CloudFare breach cause for concern (updated)
Given the number of hacks revealed on a daily basis, I long ago gave up on trying to mention them all on this blog, but this one merits its own entry.
Eduard Kovacs reports that although CloudFare has acknowledged it was compromised, the co-founder and CEO may not be correct in his understanding of the breach:
“This morning a hacker was able to access a customer’s account on CloudFlare and change that customer’s DNS records. The attack was the result a compromise of Google’s account security procedures that allowed the hacker to eventually access to my CloudFlare.com email addresses, which runs on Google Apps,” Prince explained.
He believes that the attackers somehow “convinced” Google’s account recovery process to add an arbitrary recovery email address to his personal Gmail account.
“The password used on my personal Gmail account was 20+ characters long, highly random, and not used by me on any other services so it’s unlikely it was dictionary attacked or guessed,” he added.
The most interesting fact, according to Prince, is that his account had been protected with a two-factor authentication system.
After analyzing the incident, Google’s security team has determined that “a subtle flaw in the recovery flow” of certain accounts allowed the hackers to compromise the account.
But the hackers involved claim that that’s not what happened:
“We got into their main server. We could see all customer account information, name, IP address, payment method, paid with, user ID, etc. and had access to reset any account on CloudFlare,” he said.
Furthermore, the hackers plan on selling all the information they obtained on Darkode.
This type of hack – where the hackers intend to sell the data they acquired – takes things to a whole other level. If you’ve used Cloudfare, you should probably be taking steps immediately to protect your accounts. And if the hackers are truthful – that this had nothing to do with Google’s two-factor authentication – then it may mean that CloudFare is still insecure or vulnerable to a repeat compromise, which could affect the company’s ability to earn existing and potentially new customers’ trust.
Hopefully, CloudFare will respond to the hackers’ assertions with an update to their blog.
Update: CloudFare updated their blog with a more detailed explanation of how the information may have been obtained and it’s not quite what they thought originally, but kudos to them on their disclosure of social engineering so that everyone can learn how to protect themselves better.