This morning I saw someone created a Cloudflare account on my business address, logged in and created API tokens.
I used “forgot my password” to gain access, set up MFA, trashed those API tokens and made sure my mailbox wasn’t compromised. It did give me a scare.
It’s exactly like “Someone keeps registering for cloudflare using my email addresses”, but that’s closed as nothing could be done against it.
However, there is a huge difference between someone creating an account by accident on an incorrect email address, where you would just get a sign-up email for it, versus when someone can use your email address to register and apparently log in to create API tokens. That’s not a mistake, that’s a hack attempt. I don’t know what you can do with that on an empty account, but if you never notice those illegal API tokens before you start using Cloudflare, they can control your things using the API, which is a huge risk.
So Cloudflare can and really should do something about this. Email validation should be mandatory before an account gets created at all.