Cloudflare experienced a security breach on November 14, 2023 [6], when unauthorized individuals gained access to its internal systems. The attackers used credentials compromised in a previous breach of Okta, which Cloudflare had not revoked. However, thanks to Cloudflare’s Zero Trust tools [3], no customer data or systems were compromised [1] [2] [3] [4] [5].


The breach specifically targeted Cloudflare’s Confluence wiki, Jira database [6], and Bitbucket source code system [2] [6]. The attackers were active from November 14 to 24 [3], attempting to gain insights into Cloudflare’s network architecture and security [3]. They accessed Cloudflare’s internal wiki and bug database [1] [5] [7], and also attempted to access a console server in São Paulo, Brazil [1] [2] [7]. The attack is believed to have been orchestrated by a ‘nation-state attacker’ and was stopped on November 24. Cloudflare immediately launched an investigation with the assistance of CrowdStrike [2]. Remediation efforts included rotating all production credentials [6], segmenting test and staging systems [2] [6], and conducting extensive forensic analysis.


Cloudflare’s security team successfully cut off the attackers’ access and terminated all connections. The company credited its access controls [7], firewall rules [1] [7], and hard security keys for limiting the threat actor’s lateral movement [7]. The impact of the incident was limited [7], as no customer data or services were affected [2] [4] [5] [7], and no changes were made to Cloudflare’s global network systems [7]. However, this breach serves as a reminder of the importance of maintaining strict secrets security and of the dangers of secrets sprawl, even for businesses with strong security measures in place [6]. Cloudflare is prepared to defend against future attacks and continues to prioritize the protection of its systems and customer data.