Member access hacked

So I have - or at least up until recently, had - member access to several other Cloudflare accounts through my own account.

Long story short some of these members reported their sites being redirected and it turns out someone had gained access to my account and in turn updated DNS of any other accounts I has access to.

Since then I updated my PW and added 2FA, plus logged out of any sessions.

Today same thing happened again. I have changed both my Global and Origin API keys just incase, and removed any APIs I had created. I do not see any suspicious login sessions but it’s clear someone has or had access to my account. Luckily it’s just a case of swapping and A record back but I just want to be sure the person is out.

Do you think they were doing this using my API key? If they had my password then this would have been easy to retrieve, but now that it has been reset is that enough?

Thanks for any help/advice.

It is very likely this was done using either your API Key or an API Token. If you have deleted any Tokens and renewed the API Key, that sounds good.

I would also recommend checking the affected accounts for any Redirects (Bulk Redirects, Page Rules, Redirect Rules).

1 Like

Nothing has changed.

Ok, thanks for letting me know.

Thanks. I realised I could check the audit log and I could see the dns change in there. Next to ‘Interface’ it said API, so that’s definitely how they were doing it. Having done the above that should hopefully be the end of it!

Thank you

2 Likes

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.