Cloudflare Data Breach – November 2023

Cloudflare has disclosed a data breach that took place on 23 November 2023. The details of the incident are summarised below.

Salient points

  • Cloudflare detected the presence of a threat actor on its Atlassian server on 23 November 2023.
  • On 26 November 2023, Cloudflare initiated a forensic audit with the help of the CrowdStrike team.
  • All threat actor access and connections were terminated on 24 November, and CrowdStrike confirmed that the last evidence of threat activity was on 24 November at 10:44.
  • The attack was possible because of one access token and three service account credentials that had been compromised in the Okta ransomware attack on Cloudflare on 18 October 2023.
  • Between 14 and 17 November, the threat actor carried out reconnaissance and then accessed Cloudflare’s internal wiki (Atlassian Confluence) and bug database (Atlassian Jira).
  • On 22 November, the threat actor established persistent access to the Atlassian server using ScriptRunner for Jira, gained access to Cloudflare’s source code management system (Atlassian Bitbucket), and tried, unsuccessfully, to access a console server that had access to a data center in São Paulo, Brazil, which Cloudflare had not yet put into production.
  • Cloudflare believes that this attack was carried out by a nation state attacker with the goal of obtaining persistent and widespread access to Cloudflare’s global network.
  • The threat actor was able to access Cloudflare’s wiki, bug database issues, and source code repositories.

Remediation efforts by Cloudflare

  • The attack was first detected on 23 November 2023.
  • Immediately, the Smartsheet service account and the Atlassian user account associated with the threat actor were removed.
  • The attacker’s source IP address range was blocked on the firewall to thwart any future attempts at accessing the network or the Atlassian server.
  • The attack’s source IP address range indicates that it was carried out from data centers in Romania and the UK.
  • The last known threat activity was observed on 24 November 2023.
  • All attacker access ended on 24 November 2023.

What data was breached?

  • Cloudflare has confirmed that no customer data was accessed by the threat actor.
  • Evidence from the forensic audit suggests that the threat actor did not get access to Cloudflare’s global network, data centers, SSL keys, customer databases or configuration information.
  • The threat actor was not able to access the Cloudflare Workers deployed by Cloudflare or its customers, AI models, network infrastructure, or any of the datastores like Workers KV, R2 or Quicksilver.
  • The threat actor’s access was limited to the Atlassian suite and the Atlassian server.
  • 120 code repositories of Cloudflare were accessed by the threat actor. 76 of these code repositories are believed to have been downloaded and exfiltrated by the threat actor.
  • The compromised repositories included information about how backups work, how the global network is configured and managed, how identity works at Cloudflare, remote access, and Cloudflare’s use of Terraform and Kubernetes.
  • A small number of the repositories contained encrypted secrets which were rotated immediately even though they were strongly encrypted themselves.
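The root cause above was a set of credentials stolen in the October Okta incident that were still valid a month later, while the secrets found in the repositories were rotated as soon as the intrusion was found. The following is an added example, not code from Cloudflare or this post, of the kind of rotation audit a defender would run after a third-party compromise: it takes a credential inventory (constructed, with hypothetical names and dates) and the two dates from the summary, and reports which live secrets predate the compromise and for how long they stayed usable.

```python
from dataclasses import dataclass
from datetime import date

# Dates from the incident summary: third-party (Okta) compromise on
# 18 October 2023, intruder detected on the Atlassian server on 23 November 2023.
THIRD_PARTY_COMPROMISE = date(2023, 10, 18)
INTRUSION_DETECTED = date(2023, 11, 23)


@dataclass(frozen=True)
class Credential:
    name: str
    kind: str           # "access_token" or "service_account"
    last_rotated: date  # date the secret value was last changed
    revoked: bool = False


# Constructed inventory for illustration; names and dates are hypothetical
# and are not Cloudflare's actual credentials.
INVENTORY = [
    Credential("atlassian-api-token", "access_token", date(2023, 9, 2)),
    Credential("smartsheet-svc", "service_account", date(2023, 8, 15)),
    Credential("bitbucket-svc", "service_account", date(2023, 7, 30)),
    Credential("ci-deploy-svc", "service_account", date(2023, 6, 1)),
    Credential("wiki-sync-token", "access_token", date(2023, 10, 25)),  # rotated after the compromise
    Credential("legacy-backup-svc", "service_account", date(2023, 5, 9), revoked=True),
]


def stale_credentials(inventory, compromise_day):
    """Live credentials whose value predates the third-party compromise and
    was never rotated afterwards, sorted by name."""
    stale = [c for c in inventory
             if not c.revoked and c.last_rotated <= compromise_day]
    return sorted(stale, key=lambda c: c.name)


def rotation_report(inventory, compromise_day=THIRD_PARTY_COMPROMISE,
                    as_of=INTRUSION_DETECTED):
    """Summarise which leaked secrets an attacker could still use on `as_of`."""
    stale = stale_credentials(inventory, compromise_day)
    by_kind = {}
    for c in stale:
        by_kind[c.kind] = by_kind.get(c.kind, 0) + 1
    return {
        "stale": [c.name for c in stale],
        "by_kind": by_kind,
        "exposure_days": (as_of - compromise_day).days,  # window the secrets stayed valid
    }


if __name__ == "__main__":
    report = rotation_report(INVENTORY)
    for name in report["stale"]:
        print(f"ROTATE NOW: {name}")
    print(f"{len(report['stale'])} unrotated secrets, usable for {report['exposure_days']} days")
```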

You can read more about the security incident on Cloudflare’s blog.


Rajesh Dhawan

Rajesh Dhawan is a technology professional who loves to blog about smart wearables, Cloud computing and Microsoft technologies. He loves to break complex problems into manageable chunks of meaningful information.