This morning we have been made aware of a security vulnerability affecting Cloudflare, a major internet infrastructure company and our Content Delivery Network (CDN) provider.
All traffic to Hypothesis passes through Cloudflare’s servers in order to improve the performance and security of our service. Unfortunately, it appears that a bug in Cloudflare’s software may have leaked some traffic that should have been private into the pages it served for other customers’ sites. Put simply: it’s possible that communications that should have been private between our users and Hypothesis were not.
At the moment we have no evidence to suggest that any Hypothesis user’s private data was leaked as part of this vulnerability, but we are taking steps to minimise the risks posed by any possible disclosure.