Cloudflare just sent out this email to customers:<p>Dear Cloudflare Customer,<p>We're reaching out to make you aware of a Workers KV vulnerability, and the details you'd need to determine if you were impacted. We do not have reason to believe any Workers KV customers were impacted by the vulnerability, but we wanted to disclose information in an abundance of caution. This only affected users of Workers KV (about 0.034% of Cloudflare customers) and not other Cloudflare products or customers. You are completely unaffected if you never made your Namespace’s ID public or available to a third party.<p>Summary: If you made public (for example in source code), or gave a third-party access to, a Workers KV Namespace’s ID (which is an unguessable, random 122 bit value, a UUID4), the third-party could have used it to read or modify content in that Namespace.<p>Remediation: We have fixed this vulnerability. After receiving a report from a security researcher, we were able to confirm the existence of the vulnerability on October 14, 2019 at 12:53:21 -0500 and we prepared and released a patch which was completed that day at 16:45:38 -0500.<p>Impact: We have reviewed logs going back at least 30 days for API access and one year for direct access and there was no abuse during those time periods. While we believe any earlier unauthorized access is extremely unlikely, we are erring on the side of caution and sharing this information with you.<p>If you made your Namespace’s ID public, you may wish to review the information stored in your Workers KV Namespace and take action to secure any sensitive information. For example, if you were using Workers KV to store access tokens, you may want to expire and rotate them.<p>Cloudflare works closely with security researchers through HackerOne. We are grateful to the researcher who found and reported this vulnerability, and we have paid a bug bounty. We care deeply about security, and we regret any inconvenience this may cause.