Account security

user718 · 2017-10-10 18:53:12 UTC

hi,

i saw a new dns which i did not enter in my account and some page rules to direct some of my traffic to some virus.
i immediately disabled those pagerules

i changed my password
i changed global and orgin key API
i put up Google Authenticator for 2 step verification.

i asked cloudflare the ip that put those dns settings they gave me a russian ip which i do not recognize and i did not even get email from cloudflare that my account is logged in from new ip which is that ip.

after above 3 steps that those unknown page rules became active again without me even touching them again no email that some new ip logged in my account.
even after having 2 step verification and apis changed how can someone do that?

GulshanKumar · 2017-07-02 19:52:53 UTC

Regarding this query, you should immediately raise a support ticket via email support [at] cloudflare.com

user718 · 2017-07-02 20:06:52 UTC

i did, they said they will check this and haven’t heard back from them yet, meanwhile i thought somebody here might had same experience or might have some idea about what is going on.

tanto259 · 2017-07-03 02:18:24 UTC

Maybe try to scan your PC/phones. They could be infected with Remote Access Tools or Keyloggers. That will explain how someone have gain your credentials.

GulshanKumar · 2017-10-05 23:39:15 UTC

You did well by enabling TFA, please also consider enabling DNSSEC protection for your domain.