Someone else can create an account and API token on your email address

This morning I saw someone created a Cloudfare account on my business address, logged in and created API tokens.
I used forgot my password to gain access, setup MFA, trash those API tokens and made sure my mailbox wasn’t compromised. It did give me a scare.

It’s exactly like Someone keeps registering for cloudflare using my email addresses but that’s closed as nothing could be done against it.
However there is a huge difference between someone creating an account on accident on a incorrect email address and you would just get a sign up email for it against when someone can use your email address to register and apparently login to create API token. That’s not a mistake, that’s an hack attempt. I don’t know what you can do with that on an empty account, but if you never notice those illegal API tokens before you start using Cloudfare they can control your things using the API, which is a huge risk.

So Cloudfare can and really should do something about this. Email validation should be mandatory before an account gets created at all.

1 Like

I am here because two people in our company have received this email, me being one of them.

I think the angle the attackers are going for here is to create the account and add the API keys, and then wait and hope that the email owner clicks that verification link. If they do, then those API keys can be used to make API calls and carry out malicious activity.

If you get this email, and if you click that link, immediately reset the password and change the API Keys on the account.

CloudFlare, FIX THIS NOW. This is a bug in your system. The account should not be active until the user is verified. This is a serious security issue that is obviously a viable attack metric as it is being used more and more by attackers.


My account was created on Sept. 25th, and the Audit Log showed that the attacker rotated and viewed the keys.

My colleagues account was created on Sept. 27th, and his Audit Log showed that the attacker did not rotate or view the keys. He was not able to view or rotate the API Keys because his email was still unverified.

I take this to mean that the CloudFlare system was patched some time between 25th and 27th to stop unverified accounts accessing the API Keys.

Is this the case?

For me it happened on Sept 26th. But there was quite some time between the account creation (8:40 local time) and the API key creation (22:06 local time). So perhaps your colleague was quick enough before the API keys were created. For me it was on a Sunday so I didn’t see both emails before Monday.

For me, the events happened in quick succession:

Signup: 2021-09-25T11:21:51+01:00
API Key view: 2021-09-25T11:24:45+01:00
Rotate API Key: 2021-09-25T11:24:45+01:00
API Key Rotated: 2021-09-25T11:24:46+01:00

The IP Address used is from UAE, but I assume the attacker was using a VPN. The IP Address from my colleagues Audit Log was from Brazil.

I got the following in reply to a ticket we logged on this subject:

Our engineering team has confirmed that they will make changes to the sign up process based on the recent increase of unrecognized sign up reports.

Thank you Cloudflare!

1 Like

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.