Account compromised or Cloudflare hacked?

Around 2/2/2024 through 2/5/2024 I noticed changes being made to my DNS records, but it looks like it was done through the API rather than the site. I never use the API, and some of the changes occurred not long after I logged on but also on days that I did not log on, so whoever it was had persistence. On the first day in question I was looking around the website and noticed odd JavaScript errors being displayed near the bottom of my browser. I use the latest Firefox. Other than the odd errors, everything else worked fine with the site. I have since changed my password and generated new API keys just to be safe. Please let me know if anyone else sees odd activity in their audit logs. Also, let me know if I should post some of the usual activity from the audit log here. Also note that all the changes came from private intranet IP addresses, making me think either someone at Cloudflare made the changes or a system inside Cloudflare’s network has been compromised.

Hi there,

Sorry for the issues you are facing.

Happy to take a look if you are able to share some of the audit logs you noticed and give my thoughts.
For security you can censor the hostnames of your site etc. from the logs, but I would be interested to see the event type, IP address, etc. Cloudflare does not typically make changes on customers’ accounts. We do have some automated processes that run (e.g. deleting zones in moved status, purging deleted zones, etc.), and these generally show as being made by 127.0.0.1 localhost on Cloudflare.

If you believe your account may have been compromised, you have done the right thing to cycle your password and change API keys.

I would also recommend implementing two-factor if you have not done so, and also viewing any active sessions for the dashboard and revoking any you are unsure about.

regards,


Hello,
Thanks for getting back to me. Especially if you work for Cloudflare, this log should be very interesting. If your internal IP is usually 127.0.0.1 loopback, then someone was doing something to my account for sure, and from an intranet IP range starting with 172.18.*, which should probably be blocked by Cloudflare’s firewall. If that IP range is not used internally to Cloudflare, your service has been compromised, since my IP is from my ISP. Also, I did not log on at all on 2/4/2024, yet someone was making changes even on 2/5/2024 just before I logged on and noticed the odd activity. I immediately changed my password and changed the API keys even though I have never used them. I had 2FA already on and I always log off of every session, even though the audit log does not seem to show logoffs. I’m usually on the site for no longer than 10 minutes. My OS and browser are up to date, yet on 2/2/2024 I noticed odd JavaScript errors being displayed near the bottom of the browser. I have never seen that with any other site, and I use the same browser for at least 20 sites without such odd errors. If there are JavaScript issues that caused any type of compromise, it seems like an issue on Cloudflare’s website code side. Below is a redacted version of the audit log for the period in question. My email, name and domain names have all been modified along with my IP, but the hacker’s or whoever’s IP is visible. I also had to remove the new values since there is a limit to how long a comment on here can be. Note I did not order any certificates, subdomains, or modify any DNS records between 2/2-2/5. My DNS records currently appear normal last I checked, making this all even more strange:

Time	Action	Actor Type	Actor IP	Resource Type	Interface	Metadata	OldValue
2024-02-05T21:28:17Z	login	user	legit	account		{"actor_email":"db2024"}	
2024-02-05T19:57:50Z	deployed	system		certificate_pack		{"zone_name":"mydomain","zone_tag":"259f9d54f6ea1c3fdc07216e5cf1b95e"}	{"id": "fe747cfb-9142-40ae-b506-6e85eea64611", "sans": ["mydomain", "*.mydomain"], "type": "universal", "hosts": ["mydomain", "*.mydomain"], "status": "pending_deployment", "qs_mode": 0, "zone_id": "259f9d54f6ea1c3fdc07216e5cf1b95e", "priority": 0, "created_at": "2023-12-08T18:55:16.518314Z", "modified_on": "2024-02-05T19:57:49.327579Z", "certificates": [{"id": "ff6e0cee-9355-43b8-a8ba-6e290ac31556", "hosts": ["mydomain", "*.mydomain"], "issuer": "LetsEncrypt", "status": "pending_deployment", "zone_id": "259f9d54f6ea1c3fdc07216e5cf1b95e", "priority": null, "signature": "ECDSAWithSHA384", "expires_on": "2024-05-05T18:57:46Z", "modified_on": "2024-02-05T19:57:49.327579Z", "uploaded_on": null, "bundle_method": "ubiquitous", "serial_number": "372672458239321655907182445094834021414069"}], "dedicated_ips": false, "validity_days": 90, "qs_mode_desired": null, "validation_method": "txt", "qs_mode_changed_at": null, "primary_certificate": "ff6e0cee-9355-43b8-a8ba-6e290ac31556", "certificate_authority": "lets_encrypt_account_1"}
2024-02-05T19:57:49Z	ordered	system		certificate_pack		{"zone_name":"mydomain","zone_tag":"259f9d54f6ea1c3fdc07216e5cf1b95e"}	{"id": "fe747cfb-9142-40ae-b506-6e85eea64611", "sans": ["mydomain", "*.mydomain"], "type": "universal", "hosts": ["*.mydomain", "mydomain"], "status": "pending_validation", "qs_mode": 0, "zone_id": "259f9d54f6ea1c3fdc07216e5cf1b95e", "brand_id": null, "priority": 0, "authority": "lets_encrypt_account_1", "modified_on": "2024-02-05T19:56:32.752609Z", "certificates": [{"id": "c4b26664-53fd-4d89-872a-44339d2e323d", "issuer": "LetsEncrypt", "issued_on": "2023-12-08T17:57:45Z", "signature": "ECDSAWithSHA384", "expires_on": "2024-03-07T17:57:44Z", "serial_number": "264875061928456004890988727595619872212956", "fingerprint_sha256": "1b0140f2cc6eab0b60670363c1898fde4209e64294bba005a65147e466445f04"}], "bundle_method": "ubiquitous", "dedicated_ips": false, "validity_days": 90, "qs_mode_desired": null, "validation_type": "dv", "validation_method": "txt", "qs_mode_changed_at": null, "validation_records": [{"status": "processing", "txt_name": "_acme-challenge.mydomain", "txt_value": "NswcxBhNqYu4Xm6GnzQHTDR7hSYQUshzMq6rjpUfYLw"}, {"status": "processing", "txt_name": "_acme-challenge.mydomain", "txt_value": "M9F3oIDE-Zk4lfWMCprDlSlVEc3BLBUE_xAY7racqSI"}]}
2024-02-05T19:57:49Z	delete	system		dns.record	API	{}	
2024-02-05T19:57:49Z	delete	system		dns.record	API	{}	
2024-02-05T19:56:32Z	created	system		certificate_pack		{"zone_name":"mydomain","zone_tag":"259f9d54f6ea1c3fdc07216e5cf1b95e"}	
2024-02-05T19:56:32Z	create	system		dns.record	API	{}	
2024-02-05T19:56:32Z	create	system		dns.record	API	{}	
2024-02-04T21:40:21Z	deployed	system		certificate_pack		{"zone_name":"myBdomain","zone_tag":"e17bff755a78e7502eccbd2e5e98bf98"}	{"id": "ebc69405-7f56-432b-a2b5-93eb52295997", "sans": ["myBdomain", "*.myBdomain"], "type": "universal", "hosts": ["myBdomain", "*.myBdomain"], "status": "pending_deployment", "qs_mode": 0, "zone_id": "e17bff755a78e7502eccbd2e5e98bf98", "priority": 0, "created_at": "2023-12-07T21:26:26.638455Z", "modified_on": "2024-02-04T21:40:19.27147Z", "certificates": [{"id": "db899582-7150-43a7-944b-6048cf5548e2", "hosts": ["myBdomain", "*.myBdomain"], "issuer": "LetsEncrypt", "status": "pending_deployment", "zone_id": "e17bff755a78e7502eccbd2e5e98bf98", "priority": null, "signature": "ECDSAWithSHA384", "expires_on": "2024-05-04T20:40:17Z", "modified_on": "2024-02-04T21:40:19.27147Z", "uploaded_on": null, "bundle_method": "ubiquitous", "serial_number": "310165925766527947744504829895855134352877"}], "dedicated_ips": false, "validity_days": 90, "qs_mode_desired": null, "validation_method": "txt", "qs_mode_changed_at": null, "primary_certificate": "db899582-7150-43a7-944b-6048cf5548e2", "certificate_authority": "lets_encrypt_account_1"}
2024-02-04T21:40:19Z	ordered	system		certificate_pack		{"zone_name":"myBdomain","zone_tag":"e17bff755a78e7502eccbd2e5e98bf98"}	{"id": "ebc69405-7f56-432b-a2b5-93eb52295997", "sans": ["myBdomain", "*.myBdomain"], "type": "universal", "hosts": ["*.myBdomain", "myBdomain"], "status": "pending_validation", "qs_mode": 0, "zone_id": "e17bff755a78e7502eccbd2e5e98bf98", "brand_id": null, "priority": 0, "authority": "lets_encrypt_account_1", "modified_on": "2024-02-04T21:38:08.488237Z", "certificates": [{"id": "2dae35d8-881c-4547-ae9c-6474159c7091", "issuer": "LetsEncrypt", "issued_on": "2023-12-07T20:29:00Z", "signature": "ECDSAWithSHA384", "expires_on": "2024-03-06T20:28:59Z", "serial_number": "420120516540986233770276904482936858809433", "fingerprint_sha256": "31788efc27dce555232d902f231e92f562365b4d627f99d6ab456f4459b1d378"}], "bundle_method": "ubiquitous", "dedicated_ips": false, "validity_days": 90, "qs_mode_desired": null, "validation_type": "dv", "validation_method": "txt", "qs_mode_changed_at": null, "validation_records": [{"status": "valid", "txt_name": "_acme-challenge.myBdomain", "txt_value": "JCxUMVTt_74ED95S96spMfgNSHFfZwaJ6_WX60At8H4"}, {"status": "processing", "txt_name": "_acme-challenge.myBdomain", "txt_value": "788cYZraWtHvEK786A7NFPQ2nZElZMoGIK11hHaNnrA"}]}
2024-02-04T21:40:19Z	delete	system		dns.record	API	{}	
2024-02-04T21:40:19Z	delete	system		dns.record	API	{}	
2024-02-04T21:40:19Z	create	system		dns.record	API	{}	
2024-02-04T21:40:19Z	delete	system		dns.record	API	{}	
2024-02-04T21:38:08Z	created	system		certificate_pack		{"zone_name":"myBdomain","zone_tag":"e17bff755a78e7502eccbd2e5e98bf98"}	
2024-02-04T21:38:08Z	create	system		dns.record	API	{}	
2024-02-04T21:38:08Z	create	system		dns.record	API	{}	
2024-02-03T01:39:50Z	backup_issued	system		certificate_pack		{"zone_name":"wispy-darkness-01c0.workers.dev"}	{"id": "5495cc21-80be-4300-8e7e-19031186277f", "sans": ["wispy-darkness-01c0.workers.dev", "*.wispy-darkness-01c0.workers.dev"], "type": "universal", "backup": true, "status": "pending_validation", "qs_mode": 0, "zone_id": "5925ea4563a976529c888512840105ff", "brand_id": null, "priority": 0, "authority": "sectigo", "modified_on": "2024-02-02T18:26:42.120616Z", "bundle_method": "ubiquitous", "dedicated_ips": false, "validity_days": 90, "qs_mode_desired": null, "validation_type": "dv", "validation_method": "txt", "qs_mode_changed_at": null, "validation_records": [{"status": "valid", "txt_name": "_acme-challenge.wispy-darkness-01c0.workers.dev", "txt_value": "TLpA21273_bdR_Q8uUMTB24W85w9CuBos8oGXvSxSzo"}, {"status": "processing", "txt_name": "_acme-challenge.wispy-darkness-01c0.workers.dev", "txt_value": "Ocw_30aIUo_w-5s7XOJAX_kA_2eBmEieu-MjkNbC4MY"}]}
2024-02-03T01:39:50Z	delete	system		dns.record	API	{}	
2024-02-03T01:39:50Z	delete	system		dns.record	API	{}	
2024-02-03T01:39:50Z	create	system		dns.record	API	{}	
2024-02-03T01:39:50Z	delete	system		dns.record	API	{}	
2024-02-02T18:32:08Z	deployed	system		certificate_pack		{"zone_name":"wispy-darkness-01c0.workers.dev"}	{"id": "91d39b61-eecb-42c0-a573-023f36d0ae05", "sans": ["wispy-darkness-01c0.workers.dev", "*.wispy-darkness-01c0.workers.dev"], "type": "universal", "hosts": ["wispy-darkness-01c0.workers.dev", "*.wispy-darkness-01c0.workers.dev"], "status": "pending_deployment", "qs_mode": 0, "zone_id": "5925ea4563a976529c888512840105ff", "priority": 0, "created_at": "2024-02-02T18:26:35.842859Z", "modified_on": "2024-02-02T18:32:07.010492Z", "certificates": [{"id": "d890580c-4cb6-4254-9d5c-029da27d6dfb", "hosts": ["wispy-darkness-01c0.workers.dev", "*.wispy-darkness-01c0.workers.dev"], "issuer": "LetsEncrypt", "status": "pending_deployment", "zone_id": "5925ea4563a976529c888512840105ff", "priority": null, "signature": "ECDSAWithSHA384", "expires_on": "2024-05-02T17:32:04Z", "modified_on": "2024-02-02T18:32:07.010492Z", "uploaded_on": null, "bundle_method": "ubiquitous", "serial_number": "434676617822651379893234618661613754329453"}], "dedicated_ips": false, "validity_days": 90, "qs_mode_desired": null, "validation_method": "txt", "qs_mode_changed_at": null, "primary_certificate": "d890580c-4cb6-4254-9d5c-029da27d6dfb", "certificate_authority": "lets_encrypt_account_1"}
2024-02-02T18:32:07Z	ordered	system		certificate_pack		{"zone_name":"wispy-darkness-01c0.workers.dev"}	{"id": "91d39b61-eecb-42c0-a573-023f36d0ae05", "sans": ["wispy-darkness-01c0.workers.dev", "*.wispy-darkness-01c0.workers.dev"], "type": "universal", "status": "pending_validation", "qs_mode": 0, "zone_id": "5925ea4563a976529c888512840105ff", "brand_id": null, "priority": 0, "authority": "lets_encrypt_account_1", "modified_on": "2024-02-02T18:29:45.035417Z", "bundle_method": "ubiquitous", "dedicated_ips": false, "validity_days": 90, "qs_mode_desired": null, "validation_type": "dv", "validation_method": "txt", "qs_mode_changed_at": null, "validation_records": [{"status": "valid", "txt_name": "_acme-challenge.wispy-darkness-01c0.workers.dev", "txt_value": "63e876IxwOsK19woC3WLK1SfAAtFv31RL6bQoVBPzgI"}, {"status": "processing", "txt_name": "_acme-challenge.wispy-darkness-01c0.workers.dev", "txt_value": "xpTwfYanGNGl1O-sHj3C1to18kI8tagZFuhhRFUlACw"}]}
2024-02-02T18:32:06Z	delete	system		dns.record	API	{}	
2024-02-02T18:32:06Z	delete	system		dns.record	API	{}	
2024-02-02T18:32:06Z	create	system		dns.record	API	{}	
2024-02-02T18:32:06Z	delete	system		dns.record	API	{}	
2024-02-02T18:30:55Z	create	system		dns.record	API	{}	
2024-02-02T18:30:55Z	delete	system		dns.record	API	{}	
2024-02-02T18:29:45Z	create	system		dns.record	API	{}	
2024-02-02T18:29:45Z	create	system		dns.record	API	{}	
2024-02-02T18:29:45Z	delete	system		dns.record	API	{}	
2024-02-02T18:29:45Z	delete	system		dns.record	API	{}	
2024-02-02T18:26:42Z	subdomain_registered	user	looks-ok-but-did-not-do	workers_subdomain		{"actor_email":"db2024","subdomain":"wispy-darkness-01c0"}	
2024-02-02T18:26:42Z	created	system		certificate_pack		{"zone_name":"wispy-darkness-01c0.workers.dev"}	
2024-02-02T18:26:42Z	create	system		dns.record	API	{}	
2024-02-02T18:26:42Z	create	system		dns.record	API	{}	
2024-02-02T18:26:39Z	tls_settings_deployed	system		zone		{"zone_name":"wispy-darkness-01c0.workers.dev"}	null
2024-02-02T18:26:39Z	change_setting	user	172.18.38.70	zone		{"actor_email":"db2024","name":"SSL","old_value":"flexible","type":"crypto","value":"full_strict","zone_name":"wispy-darkness-01c0.workers.dev"}	
2024-02-02T18:26:38Z	change_setting	user	172.18.107.19	zone		{"actor_email":"db2024","name":"browser_cache_exp","type":"caching","value":0,"zone_name":"wispy-darkness-01c0.workers.dev"}	
2024-02-02T18:26:37Z	change_setting	user	172.18.117.247	zone		{"actor_email":"db2024","name":"always_online","type":"caching","value":"off","zone_name":"wispy-darkness-01c0.workers.dev"}	
2024-02-02T18:26:36Z	created	system		certificate_pack		{"zone_name":"wispy-darkness-01c0.workers.dev"}	
2024-02-02T18:26:36Z	create	system		dns.record	API	{}	
2024-02-02T18:26:36Z	create	system		dns.record	API	{}	
2024-02-02T18:26:35Z	created	system		certificate_pack		{"zone_name":"wispy-darkness-01c0.workers.dev"}	
2024-02-02T18:26:35Z	create	system		dns.record	API	{}	
2024-02-02T18:26:30Z	created	system		certificate_pack		{"zone_name":"name-e0c.workers.dev"}	
2024-02-02T18:26:30Z	create	system		dns.record	API	{}	
2024-02-02T18:26:30Z	create	system		dns.record	API	{}	
2024-02-02T18:26:28Z	created	system		certificate_pack		{"zone_name":"name-e0c.workers.dev"}	
2024-02-02T18:26:28Z	create	system		dns.record	API	{}	
2024-02-02T18:26:28Z	create	system		dns.record	API	{}	
2024-02-02T18:26:27Z	tls_settings_deployed	system		zone		{"zone_name":"name-e0c.workers.dev"}	null
2024-02-02T18:26:26Z	created	system		certificate_pack		{"zone_name":"name-e0c.workers.dev"}	
2024-02-02T18:26:25Z	created	system		certificate_pack		{"zone_name":"name-5e0.workers.dev"}	
2024-02-02T18:26:25Z	create	system		dns.record	API	{}	
2024-02-02T18:26:25Z	create	system		dns.record	API	{}	
2024-02-02T18:26:25Z	created	system		certificate_pack		{"zone_name":"name-5e0.workers.dev"}	
2024-02-02T18:26:25Z	create	system		dns.record	API	{}	
2024-02-02T18:26:25Z	create	system		dns.record	API	{}	
2024-02-02T18:26:24Z	tls_settings_deployed	system		zone		{"zone_name":"name-5e0.workers.dev"}	null
2024-02-02T18:26:24Z	created	system		certificate_pack		{"zone_name":"name-5e0.workers.dev"}	
2024-02-02T18:26:24Z	nameservers_confirmed	user		zone		{"actor_email":"db2024","zone_name":"wispy-darkness-01c0.workers.dev"}	
2024-02-02T18:26:24Z	add	user	172.18.38.70	zone		{"actor_email":"db2024","zone_name":"wispy-darkness-01c0.workers.dev"}	
2024-02-02T18:26:24Z	pending	user	172.18.38.70	zone		{"actor_email":"db2024","zone_name":"wispy-darkness-01c0.workers.dev"}	
2024-02-02T18:26:24Z	change_setting	user		zone		{"actor_email":"db2024","name":"SSL","type":"crypto","value":"flexible","zone_name":"wispy-darkness-01c0.workers.dev"}	
2024-02-02T18:26:24Z	change_setting	user	172.18.38.70	zone		{"actor_email":"db2024","name":"IPv6","type":"network","value":true,"zone_name":"wispy-darkness-01c0.workers.dev"}	
2024-02-02T18:26:17Z	tls_settings_deployed	system		zone		{"zone_name":"name.workers.dev"}	null
2024-02-02T18:26:12Z	created	system		certificate_pack		{"zone_name":"name.workers.dev"}	
2024-02-02T18:26:12Z	create	system		dns.record	API	{}	
2024-02-02T18:26:12Z	create	system		dns.record	API	{}	
2024-02-02T18:26:12Z	created	system		certificate_pack		{"zone_name":"name.workers.dev"}	
2024-02-02T18:26:12Z	create	system		dns.record	API	{}	
2024-02-02T18:26:12Z	create	system		dns.record	API	{}	
2024-02-02T18:26:11Z	created	system		certificate_pack		{"zone_name":"name.workers.dev"}	
2024-02-02T18:26:08Z	change_setting	user		zone		{"actor_email":"db2024","name":"SSL","type":"crypto","value":"flexible","zone_name":"name-e0c.workers.dev"}	
2024-02-02T18:26:08Z	nameservers_confirmed	user		zone		{"actor_email":"db2024","zone_name":"name-e0c.workers.dev"}	
2024-02-02T18:26:08Z	change_setting	user	172.18.117.247	zone		{"actor_email":"db2024","name":"IPv6","type":"network","value":true,"zone_name":"name-e0c.workers.dev"}	
2024-02-02T18:26:08Z	pending	user	172.18.117.247	zone		{"actor_email":"db2024","zone_name":"name-e0c.workers.dev"}	
2024-02-02T18:26:08Z	add	user	172.18.117.247	zone		{"actor_email":"db2024","zone_name":"name-e0c.workers.dev"}	
2024-02-02T18:25:42Z	change_setting	user		zone		{"actor_email":"db2024","name":"SSL","type":"crypto","value":"flexible","zone_name":"name-5e0.workers.dev"}	
2024-02-02T18:25:42Z	nameservers_confirmed	user		zone		{"actor_email":"db2024","zone_name":"name-5e0.workers.dev"}	
2024-02-02T18:25:42Z	add	user	172.18.253.82	zone		{"actor_email":"db2024","zone_name":"name-5e0.workers.dev"}	
2024-02-02T18:25:42Z	change_setting	user	172.18.253.82	zone		{"actor_email":"db2024","name":"IPv6","type":"network","value":true,"zone_name":"name-5e0.workers.dev"}	
2024-02-02T18:25:42Z	pending	user	172.18.253.82	zone		{"actor_email":"db2024","zone_name":"name-5e0.workers.dev"}	
2024-02-02T18:25:25Z	change_setting	user		zone		{"actor_email":"db2024","name":"SSL","type":"crypto","value":"flexible","zone_name":"name.workers.dev"}	
2024-02-02T18:25:25Z	pending	user	172.18.77.10	zone		{"actor_email":"db2024","zone_name":"name.workers.dev"}	
2024-02-02T18:25:25Z	nameservers_confirmed	user		zone		{"actor_email":"db2024","zone_name":"name.workers.dev"}	
2024-02-02T18:25:25Z	add	user	172.18.77.10	zone		{"actor_email":"db2024","zone_name":"name.workers.dev"}	
2024-02-02T18:25:25Z	change_setting	user	172.18.77.10	zone		{"actor_email":"db2024","name":"IPv6","type":"network","value":true,"zone_name":"name.workers.dev"}	
2024-02-02T18:20:12Z	add_enforce_twofactor	user	legit	account	UI	{}	{"enforce_twofactor": "NULL"}
2024-02-02T18:13:12Z	login	user	legit	account		{"actor_email":"db2024"}	

That is the end of the audit log. Please let me know what you think of all this odd activity and the IP addresses that made the changes.
Thanks
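
One way to triage an export like the one above, as an added example that is not part of the original posts and is not Cloudflare tooling: it lists user-actor events whose Actor IP is an RFC 1918 address, and checks whether each system `dns.record` change falls within a few minutes of a `certificate_pack` event. The rows are abridged from the post plus one constructed row (marked); the function names and the five-minute window are assumptions, and time proximity is a heuristic, not attribution.

```python
import csv
import io
import ipaddress
import json
from datetime import datetime, timedelta

HEADER = ("Time", "Action", "Actor Type", "Actor IP", "Resource Type",
          "Interface", "Metadata", "OldValue")

# Rows abridged from the audit log in the post (OldValue dropped), plus one
# constructed row that does not appear in the post.
ROWS = [
    ("2024-02-05T21:28:17Z", "login", "user", "legit", "account", "",
     '{"actor_email":"db2024"}', ""),
    ("2024-02-05T19:57:49Z", "ordered", "system", "", "certificate_pack", "",
     '{"zone_name":"mydomain"}', ""),
    ("2024-02-05T19:57:49Z", "delete", "system", "", "dns.record", "API", "{}", ""),
    ("2024-02-05T19:56:32Z", "created", "system", "", "certificate_pack", "",
     '{"zone_name":"mydomain"}', ""),
    ("2024-02-05T19:56:32Z", "create", "system", "", "dns.record", "API", "{}", ""),
    ("2024-02-02T18:26:39Z", "change_setting", "user", "172.18.38.70", "zone", "",
     '{"actor_email":"db2024","name":"SSL","value":"full_strict",'
     '"zone_name":"wispy-darkness-01c0.workers.dev"}', ""),
    ("2024-02-02T18:26:24Z", "add", "user", "172.18.38.70", "zone", "",
     '{"actor_email":"db2024","zone_name":"wispy-darkness-01c0.workers.dev"}', ""),
    ("2024-02-02T18:25:25Z", "add", "user", "172.18.77.10", "zone", "",
     '{"actor_email":"db2024","zone_name":"name.workers.dev"}', ""),
    ("2024-02-02T18:13:12Z", "login", "user", "legit", "account", "",
     '{"actor_email":"db2024"}', ""),
    # CONSTRUCTED row: a DNS change with no certificate activity nearby.
    ("2024-02-01T03:00:00Z", "delete", "system", "127.0.0.1", "dns.record", "API",
     "{}", ""),
]
SAMPLE_TSV = "\n".join("\t".join(r) for r in (HEADER,) + tuple(ROWS))


def classify_ip(value):
    """Bucket the Actor IP column: none / redacted / loopback / private / public."""
    if not value:
        return "none"
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return "redacted"          # e.g. the poster's "legit" placeholder
    if ip.is_loopback:             # check first: loopback also counts as private
        return "loopback"
    if ip.is_private:              # includes 10/8, 172.16/12, 192.168/16
        return "private"
    return "public"


def parse(text):
    """Parse the tab-separated export; the JSON columns contain bare quotes."""
    reader = csv.DictReader(io.StringIO(text), delimiter="\t",
                            quoting=csv.QUOTE_NONE)
    events = []
    for row in reader:
        events.append({
            "time": datetime.strptime(row["Time"], "%Y-%m-%dT%H:%M:%SZ"),
            "action": row["Action"],
            "actor": row["Actor Type"],
            "ip": row["Actor IP"],
            "ip_class": classify_ip(row["Actor IP"]),
            "resource": row["Resource Type"],
            "meta": json.loads(row["Metadata"] or "{}"),
        })
    return events


def triage(events, window=timedelta(minutes=5)):
    """Split the log into entries to raise with support and likely automation."""
    cert_times = [e["time"] for e in events
                  if e["resource"] == "certificate_pack"]
    report = {"user_private_ip": [], "dns_near_cert": 0, "dns_unexplained": []}
    for e in events:
        if e["actor"] == "user" and e["ip_class"] == "private":
            report["user_private_ip"].append(
                (e["time"].isoformat(), e["action"], e["ip"],
                 e["meta"].get("zone_name", "")))
        elif e["resource"] == "dns.record":
            # dns.record rows carry no zone name here, so only time can be used.
            if any(abs(e["time"] - t) <= window for t in cert_times):
                report["dns_near_cert"] += 1
            else:
                report["dns_unexplained"].append(
                    (e["time"].isoformat(), e["action"], e["ip_class"]))
    return report


if __name__ == "__main__":
    result = triage(parse(SAMPLE_TSV))
    for key, value in result.items():
        print(key, value)
```
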

Please see my prior reply. Here is a comma-delimited version of the audit log if you need it:

2024-02-02T18:26:12Z,created,system,,certificate_pack,,"{""zone_name"":""name.workers.dev""}",
2024-02-02T18:26:12Z,create,system,,dns.record,API,{},
2024-02-02T18:26:12Z,create,system,,dns.record,API,{},
2024-02-02T18:26:12Z,created,system,,certificate_pack,,"{""zone_name"":""name.workers.dev""}",
2024-02-02T18:26:12Z,create,system,,dns.record,API,{},
2024-02-02T18:26:12Z,create,system,,dns.record,API,{},
2024-02-02T18:26:11Z,created,system,,certificate_pack,,"{""zone_name"":""name.workers.dev""}",
2024-02-02T18:26:08Z,change_setting,user,,zone,,"{""actor_email"":""db2024"",""name"":""SSL"",""type"":""crypto"",""value"":""flexible"",""zone_name"":""name-e0c.workers.dev""}",
2024-02-02T18:26:08Z,nameservers_confirmed,user,,zone,,"{""actor_email"":""db2024"",""zone_name"":""name-e0c.workers.dev""}",
2024-02-02T18:26:08Z,change_setting,user,172.18.117.247,zone,,"{""actor_email"":""db2024"",""name"":""IPv6"",""type"":""network"",""value"":true,""zone_name"":""name-e0c.workers.dev""}",
2024-02-02T18:26:08Z,pending,user,172.18.117.247,zone,,"{""actor_email"":""db2024"",""zone_name"":""name-e0c.workers.dev""}",
2024-02-02T18:26:08Z,add,user,172.18.117.247,zone,,"{""actor_email"":""db2024"",""zone_name"":""name-e0c.workers.dev""}",
2024-02-02T18:25:42Z,change_setting,user,,zone,,"{""actor_email"":""db2024"",""name"":""SSL"",""type"":""crypto"",""value"":""flexible"",""zone_name"":""name-5e0.workers.dev""}",
2024-02-02T18:25:42Z,nameservers_confirmed,user,,zone,,"{""actor_email"":""db2024"",""zone_name"":""name-5e0.workers.dev""}",
2024-02-02T18:25:42Z,add,user,172.18.253.82,zone,,"{""actor_email"":""db2024"",""zone_name"":""name-5e0.workers.dev""}",
2024-02-02T18:25:42Z,change_setting,user,172.18.253.82,zone,,"{""actor_email"":""db2024"",""name"":""IPv6"",""type"":""network"",""value"":true,""zone_name"":""name-5e0.workers.dev""}",
2024-02-02T18:25:42Z,pending,user,172.18.253.82,zone,,"{""actor_email"":""db2024"",""zone_name"":""name-5e0.workers.dev""}",
2024-02-02T18:25:25Z,change_setting,user,,zone,,"{""actor_email"":""db2024"",""name"":""SSL"",""type"":""crypto"",""value"":""flexible"",""zone_name"":""name.workers.dev""}",
2024-02-02T18:25:25Z,pending,user,172.18.77.10,zone,,"{""actor_email"":""db2024"",""zone_name"":""name.workers.dev""}",
2024-02-02T18:25:25Z,nameservers_confirmed,user,,zone,,"{""actor_email"":""db2024"",""zone_name"":""name.workers.dev""}",
2024-02-02T18:25:25Z,add,user,172.18.77.10,zone,,"{""actor_email"":""db2024"",""zone_name"":""name.workers.dev""}",
2024-02-02T18:25:25Z,change_setting,user,172.18.77.10,zone,,"{""actor_email"":""db2024"",""name"":""IPv6"",""type"":""network"",""value"":true,""zone_name"":""name.workers.dev""}",
2024-02-02T18:20:12Z,add_enforce_twofactor,user,legit,account,UI,{},"{""enforce_twofactor"": ""NULL""}"
2024-02-02T18:13:12Z,login,user,legit,account,,"{""actor_email"":""db2024""}",
,,,,,,,
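The post's argument rests on which source addresses the audit log records for user-initiated events. The script below is an added example, not part of the original post and not Cloudflare tooling. It triages an export in that shape by classifying each actor IP and listing the zones touched from RFC 1918 addresses. The column names and sample rows are assumptions constructed from the shape of the rows shown above.

```python
import csv
import io
import ipaddress
import json
from collections import defaultdict

# Assumed column names, inferred from the shape of the rows in the post.
FIELDS = "when action actor_type actor_ip resource interface metadata extra".split()
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample rows in the posted log's shape; 203.0.113.7 is a documentation address.
SAMPLE = '''\
2024-02-02T18:26:39Z,change_setting,user,172.18.38.70,zone,,"{""actor_email"":""db2024"",""name"":""SSL"",""value"":""full_strict"",""zone_name"":""wispy-darkness-01c0.workers.dev""}",
2024-02-02T18:26:24Z,add,user,172.18.38.70,zone,,"{""actor_email"":""db2024"",""zone_name"":""wispy-darkness-01c0.workers.dev""}",
2024-02-02T18:25:25Z,add,user,172.18.77.10,zone,,"{""actor_email"":""db2024"",""zone_name"":""name.workers.dev""}",
2024-02-02T18:26:12Z,create,system,,dns.record,API,{},
2024-02-02T18:13:12Z,login,user,legit,account,,"{""actor_email"":""db2024""}",
2024-02-02T18:10:00Z,login,user,203.0.113.7,account,,"{""actor_email"":""db2024""}",
,,,,,,,
'''

def classify_ip(value):
    """Return one of: none, redacted, loopback, private, external."""
    if not value:
        return "none"
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return "redacted"  # e.g. the poster's "legit" placeholder
    if ip.is_loopback:
        return "loopback"
    return "private" if any(ip in net for net in RFC1918) else "external"

def triage(text):
    """Count user events per address class; map private IPs to zones touched."""
    classes, zones, system_api = defaultdict(int), defaultdict(set), 0
    for row in csv.DictReader(io.StringIO(text), fieldnames=FIELDS):
        if not row["when"]:
            continue  # empty rows such as ",,,,,,,"
        if row["actor_type"] == "system":
            system_api += row["interface"] == "API"
            continue
        kind = classify_ip(row["actor_ip"])
        classes[kind] += 1
        zone = json.loads(row["metadata"] or "{}").get("zone_name")
        if kind == "private" and zone:
            zones[row["actor_ip"]].add(zone)
    return dict(classes), {ip: sorted(z) for ip, z in zones.items()}, system_api
```

RFC 1918 addresses are not routable on the public internet, so an entry in the `private` class cannot be traced to an outside host by address alone. What the output does give is the exact set of zones and timestamps to raise with the provider.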

May I ask if your domain was redirected to some other particular? :thinking:

Hi, I’m not sure if there are any subdomains being used for who knows what. I have not tried to check everything externally yet. That really does not seem like the most important question based on the situation though. I’m also surprised no Cloudflare employees have replied to this issue. The logs I posted seem to show Cloudflare was breached and yet no one at Cloudflare seems to care. Pretty amazing.

Why does Cloudflare have API access enabled on new accounts anyway? Should such a security hole be disabled until someone needs it???

How do I completely disable all API access for my account?

I tried to follow this blog entry:

https://blog.cloudflare.com/improved-api-access-control/

But there is no such option under my “Members” page under “Manage account”.

Use of the API requires the global API key, for which you need to log into the account, then use the password again to get the key. If someone can use the API to access your account, then your account has already been compromised to get the key so it’s already too late. They could just re-enable the disabled API access.

Poor/reused passwords and lack of 2FA are the cause of compromise.

From the blog…
“This feature is available for our enterprise users starting today.”

If you think your account has been compromised, after resecuring the account then you should rotate the global API key. Advice is here…

1 Like

WOW, really? Does anyone on here have reading comprehension skills at all?

I have 2FA and a very strong password enabled. I have all the latest updates applied to my system and browser. I have NEVER encountered any issues with ANY OTHER website EXCEPT THIS ONE!!!

So is it Cloudflare’s business model to leave clear security issues like global API keys on by default for all accounts only to hack non-enterprise clients’ accounts in an effort to basically force them to pay for actual support contracts? I’m not saying you are doing this, just asking a question based on the data.

I’ll forward the log files onto the appropriate authorities. Thank you all for nothing.
