Cloudflare experienced a security breach on November 14, 2023 [6], when unauthorized individuals gained access to its internal systems. The attackers used credentials compromised in a previous breach of Okta, which Cloudflare had not revoked. However, thanks to Cloudflare’s Zero Trust tools [3], no customer data or systems were compromised [1] [2] [3] [4] [5].

Description

The breach specifically targeted Cloudflare’s Confluence wiki, Jira database [6], and Bitbucket source code system [2] [6]. The attackers were active from November 14 to 24 [3], attempting to gain insights into Cloudflare’s network architecture and security [3]. They accessed Cloudflare’s internal wiki and bug database [1] [5] [7], and also attempted to access a console server in São Paulo, Brazil [1] [2] [7]. The attack was attributed to a suspected ‘nation-state attacker’ and was stopped on November 24. Cloudflare immediately launched an investigation with the assistance of CrowdStrike [2]. Remediation efforts included rotating all production credentials [6], segmenting test and staging systems [2] [6], and conducting extensive forensic analysis.

Conclusion

Cloudflare’s security team successfully cut off the attackers’ access and terminated all connections. The company credited its access controls [7], firewall rules [1] [7], and hard security keys for limiting the threat actor’s lateral movement [7]. The impact of the incident was limited [7]: no customer data or services were affected [2] [4] [5] [7], and no changes were made to Cloudflare’s global network systems [7]. However, this breach serves as a reminder of the importance of maintaining strict secrets security and of the dangers of secrets sprawl, even for businesses with strong security measures in place [6]. Cloudflare is prepared to defend against future attacks and continues to prioritize the protection of its systems and customer data.

References

[1] https://blog.cloudflare.com/thanksgiving-2023-security-incident
[2] https://securityaffairs.com/158504/hacking/cloudflare-thanksgiving-day-attack.html
[3] https://www.techradar.com/pro/security/cloudflare-hacked-company-reveals-details-of-november-2023-cyberattack-blames-previous-okta-breach
[4] https://www.infosecurity-magazine.com/news/cloudflare-breach-stolen-okta/
[5] https://www.techtarget.com/searchsecurity/news/366568694/Cloudflare-discloses-breach-related-to-stolen-Okta-data
[6] https://blog.gitguardian.com/the-secrets-out-how-stolen-auth-tokens-led-to-cloudflare-breach/
[7] https://www.msspalert.com/news/cloudflare-hit-again-by-okta-breach-atlassian-server-compromised