Even though they weren't affected much and no one would have called them out if they didn't do this, the fact that they did such a nice job of dissecting the situation and deploying the appropriate measures is really, really good.

Love Monzo. <3
Great that they respond so clearly and quickly.

One question - does anyone else feel that having NGINX as the only link in the summary kind of suggests that it's an nginx problem? I could imagine my previous boss reading the article, and 3 months later saying, "Wait what, we're using nginx??? Isn't that that shit that made cloudbleed happen?"
Honest question, this is far from my area of expertise: I get why you would put Cloudflare on a public website -- but what is the benefit of wrapping the authenticated, dynamic parts of a website/service in Cloudflare? These are things you would want to never get cached, and, I suppose, you would want end-to-end TLS'd into your own network?
Monzo's response is much more reassuring compared to Cloudflare's:

> "We've seen absolutely no evidence that this has been exploited," he told Reuters by phone.
> "It's very unlikely that someone has got this information."
http://www.reuters.com/article/us-cyber-cloudflare-idUSKBN1630RT
> A bug in an NGINX module used by Cloudflare’s edge proxies

More precisely: a bug in a proprietary closed source module for NGINX used in-house at Cloudflare.
If I understood the issue correctly, then "Transaction information" and "Customers’ personally identifiable information" via the Developer's API *were* potentially affected.
Great response from Monzo. I live in Scotland and it's amazing the difference companies like Monzo have compared to regular banks (see the Tesco Bank fiasco).