Account security

hi,

i saw a new dns which i did not enter in my account and some page rules to direct some of my traffic to some virus.
i immediately disabled those pagerules

  1. i changed my password
  2. i changed global and orgin key API
  3. i put up Google Authenticator for 2 step verification.

i asked Cloudflare the ip that put those dns settings they gave me a russian ip which i do not recognize and i did not even get email from Cloudflare that my account is logged in from new ip which is that ip.

after above 3 steps that those unknown page rules became active again without me even touching them again no email that some new ip logged in my account.
even after having 2 step verification and apis changed how can someone do that?

Regarding this query, you should immediately raise a support ticket via email support [at] Cloudflare.com

1 Like

i did, they said they will check this and haven’t heard back from them yet, meanwhile i thought somebody here might had same experience or might have some idea about what is going on.

1 Like

Maybe try to scan your PC/phones. They could be infected with Remote Access Tools or Keyloggers. That will explain how someone have gain your credentials.

1 Like

You did well by enabling TFA, please also consider enabling DNSSEC protection for your domain.

https://support.cloudflare.com/hc/en-us/articles/212165728-How-do-I-turn-on-DNSSEC-

1 Like