Cloudflare hacked using auth tokens stolen in Okta attack

Cloudflare disclosed today that its internal Atlassian server was breached by a ‘nation state’ attacker who accessed its Confluence wiki, Jira bug database, and Atlassian Bitbucket source code management system.

“They then returned on November 22 and established persistent access to our Atlassian server using ScriptRunner for Jira, gained access to our source code management system, and tried, unsuccessfully, to access a console server that had access to the data center that Cloudflare had not yet put into production in São Paulo, Brazil,” Cloudflare said.

To access its systems, the attackers used one access token and three service account credentials stolen during a previous compromise linked to Okta’s breach from October 2023 that Cloudflare failed to rotate.

“Even though we understand the operational impact of the incident to be extremely limited, we took this incident very seriously because a threat actor had used stolen credentials to get access to our Atlassian server and accessed some documentation and a limited amount of source code,” Cloudflare said.

On October 18, 2023, Cloudflare’s Okta instance was breached using an authentication token stolen from Okta’s support system.

Following the incident, the company said that its Security Incident Response Team’s quick response contained and minimized the impact on Cloudflare systems and data and that no Cloudflare customer information or systems were impacted.

Share this article on social media:

Subscribe to Our Newsletter!
Stay on top of cybersecurity risks, evolving threats and industry news.
This field is for validation purposes and should be left unchanged.

Recent News

Featured Services

The Latest Cybersecurity News

From major cyberattacks, newly discovered critical vulnerabilities to recommended best practices, read it here first:

BOOK A MEETING

Enter your Email Address

This field is for validation purposes and should be left unchanged.

* No free email provider (e.g: gmail.com, hotmail.com, etc.)

This site is registered on wpml.org as a development site. Switch to a production site key to remove this banner.