The real story here is that Cloudflare is admitting to be a MITM attacker who is reading all of your private data going over the web.

https://blog.cloudflare.com/password-reuse-rampant-half-user-logins-compromised/

Password reuse is rampant: nearly half of observed user logins are compromised

Nearly half of observed login attempts across websites protected by Cloudflare involved leaked credentials. The pervasive issue of password reuse is enabling automated bot attacks and account takeovers on a massive scale.

The Cloudflare Blog

@lapcatsoftware I don't understand how web-apps using Cloudflare are GDPR-compliant. This MITM-stuff, same for certs, is exactly why I didn't consider migrating to services such as Render which rely on Cloudflare for DNS.

I wish I could be surprised that Cloudflare seems to be spying on us. Plus they can see password hash? Wow.

Anyway, yet another reason people should use a reputable #vpn service.

@jmcunx A VPN won't help secure passwords

@lapcatsoftware I mean... it's opt-in behavior... so labeling it "attacker" is a bit hyperbolic.

> As part of our Application Security offering, we offer a free feature that checks if a password has been leaked in a known data breach of another service or application on the Internet. When we perform these checks, Cloudflare does not access or store plaintext end user passwords.

@funnylookinhat It's opt-in for the website host. It's NOT opt-in for the website user.