TransferWise and Cloudflare

24.02.17

You may have read in the press that Cloudflare - a service provider that TransferWise uses - was affected by a bug. That bug meant some of Cloudflare’s customer data was exposed.

As soon as we were aware of this, we got in touch with Cloudflare to establish whether TransferWise data was affected. We also launched our own checks.

We’ve done a full investigation alongside Cloudflare, and we are confident that TransferWise customer data is safe. We've included a detailed explanation at the bottom of this post.

If you have any questions about this, you can get in touch via support@transferwise.com.

What does TransferWise do to protect customer data?

We’ve got a specialised, in-house team that look after security. It’s their job to keep customer data watertight. They continually review and update our processes to ensure the integrity of our platform.

On top of that, we’re constantly monitoring and testing all of our services. This makes sure that our customers’ data is secure - and always protected. Plus, all communications between customer devices and our platforms are encrypted.

You can read more about our security systems on our FAQs.

Do I need to change my TransferWise password?

No, you don’t need to. But this is a good time to recap on some password best practice:

  • Make sure it’s strong - a strong password is long, made up of numbers and symbols, as well as both uppercase and lowercase letters.

  • Use different passwords across different websites and services - this means that if someone who isn’t you gets your password, they can only use it on one website.


TransferWise and Cloudflare - behind the headlines

We thought we'd share some of the background to how we deal with technical issues like the Cloudflare bug that was reported overnight.

It’s an extremely serious issue. There’s also a lot of wild speculation around - especially on social media. So we thought some readers would be interested in the facts.

What happened?

The TransferWise team became aware of the Cloudflare bug early this morning. We immediately got in touch with Cloudflare to find out how our services were affected. We also began our own investigation.

What was the issue?

You can find a full description of the issues on Cloudflare’s blog, and on the Project Zero bug report.

It’s important to note the nature of the leaks. At its peak, roughly 1 in every 3.3 million requests had the potential to leak into someone else's session. These leaks would often be rendered in a browser as meaningless characters at the bottom of the screen.

There’s no evidence that anyone was harvesting this transient leaked data for malicious purposes. But the internet has a ‘memory’ in the form of caches maintained mainly by search engines.

In the time between being informed of the bug and it being made public, Cloudflare has been constantly searching these caches for any of the inadvertently leaked information. The greatest threat (given that the bug itself was fixed) was for someone to harvest the leaked data from these caches.

What’s the outcome?

Both the Cloudflare and TransferWise teams are confident that no identifiable TransferWise or TransferWise customer data was found in these caches.

Some of our partners also use Cloudflare. So as a precaution, we’ve reset any credentials that we use to connect to those partners and service providers, such as API tokens. We’ve done this because these credentials are used repeatedly, and that means they’re statistically more likely to have been leaked.

We’ll be closely monitoring this situation over the coming days and weeks. And if you’ve got any questions at all, you can get in touch via support@transferwise.com.
