CloudFlare Security Notice

Personal Capital News

On Thursday, February 23, CloudFlare, a major Web service provider, disclosed a vulnerability in its infrastructure. Under certain conditions the bug caused CloudFlare's edge servers to leak the contents of their memory into Web responses, so data from other customers' traffic passing through CloudFlare's CDN (Content Delivery Network) could appear in pages served to unrelated users and, in some cases, be stored by third-party caches. CloudFlare handles a large share of Web traffic on the Internet, and has a reputation for security transparency. Personal Capital is a customer of CloudFlare and uses its CDN service to handle our Web traffic.

Personal Capital has received direct assurance from the CloudFlare security team that “your domain is not one of the domains where we have discovered exposed data in any third-party caches. The bug has been patched,” and “To date, we have yet to find any instance of the bug being exploited.”

We have done an independent analysis, and based on the nature of the issue, we are confident that none of our encryption keys have been compromised. A large-scale vulnerability like this has a wide range of potential exploits, but the actual probability of harm to any individual user in this case is extremely low.

What Should I Do?

This type of vulnerability is a good reminder to all of us to practice good security hygiene for our financial information on the Internet. Our recommendations to all users are:

  • Use a financial data aggregation service such as Personal Capital for viewing your financial data, rather than logging in directly to your bank's website. This reduces how often your banking passwords are sent over the Internet.
  • Regularly monitor all of your financial accounts for unusual activity. Personal Capital's financial dashboard and our daily transaction monitoring email are good ways to do this. We recommend that security-conscious users review their financial transactions twice per week.
  • Always exercise good password hygiene at financial institutions and other sensitive websites. This includes using long, random passwords (a password manager makes this practical) rather than simple words, never reusing a password across sites, changing passwords on a regular basis, and changing a password promptly whenever the site it protects reports an exposure like this one.

The likelihood of a problem is low, but caution is advised, and our service makes it easy to monitor your accounts.

Is My Information at Personal Capital Safe?

Yes. And your Financial Institution (FI) passwords are heavily protected. The Personal Capital financial dashboard allows you to link your accounts from your financial institutions to give you a comprehensive view of your financial life. The credentials you provide us are protected by many safeguards designed to prevent compromise of these passwords.

The only time your FI password ever passes between your browser and our website is when you first link your account (or when you update your FI password). We never send an FI password back from our service to your browser. So even if your Personal Capital account were compromised (e.g. if you gave someone else your Personal Capital password), an attacker could not obtain your FI passwords through your Personal Capital account.

Where can I read more information?

CloudFlare’s disclosure of the issue is available at:

For more information about security and Personal Capital:

For more understanding about how account aggregation helps keep your financial data secure:

Fritz Robbins

Chief Technology Officer at Personal Capital
Fritz is the Chief Technology Officer at Personal Capital, responsible for the architecture, implementation, and operation of our software products and services, and our infrastructure. He is a recognized technology leader in the financial services world, with over 20 years experience in delivering secure financial systems at Internet scale. Fritz holds an M.S. (Computer Science) from Stanford and a B.S. (Engineering) from George Washington.

Disclaimer. This Website may contain links to third-party websites. These links are provided solely as a convenience to you and do not imply an affiliation, sponsorship, endorsement, approval, investigation, verification, or monitoring by PCAC of the contents of such third-party websites. Please be advised that PCAC is not responsible for the content of any website owned by a third party.