Cloudflare Discloses Hacking of Server

Cloudflare, a company that provides a content delivery network serving approximately 20% of Internet traffic, has released a report on the compromise of one of its servers. The compromised server hosted an internal wiki based on the Atlassian Confluence platform, the Atlassian Jira error tracking system, and Bitbucket repositories.

Analysis of the incident revealed that the attacker gained access to the server using tokens acquired during the October Okta security breach. That breach resulted in a data leak from the support service platform used by Cloudflare. Following the Okta hack, Cloudflare began replacing the accounts, keys, and tokens used through Okta services. However, one token and three accounts compromised in the Okta hack were not replaced and remained active, allowing the attacker to exploit them.

Although these accounts were considered unused, they provided access to the Atlassian platform, the Bitbucket code management system, a SaaS application with administrative access to the Atlassian Jira environment, and the Cloudflare Catalog. However, access to the CDN and CDN infrastructure that does not store confidential data was granted, and thus the incident did not impact the data and systems of Cloudflare users.
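The rotation gap described above, where exposed credentials were left active because they were believed unused, can be checked mechanically after a vendor breach. The following is an added example, not taken from Cloudflare's report; the inventory fields, credential names, dates and log events are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Credential:
    name: str
    kind: str                # "token" or "account"
    exposed: bool            # present in the data leaked from the vendor
    last_rotated: datetime   # last time the secret was replaced
    believed_unused: bool    # owner's claim; never a reason to skip rotation
    revoked: bool = False

def rotation_gaps(inventory, breach_time):
    """Exposed credentials that are still live with a pre-breach secret."""
    return [c for c in inventory
            if c.exposed and not c.revoked and c.last_rotated <= breach_time]

def triage(inventory, auth_events, breach_time):
    """Assign an action to every gap, using post-breach logins as evidence of use."""
    used = {name for name, ts in auth_events if ts > breach_time}
    report = {}
    for c in rotation_gaps(inventory, breach_time):
        if c.name in used:
            report[c.name] = "investigate"  # stale secret authenticated after the breach
        elif c.believed_unused:
            report[c.name] = "revoke"       # nothing depends on it: disable, do not rotate
        else:
            report[c.name] = "rotate"
    return report

def _t(day):
    # Constructed timeline: arbitrary month, breach disclosed on day 10.
    return datetime(2000, 1, day, tzinfo=timezone.utc)

BREACH = _t(10)
INVENTORY = [  # constructed sample inventory
    Credential("svc-token-a", "token", True, _t(2), True),
    Credential("svc-account-b", "account", True, _t(3), True),
    Credential("svc-account-c", "account", True, _t(1), False),
    Credential("ci-token", "token", True, _t(15), False),            # rotated after breach
    Credential("old-bot", "account", True, _t(1), True, revoked=True),
    Credential("unrelated", "token", False, _t(1), False),           # not in the leak
]
# Constructed authentication log: (credential name, timestamp)
AUTH_EVENTS = [("svc-token-a", _t(20)), ("ci-token", _t(21)), ("svc-account-c", _t(5))]

if __name__ == "__main__":
    for name, action in triage(INVENTORY, AUTH_EVENTS, BREACH).items():
        print(f"{name}: {action}")
```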

An audit conducted by Cloudflare determined that the attack was limited to the Atlassian products and did not expand to other servers. This was due to Cloudflare’s application of the Zero Trust security model and the isolation of infrastructure parts.
