Open Nav
Sign Up

Cloudflare Endures Sophisticated Breach Tracing Back to Okta Compromise

Bar Refael

February 4, 2024

Cloudflare, a leader in web infrastructure and DDoS protection, fell victim to a sophisticated cyberattack, believed to be the work of a nation-state actor. The attackers sought persistent and widespread access to Cloudflare’s global network, leveraging stolen credentials from a prior Okta support system breach in October 2023. Despite the elaborate intrusion tactics, Cloudflare’s vigilant response and robust security measures limited the attack’s impact, ensuring no customer data or critical system configurations were compromised.

Incident Details:

  • Attack Timeline and Tactics: The threat actor initially accessed Cloudflare’s self-hosted Atlassian server on November 14, 2023, later establishing persistent access and infiltrating Cloudflare’s Confluence, Jira, and Bitbucket systems. Attempts to breach a non-production data center in São Paulo were thwarted.
  • Credential Misuse: The breach was facilitated by one access token and three service account credentials previously stolen during the Okta breach, which Cloudflare had overlooked to rotate.
  • Internal Reconnaissance: The attackers conducted a four-day reconnaissance operation, scoping out Cloudflare’s internal systems and later establishing a rogue Atlassian user account for sustained access.

Security Measures and Response:

  • Immediate Containment: Cloudflare detected the malicious activity on November 23, terminated the threat actor’s access by November 24, and initiated a thorough investigation with CrowdStrike’s assistance.
  • Comprehensive Remediation Efforts: Cloudflare undertook extensive measures including rotating over 5,000 production credentials, segmenting test and staging systems, conducting forensic triages on 4,893 systems, and reimaging and rebooting every machine across its global network, including all accessed systems and Atlassian products.
  • Data Center Security: Equipment in the São Paulo data center was returned to manufacturers to guarantee absolute security, despite the threat actor’s failed access attempts.

Impact and Implications:

  • Limited Operational Impact: Cloudflare emphasized that the breach did not affect customer data, services, or global network systems. The meticulous analysis of accessed documentation and source code indicated the attackers aimed to understand the architecture, security, and management of Cloudflare’s global network.
  • Source Code Exposure: Though the attackers viewed up to 120 code repositories, only 76 were believed to be exfiltrated, focusing on Cloudflare’s backup processes, global network configuration, identity management, remote access, and use of Terraform and Kubernetes.

The Cloudflare breach, executed by leveraging credentials stolen from a previous Okta incident, underscores the persistent risks associated with supply chain attacks and credential management. The incident highlights the critical need for robust credential rotation policies, comprehensive system monitoring, and the importance of swift, coordinated incident response. While Cloudflare’s swift actions and zero-trust security approach significantly mitigated the breach’s impact, the incident serves as a stark reminder of the sophistication of nation-state actors and the continuous threat they pose to global networks and infrastructures.

Stay safe and informed,

OP Innovate.

Resources highlights

High-Severity WordPress Vulnerability in Forminator Plugin (CVE-2025-6463)

A critical vulnerability in the Forminator plugin, one of the most popular form-building plugins in Wordpress, allows unauthenticated attackers to delete arbitrary files on the…

Read more >

CVE-2025-6463

CVE-2025-6554: Chrome V8 Zero-Day Exploited in the Wild

On June 30, 2025, Google issued an emergency patch for a critical zero-day vulnerability in its Chrome browser, tracked as CVE-2025-6554. The flaw resides in…

Read more >

CVE-2025-6554

Critical Cisco ISE Vulnerabilities Lead to Unauthenticated RCE (CVE-2025-20281 & CVE-2025-20282)

On June 25, 2025, Cisco disclosed and patched two critical remote code execution (RCE) vulnerabilities: CVE-2025-20281 and CVE-2025-20282, affecting its widely deployed Identity Services Engine…

Read more >

CVE-2025-20281 & CVE-2025-20282

Critical Vulnerability in MegaRAC BMC Added to CISA’s KEV: CVE-2024-54085

On June 25, 2025, CISA added CVE‑2024‑54085, a critical authentication bypass vulnerability in the MegaRAC SPx Baseboard Management Controller (BMC) firmware, to its Known Exploited…

Read more >

CVE-2024-54085

‘UMBRELLA STAND’ Malware Targets Fortinet FortiGate Firewalls

‘UMBRELLA STAND’ Malware Targets Fortinet FortiGate Firewalls The UK’s National Cyber Security Centre (NCSC) has issued an alert regarding a sophisticated malware campaign dubbed “UMBRELLA…

Read more >

umbrella stand fortinet

CVE-2025-49144: Privilege Escalation in Notepad++ Installer Enables Full SYSTEM Access

A critical local privilege escalation vulnerability in the Notepad++ v8.8.1 installer allows attackers to escalate to NT AUTHORITY\SYSTEM using binary planting techniques. Tracked as CVE-2025-49144,…

Read more >

CVE-2025-49144
Under Cyber Attack?

Fill out the form and we will contact you immediately.