DATA LEAK/BREACH REPORT FOR MY SEARXNG SERVICE (14 NOV 2023–8 DEC 2023) --Data Leak Summary: Time: 14 NOV 2023–8 DEC 2023 Recipients: Cloudflare, Inc., the ZhaoCloud administrator Content: All requests from clients --Data Disclosure Summary: Recipient: One third party Non-recipients: Two third parties Content: 1 log with IP, without request content Compelled: No Reason: Debugging On 14 Nov 2023, I closed my SearXNG service and set a DNS record pointing to a page hosted on Cloudflare. However, I forgot about Cloudflare's firewall. If you sent a search request to that page (via a browser search bar), Cloudflare would treat the request as harmful because it targeted a nonexistent source. You might have seen a Cloudflare CAPTCHA or error page. All your data, including search content, IP address, and user agent, were sent to and recorded by Cloudflare during this time. On 8 Dec 2023, I realized the problem and immediately removed the DNS record for s.zhaocloud.net. I tried to find a way to request that Cloudflare delete the firewall logs. Since Cloudflare provides very limited support for the free plan and I have no experience dealing with them, I ultimately did not contact them. According to my Cloudflare dashboard, the logs can be viewed for two weeks. I did not export these logs and have now lost access to them. However, I do not know how long Cloudflare actually keeps this data in their system. In order to debug the issue, I reviewed several logs manually through Cloudflare's web console. Some logs were briefly cached on my local computer. I did not attempt to decode any content using tools and do not remember any of it. I shared one log with a third party I trust after removing the request content. I intended to remove the IP address as well; I covered one IP address, but another remained visible in the screenshot. My purpose was to show the third party the data format and ask for help. A messaging service and an online IP database may have access to the IP address. I am deeply sorry. Written in July 2024 Edited and published on 10 Feb 2026 V2 我的 SEARXNG 服务的数据泄露报告（2023 年 11 月 14 日至 2023 年 12 月 8 日） ——数据泄露摘要： 时间：2023年11月14日–2023年12月8日 接受方：Cloudflare公司、ZhaoCloud管理员 内容：所有客户端请求 ——数据披露摘要： 披露对象：1个第三方 关联对象：2个第三方 内容：1条含IP地址的日志（不含请求内容） 强制披露：否 原因：调试 2023 年 11 月 14 日，我关闭了 SearXNG 服务，并设置了一条指向 Cloudflare 上托管页面的 DNS 记录。但是，我忘记了 Cloudflare 的防火墙。如果您向该页面发送搜索请求（通过浏览器搜索栏），Cloudflare 会将该请求视为有害请求，因为它针对的是不存在的资源。您可能曾经看到 Cloudflare 验证码或错误页面。 在此期间，您的所有数据（包括搜索内容、IP 地址和用户代理(User-Agent)）均已发送至 Cloudflare 并由 Cloudflare 记录。 2023年12月8日，我意识到了这个问题，并立即删除了s.zhaocloud.net的DNS记录。我试图找到一种方法来请求 Cloudflare 删除防火墙日志。由于 Cloudflare 对免费计划提供的支持非常有限，而且我没有与他们打交道的经验，因此我最终没有联系他们。 根据我的 Cloudflare 仪表板，日志可以查看两周。我没有导出这些日志，现在无法访问它们。但是，我不知道 Cloudflare 实际上将这些数据保留在其系统中多久。 为了排查问题，我通过 Cloudflare 的 Web 控制台手动查看了多个日志。一些日志被短暂缓存在我的本地计算机上。我没有尝试使用工具解码任何内容，并且不记得任何内容。我与我信任的第三方共享了一份已经删除请求内容的日志。我也打算删除IP地址；我遮盖了一个 IP 地址，但屏幕截图中仍然可见另一个 IP 地址。我的目的是向第三方展示数据格式并寻求帮助。某个即时通讯服务和一个在线 IP 数据库可能可以掌握该 IP 地址。 我深感抱歉。 写于 2024 年 7 月 2026年2月10日编辑并发布 第二版