Open Nav
Sign Up

Cloudflare Endures Sophisticated Breach Tracing Back to Okta Compromise

Bar Refael

February 4, 2024

Cloudflare, a leader in web infrastructure and DDoS protection, fell victim to a sophisticated cyberattack, believed to be the work of a nation-state actor. The attackers sought persistent and widespread access to Cloudflare’s global network, leveraging stolen credentials from a prior Okta support system breach in October 2023. Despite the elaborate intrusion tactics, Cloudflare’s vigilant response and robust security measures limited the attack’s impact, ensuring no customer data or critical system configurations were compromised.

Incident Details:

  • Attack Timeline and Tactics: The threat actor initially accessed Cloudflare’s self-hosted Atlassian server on November 14, 2023, later establishing persistent access and infiltrating Cloudflare’s Confluence, Jira, and Bitbucket systems. Attempts to breach a non-production data center in São Paulo were thwarted.
  • Credential Misuse: The breach was facilitated by one access token and three service account credentials previously stolen during the Okta breach, which Cloudflare had overlooked to rotate.
  • Internal Reconnaissance: The attackers conducted a four-day reconnaissance operation, scoping out Cloudflare’s internal systems and later establishing a rogue Atlassian user account for sustained access.

Security Measures and Response:

  • Immediate Containment: Cloudflare detected the malicious activity on November 23, terminated the threat actor’s access by November 24, and initiated a thorough investigation with CrowdStrike’s assistance.
  • Comprehensive Remediation Efforts: Cloudflare undertook extensive measures including rotating over 5,000 production credentials, segmenting test and staging systems, conducting forensic triages on 4,893 systems, and reimaging and rebooting every machine across its global network, including all accessed systems and Atlassian products.
  • Data Center Security: Equipment in the São Paulo data center was returned to manufacturers to guarantee absolute security, despite the threat actor’s failed access attempts.

Impact and Implications:

  • Limited Operational Impact: Cloudflare emphasized that the breach did not affect customer data, services, or global network systems. The meticulous analysis of accessed documentation and source code indicated the attackers aimed to understand the architecture, security, and management of Cloudflare’s global network.
  • Source Code Exposure: Though the attackers viewed up to 120 code repositories, only 76 were believed to be exfiltrated, focusing on Cloudflare’s backup processes, global network configuration, identity management, remote access, and use of Terraform and Kubernetes.

The Cloudflare breach, executed by leveraging credentials stolen from a previous Okta incident, underscores the persistent risks associated with supply chain attacks and credential management. The incident highlights the critical need for robust credential rotation policies, comprehensive system monitoring, and the importance of swift, coordinated incident response. While Cloudflare’s swift actions and zero-trust security approach significantly mitigated the breach’s impact, the incident serves as a stark reminder of the sophistication of nation-state actors and the continuous threat they pose to global networks and infrastructures.

Stay safe and informed,

OP Innovate.

Resources highlights

CVE-2025-49144: Privilege Escalation in Notepad++ Installer Enables Full SYSTEM Access

A critical local privilege escalation vulnerability in the Notepad++ v8.8.1 installer allows attackers to escalate to NT AUTHORITY\SYSTEM using binary planting techniques. Tracked as CVE-2025-49144,…

Read more >

CVE-2025-49144

Our Red Team’s Favorite Penetration Testing Tools in 2025 (And How We Use Them)

When it comes to red team operations, the tools you choose can make or break the engagement. From initial reconnaissance to post-exploitation, having a streamlined,…

Read more >

pentesting tools - op

New Linux Vulnerabilities (CVE-2025-6018 & CVE-2025-6019) Enable Full Root Access in Seconds

Security researchers have uncovered a critical privilege escalation chain in major Linux distributions that allows any local user with a session (SSH or GUI) to…

Read more >

CVE-2025-6018, CVE-2025-6019

Zero to Hero: How Our Red Team Turned a Sticky Note Into Full Cloud Compromise

“The weakest link in your security chain might be sitting right on your desk.” At OP Innovate, our CREST-certified red team is trained to think…

Read more >

OP Innovate Red Team

One-Third of All Grafana Instances Vulnerable to XSS (CVE-2025-4123)

Over 46,000 internet-facing Grafana servers (≈36 % of those online) are still running versions susceptible to CVE-2025-4123, a high-severity open-redirect that chains into stored cross-site…

Read more >

CVE-2025-4123

New Microsoft Outlook Vulnerability Enables Local Code Execution (CVE-2025-47176)

Published: June 11, 2025 Threat Level: High Affected Product: Microsoft Outlook (Microsoft 365 Apps for Enterprise, Office LTSC 2024) CVSS Score: 7.8 (High) A newly…

Read more >

CVE-2025-47176
Under Cyber Attack?

Fill out the form and we will contact you immediately.