Friday , July 10 2026
Cloudflare

Cloudflare Blog
Cloudflare hacked using auth tokens stolen in Okta attack

Cloudflare disclosed that its internal Atlassian server was breached by a suspected ‘nation-state attacker’. The attacker gained access to Cloudflare’s Confluence wiki, Jira bug database, and Bitbucket source code management system.

How Hacker Compromise AWS Cloud Environment Using AI in 72 Hours

A major AWS attack shows how attackers with AI can connect known cloud strategies to go from first access to...
Read More
How Hacker Compromise AWS Cloud Environment Using AI in 72 Hours

Mycelium Framework: First AI-as-a-Service Botnet

A new cybercrime ad is catching attention in the security world. It talks about a botnet that doesn't just get...
Read More
Mycelium Framework: First AI-as-a-Service Botnet

CrowdStrike Shows 5 New Prompt Injection Techniques for AI Agents

CrowdStrike has shared five new ways to inject prompts, showing the rising danger to AI agents as more organizations use...
Read More
CrowdStrike Shows 5 New Prompt Injection Techniques for AI Agents

Critical GCP Dialogflow Vulnerability Allows Malicious Code Injection

A critical flaw in Google Cloud Platform’s Dialogflow CX lets attackers add harmful code to a company's AI chatbot system....
Read More
Critical GCP Dialogflow Vulnerability Allows Malicious Code Injection

CIRT identified 153 publicly exposed FortiGate devices in Bangladesh

CIRT identified 153 publicly exposed FortiGate devices in Bangladesh. In an advisory CIRT said, the campaign has been observed globally,...
Read More
CIRT identified 153 publicly exposed FortiGate devices in Bangladesh

Thousands of MCP Servers Exposed to File Access and Injection Attacks

Thousands of Model Context Protocol (MCP) servers have serious security flaws like file access issues, command injection, server-side request forgery...
Read More
Thousands of MCP Servers Exposed to File Access and Injection Attacks

CERT/CC Alerts to Hidden Admin Backdoor in Tenda Router Firmware

Several Tenda firmware versions have a hidden backdoor that lets people gain admin access to the device's web interface. An...
Read More
CERT/CC Alerts to Hidden Admin Backdoor in Tenda Router Firmware

Daily Cyber security update for 6. 07. 2026

Cyberattacks are rising around the world, including ransomware, malware, data leaks, and hacked websites. These events show how complex and...
Read More
Daily Cyber security update for 6. 07. 2026

“Bad Epoll” 0-Day Vulnerability Allows Root Access on Linux Servers, Android Devices

A new Linux flaw called “Bad Epoll” (CVE-2026-46242) lets regular users get root access on Linux servers, desktops, and Android...
Read More
“Bad Epoll” 0-Day Vulnerability Allows Root Access on Linux Servers, Android Devices

An AI performed a cyber attack without any human help for the first time

Security experts found what they think is the first time an AI carried out a cyber attack all by itself....
Read More
An AI performed a cyber attack without any human help for the first time

The attacker first accessed Cloudflare’s self-hosted Atlassian server on November 14, and then accessed the company’s Confluence and Jira systems after gathering information.

“They then returned on November 22 and established persistent access to our Atlassian server using ScriptRunner for Jira, gained access to our source code management system (which uses Atlassian Bitbucket), and tried, unsuccessfully, to access a console server that had access to the data center that Cloudflare had not yet put into production in São Paulo, Brazil,” said Cloudflare CEO Matthew Prince, CTO John Graham-Cumming, and CISO Grant Bourzikas,

Using stolen access credentials from a previous breach linked to Okta’s compromise in October 2023, the attackers gained unauthorized entry by utilizing one access token and three service account credentials. Cloudflare failed to update these credentials, which were leaked alongside thousands of others during the Okta breach.

Cloudflare detected malicious activity on November 23. They blocked the hacker’s access on the morning of November 24. Their cybersecurity forensics team started investigating the incident on November 26, three days later.

Cloudflare’s staff took several security measures in response to the incident. They changed over 5,000 production credentials and separated the test and staging systems. They also investigated 4,893 systems, reimaged and rebooted all systems on the global network, including Atlassian servers and machines accessed by the attacker.

The hackers tried to break into Cloudflare’s data center in São Paulo, but they failed. All equipment in the center was sent back to the manufacturers to make sure it was completely secure.

     Source: Cloudflare

Remediation efforts ended on January 5th. The company’s staff is still working on strengthening software, managing credentials, and vulnerabilities.

The company assures that this breach did not affect any customer data or systems of Cloudflare. Additionally, their services, global network systems, and configuration were not impacted either.

“Even though we understand the operational impact of the incident to be extremely limited, we took this incident very seriously because a threat actor had used stolen credentials to get access to our Atlassian server and accessed some documentation and a limited amount of source code,” said Prince, Graham-Cumming, and Bourzikas.

Check Also

MCP Servers

Thousands of MCP Servers Exposed to File Access and Injection Attacks

Thousands of Model Context Protocol (MCP) servers have serious security flaws like file access issues, …