On Thursday, February 23, CloudFlare, a major Web service provider, disclosed a vulnerability in their infrastructure. This vulnerability has the potential to expose data from Web traffic that uses CloudFlare’s CDN (Content Delivery Network). CloudFlare handles a large share of Web traffic on the Internet, and has a reputation for security transparency. Personal Capital is a customer of CloudFlare and uses their CDN service to handle their Web traffic.
Personal Capital has received direct assurance from the CloudFlare security team that “your domain is not one of the domains where we have discovered exposed data in any third-party caches. The bug has been patched,” and “To date, we have yet to find any instance of the bug being exploited.”
We have done an independent analysis, and based on the nature of the issue, we are confident that none of our encryption keys have been compromised. While a large-scale vulnerability like this opens a wide range of potential exploits, the actual probability of risk to any individual user in this case is extremely low.
What Should I Do?
This type of vulnerability is a good reminder to all of us to practice good security hygiene for our financial information on the internet. Our recommendations to all users are:
- Use a financial data aggregation service such as Personal Capital for viewing your financial data, rather than logging in directly to your bank website. This reduces exposure of your banking passwords on the Internet.
- Regularly monitor all of your financial accounts for unusual activity. Personal Capital’s financial dashboard, and our daily transaction monitoring email, are great ways to do this. We recommend that security-conscious users review their financial transactions twice per week.
- Always exercise good password hygiene at financial institutions or other sensitive websites. This includes using long, random passwords rather than simple words, not using the same password at multiple sites, and changing passwords on a regular basis.
The likelihood of a problem is low, but caution is advised and our service makes it easy to monitor your accounts.
Is My Information at Personal Capital Safe?
Yes. And your Financial Institution (FI) passwords are heavily protected. The Personal Capital financial dashboard allows you to link your accounts from your financial institutions to give you a comprehensive view of your financial life. The credentials you provide us have many safeguards that are designed to protect your security and prevent compromise of these passwords.
The only time that your FI password ever passes between your browser and our website is when you first link your account (or when you update your FI password). We never send an FI password back from our service to your browser. So even in the event that your Personal Capital account were compromised (e.g. if you gave someone else your Personal Capital password), no attacker could ever obtain your FI passwords via your Personal Capital account.
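The credential flow described above can be modelled as a write-only vault: the FI password enters the server once (on link or update), is used only server-side, and is absent from every response returned to the browser. The example below is added here to illustrate that property; it is not Personal Capital's code, and every name in it (CredentialVault, LinkedAccount, serialize_account, fetch_balance_stub, contains_secret) is hypothetical, with the bank call replaced by a constructed stand-in.

```python
"""Added example (not Personal Capital's code): a minimal server-side model of
write-only FI credentials. All class and function names are hypothetical."""
from dataclasses import dataclass, field
from typing import Any, Callable, Dict


@dataclass
class LinkedAccount:
    account_id: str
    institution: str
    username: str
    # Display-safe metadata only; no secret is stored on this object.
    masked_username: str = field(init=False)

    def __post_init__(self) -> None:
        self.masked_username = self.username[:2] + "***"


class CredentialVault:
    """Write-only store from the client's point of view.

    Secrets go in via link() / update_password(). The only way out is
    use_credential(), which runs a server-side callable and returns that
    callable's result, never the password itself.
    """

    def __init__(self) -> None:
        self._accounts: Dict[str, LinkedAccount] = {}
        self._secrets: Dict[str, str] = {}  # account_id -> FI password, server-side only

    def link(self, account_id: str, institution: str, username: str, fi_password: str) -> LinkedAccount:
        account = LinkedAccount(account_id, institution, username)
        self._accounts[account_id] = account
        self._secrets[account_id] = fi_password
        return account

    def update_password(self, account_id: str, fi_password: str) -> None:
        # Accept a new secret, but return nothing: the caller never learns the old one.
        if account_id not in self._accounts:
            raise KeyError(account_id)
        self._secrets[account_id] = fi_password

    def use_credential(self, account_id: str, action: Callable[[str, str], Any]) -> Any:
        """Run an aggregation step that needs the FI login, entirely server-side."""
        account = self._accounts[account_id]
        return action(account.username, self._secrets[account_id])


def serialize_account(account: LinkedAccount) -> Dict[str, Any]:
    """Build the view sent to the browser from an explicit allow-list of fields,
    so a field added later cannot leak by default."""
    return {
        "account_id": account.account_id,
        "institution": account.institution,
        "username": account.masked_username,
    }


def fetch_balance_stub(username: str, password: str) -> Dict[str, Any]:
    """Constructed stand-in for the server-side call to the institution.
    It reports only whether it received a credential, never the credential."""
    return {"balance": 1234.56, "authenticated": bool(username and password)}


def contains_secret(payload: Any, secret: str) -> bool:
    """Regression check: walk a JSON-like response and report whether the
    secret appears anywhere in it (useful as a CI guard on API serializers)."""
    if isinstance(payload, str):
        return secret in payload
    if isinstance(payload, dict):
        return any(contains_secret(v, secret) for v in payload.values())
    if isinstance(payload, (list, tuple)):
        return any(contains_secret(v, secret) for v in payload)
    return False


def demo() -> Dict[str, Any]:
    """Link an account, serve it to the browser, use the credential server-side,
    then rotate it; everything returned here is what a client would receive."""
    vault = CredentialVault()
    acct = vault.link("acct-1", "Example Bank", "alice", "correct horse battery staple")
    view = serialize_account(acct)
    result = vault.use_credential("acct-1", fetch_balance_stub)
    vault.update_password("acct-1", "new password")
    return {"view": view, "result": result}


if __name__ == "__main__":
    out = demo()
    print(out)
    print("secret leaked:", contains_secret(out, "correct horse battery staple"))
```

The design point is that the response serializer works from an allow-list and the vault exposes no getter for the secret, so a compromised Personal Capital session token can trigger server-side use of the credential but never read it; `contains_secret` is the kind of check worth running over every API response fixture in a test suite.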
Where can I read more information?
CloudFlare’s disclosure of their issue is available at: https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/
For more information about security and Personal Capital:
For more understanding about how account aggregation helps keep your financial data secure: