Cloudflare account compromissed - need help

My cloudflare account has been compromissed;
in the meanwhile it has been resetted & 2FA has been enabled.
for all the domains in the account (55ish)
actions & data have been changed.

What does this mean, and what should I do?
also - i think this impact the certificate that is now active on all domains, but I can not delete it, as it is the only one?
thanks for some help!

It is not clear if you still have access to your account. If you still have access to the account, rotate all API keys, enable 2FA, and change your password.

Then check the audit log to check what has been changed.

Hi, thanks for the reply: I’m a little confused by your reply:
As listed above:

I have recovered my account
I have resetted my password
I have enabled 2FA
and I am seeing lots of activity in the audit log that I do not understand ( example in image ) that is what I am asking help about :slight_smile:

The txt records starting with ca3 are used for certificate validation. Cloudflare need to confirm to the Certificate Authority that they are authorised to issue certs, and that is now it is done.

Visit and search for your domain names. See if any certs look wrong. It looks to me like you are issuing a Let’s Encrypt cert (possibly for your Origin), a cPanel cert for a mail server, and RSA and ECC certs for your Cloudflare account.

If you are concerned about Certificate mis-issuance, you should do two things.

  1. Create DNS CAA records.
  2. Subscribe to a Certificate Transparency Service. Cloudflare can do this, but with a lot of domains and a lot of certs it can get noisy. There are other tools available that can flag only those certs you don’t already know about.

Other than the TXT records, were there other things that make you think your account was compromised?

This topic was automatically closed after 30 days. New replies are no longer allowed.