Cloudflare hacked — company reveals details of November 2023 cyberattack, blames previous Okta breach

Homepage of CloudFlare website on the display of PC, url - CloudFlare.com.

(Image credit: Shutterstock/Sharaf Maksumov)

Cloudflare is laying the blame for the cyberattack it suffered late last year the after-effects of the critical Okta breach.

The content delivery service provider has published a blog post detailing the cybersecurity incident it suffered on Thanksgiving Day 2023, noting that on November 23, 2023, a threat actor accessed the company’s self-hosted Atlassian server.

Cloudflare’s security team quickly spotted the incursion and cut the attackers off. However, subsequent investigation revealed that the attackers managed to access Cloudflare’s endpoints by using credentials that were compromised in the Okta breach that happened a month earlier.

Stealing source code

For those needing a refresher, hackers broke into Okta in October 2023 and stole client session cookies, which gave them access to those companies’ networks.

They were able to do so by obtaining login credentials for Okta’s support case management system. While initially the company believed the incident affected 1% of its client base, further investigation uncovered that all of its clients were affected.

Despite limited access due to Cloudflare's security measures, the threat actor managed to infiltrate the Atlassian environment, accessing “some documentation and a limited amount of source code”.

No customer data or systems were compromised, and Cloudflare's Zero Trust tools helped contain lateral movement, the company further explained. The threat actor's activity was traced from November 14 to 24, during which they accessed internal systems, performed reconnaissance, and attempted to establish persistent access. The attacker's focus was on gaining insights into Cloudflare's network architecture and security.

In response, Cloudflare launched a "Code Red" remediation effort, involving the rotation of over 5,000 credentials, forensic analysis of systems, and a thorough review of security protocols. Hackers were ousted on November 24, Cloudflare added, saying CrowdStrike provided independent validation of the claims.

The company believes the attack was orchestrated by a nation-state, as it was “methodical and thoughtful”, but did not say which one.

An Okta spokesperson told TechRadar Pro, "This is not a new incident or disclosure on the part of Okta. On October 19th, we notified customers, shared guidance to rotate credentials, and provided indicators of compromise (IoCs) related to the October security incident. We can't comment on our customers' security remediations."

More from TechRadar Pro

CISA is now warning government agencies to patch Ivanti flaws immediately
Here's a list of the best firewalls around today
These are the best endpoint security tools right now

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.