Private messages exchanged on dating sites, hotel bookings and frames from adult videos were among the data inadvertently exposed by a bug discovered in the Cloudflare network.
The firm protects websites by routing their traffic through its own network, filtering out hack attacks.
It has 4 million clients, including banks, governments and shopping sites.
Customers wouldn’t necessarily know which of the online services they use run on Cloudflare as it is not visible.
The bug came to light while Cloudflare was migrating from older to newer software between 13 and 18 February.
Chief operating officer John Graham-Cumming said it was likely that, in the last week, around 120,000 web pages per day may have contained some unencrypted private data, along with other junk text, at the bottom of the page.
He told the BBC there was no evidence yet that the data had been used maliciously.
“I can’t tell you it’s zero probability that nobody saw something and did something mischievous,” he said.
“I am not changing any of my passwords. I think the probability that somebody saw something is so low it’s not something I am concerned about.”