Internet firm Cloudflare has disclosed that a bug in its software has let hundreds of thousands of web pages leak private user data such as passwords and messages.
The leak reportedly leaves millions of users at risk of being hacked or having their private data leaked on the web.
The security bug affects users of sites such as 1Password, Uber, OK Cupid, Fitbit, The Pirate Bay, The Washington Times, Medium, Yelp and Whatismyip.com.
A full list of the websites affected by the leak can be found here.
Google security expert Tavis Ormandy first uncovered the problem and informed Cloudflare about the issue on February 18. However, in a blog post, Cloudflare admitted its service had been leaking information for months.
But it did say that there is no sign yet that the leak has been exploited by hackers.
The company also said the problem was due to an error in the coding of its software, which had now been fixed.
Cloudflare uses its content delivery network to help some 6 million websites push its content around the internet.
It does this to help the sites reach as many people as possible while also helping to reduce the risk of so called Denial of Service Attacks or DDoS, which took knock the websites offline.
The bug meant that websites passwords, authentication tokens and cookies were leaked online in plain text format, Cloudflare said in a blog post.
“We’ve seen absolutely no evidence that this has been exploited,” said Cloudflare Chief Technology Officer John Graham-Cumming
“It’s very unlikely that someone has got this information.”
Both Uber and 1Password issued statements on Friday denying that any user passwords had been leaked online.