User email addresses are leaking between Cloudflare accounts.
When defining a catch-all address on the Email Routing page, the system suggests previously unknown email addresses as the Destination address.
I initially presumed I had been hacked but now believe this is a leak of user data between Cloudflare accounts.
Today I am creating catch-alls for hundreds of domains. These unknown email addresses appear about 50% of the time.
Most of these addresses are Gmail, Hotmail, etc. but, occasionally, there is a private domain and, in every such case, that domain uses Cloudflare DNS. This suggests that I am seeing the email addresses of other Cloudflare users. I presume that, in turn, my email address is also being leaked to other users.
There is a theoretical risk that, knowing the specific email addresses associated with Cloudflare accounts, a bad actor could use that knowledge to target them.
My main concern, however, is that if my email address is leaked to other users, they could jump to my initial conclusion that it is a hack and possibly file a complaint with my email provider. That could get complicated but, overall, I consider the risks of this leak to be low. It just reflects poorly upon Cloudflare.
I am posting this here because the support ticket process is too user-hostile and I no longer have the patience to chase Cloudflare to fix problems that affect them more than me. Been there, done that, didn’t get the t-shirt.
If other users are seeing the same leak, please add your voice here so that Cloudflare can become aware that there is a problem. That is the fastest way to get the leak fixed.