Someone adding CF Apps even 2FA - Hack?

bhajandiary · January 12, 2023, 2:53am

Hello,

Yesterday my CF account was hacked as someone changed the email and password.
Fortunately I was able to recover and enabled 2FA yesterday. Hacker added html Js redirect through the ‘Apps’ available on CF. I deleted them yesterday.

But today also I see the same problem that my website traffic is being redirected to the other domain. And the method was same an App was created in CF Apps.
My question - How it is possible? does any one still have access to my cf account even I have changed my pass and enabled 2FA?

How to resolve this please guys help me.
Thanks,

Cyb3r-Jak3 · January 12, 2023, 3:20am

I would check for API tokens. You should also review your audit log https://dash.cloudflare.com/?to=/:account/audit-log

bhajandiary · January 12, 2023, 3:45am

Hi, I can see the logs, but what should I do? I am not sure how to stop this.

freitasm · January 12, 2023, 11:38pm

As above. If the hacker got an API token then you will need to roll/delete any existing/unknown token or change global ones:

bhajandiary · January 13, 2023, 3:07am

Thanks Freitasm, there were no tokens available, I have now changed the global one. Lets see.

system · January 16, 2023, 3:08am

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.