Around March 20, my email, including my Cloudflare account, was compromised. I regained access to everything in March and I have restored my website 2 times now. But on April 29 I realized that in my account settings Cloudflare has API keys used to access Cloudflare APIs. I was not aware Cloudflare provides an API key, and I did not change the API keys after I regained access to my Cloudflare account. I changed both my Global API key and Origin CA key after realizing this on April 29. I have already opened a support ticket regarding my security concerns, but it has been 11 days, the ticket is still ongoing, and the response is incredibly slow; it's been almost a week and there's still no response. It is driving me crazy since this involves my website / server security concerns.
So I decided to post it on the forum here in hopes someone from Cloudflare can help ease my paranoia and concerns. I have extreme OCD and paranoia and I really hope someone can help me ease my concerns regarding this.
I have looked into the Audit logs and there were no logs of the unauthorized user viewing my Global API key. But in regard to the Origin CA Key in the API tokens: I realized that viewing the Global API key is tracked and shows up as activity in the Audit log, BUT when I view the Origin CA Key in the account API Tokens, it does not show up in the Audit logs. I tested it by viewing them myself; it does not get registered or tracked in the audit logs.
So right now I am concerned about whether the unauthorized user viewed and had access to my Origin CA API key during the period when I was still unaware of it, before I changed it on April 29.
As to my understanding (please correct me if I am wrong), the Origin CA Key in my API tokens can be used to create and revoke origin certificates through the API. Cloudflare support mentioned in my ticket that:
"If someone has your origin private key, they could theoretically set up host and point your site to it without raising any alarm with regard to the origin SSL. I would suggest revoking the existing SSL and configuring a new one on the origin server if you have a concern about this."
Is there any way to check and verify through logs if the above happened?
I don't have an origin certificate set up on my Cloudflare account or server. I am only using the Cloudflare Edge Certificate. I have provided a screenshot of my Cloudflare SSL configuration below.
I also tested and realized that whenever I create and revoke an origin certificate through the UI on Cloudflare, it is not tracked or shown in the Audit logs. Is there any way for me to know whether my Origin CA Key in my API tokens was used or not, and whether there is any history of origin certificates being created or revoked?