Wise and Cloudflare

You may have read in the press that Cloudflare - a service provider that Wise uses - was affected by a bug. That bug meant some of Cloudflare’s customer data was exposed.

As soon as we were aware of this, we got in touch with CloudFlare to establish whether Wise data was affected. We also launched our own checks.

We’ve done a full investigation alongside Cloudflare, and we are confident that Wise customer data is safe. We've included a detailed explanation at the bottom of this post.

What does Wise do to protect customer data?

We’ve got a specialised, in-house team that look after security. It’s their job to keep customer data watertight. They continually review and update our processes to ensure the integrity of our platform.

On top of that, we’re constantly monitoring and testing all of our services. This makes sure that our customers’ data is secure - and always protected. Plus, all communications between customer devices and our platforms are encrypted.

You can read more about our security systems on our FAQs.

Do I need to change my Wise password?

No, you don’t need to. But this is a good time to recap on some password best practice:

• Make sure it’s strong - a strong password is long, made up of numbers and symbols, as well as both uppercase and lowercase letters.

• Use different passwords across different websites and services - this means that if someone who isn’t you gets your password, they can only use it on one website.

Wise and Cloudflare - behind the headlines

We thought we'd share some of the background to how we deal with technical issues like the Cloudflare bug that was reported overnight.

It’s an extremely serious issue. There’s also a lot of wild speculation around - especially on social media. So we thought some readers would be interested in the facts.

What happened?

The Wise team became aware of the Cloudflare bug early this morning. We immediately got in touch with CloudFlare to find out how our services were affected. We also began our own investigation.

What was the issue?

You can find a full description of the issues on Cloudflare’s blog, and on the Project Zero bug report.

It’s important to note the nature of the leaks. At its peak, roughly 1 in every 3.3 million requests had the potential to leak into someone else's session. These leaks would often result in being rendered in a browser as meaningless characters in the bottom of the screen.

There’s no evidence that anyone was harvesting this transient leaked data for malicious purposes. But the internet has a ‘memory’ in the form of caches maintained mainly by search engines.

In the time between being informed of the bug and it being made public, Cloudflare has been constantly searching these caches for any of the inadvertently leaked information. The greatest threat (given that the bug itself was fixed) was for someone to harvest the leaked data from these caches.

What’s the outcome?

Both the Cloudflare and Wise teams are confident that no identifiable Wise or Wise customer data was found in these caches.

Some of our partners also use Cloudflare. So as a precaution, we’ve reset any credentials that we use to connect to those partners and service providers, such as API tokens. We’ve done this because these credentials are used repeatedly, and that means they’re statistically more likely to have been leaked.

We’ll be closely monitoring this situation over the coming days and weeks. And if you’ve got any questions at all, you can get in touch with us. We're happy to answer your questions.