A security vulnerability, that is now being referred to as 'Cloudbleed', was reported by CloudFlare on February 23, 2017. The vulnerability led to an unknown amount of data being leaked as it was transmitted through Cloudflare systems, including passwords, API keys, and email addresses.
The bug has been in place for many months, but reached its greatest point of impact between February 13 and 18. As of today, it is unknown if any malicious agent knowingly exploited this bug during that timeframe and if all the leaked data has been 100% scrubbed from all potential systems it could have been cached in, including search engines.
OneLogin does not use CloudFlare, therefore our users were not exposed to this bug through our service. However, similar to Heartbleed, OneLogin highly recommends you review all the vendors you use for corporate and personal purposes and determine if any action is needed on your part. This could take the form of resetting passwords, authentication factors, API keys, and other secrets that might been exposed.
OneLogin is also validating that our own vendors were not impacted by Cloudbleed and we will continue to monitor the situation.