Someone keeps registering for Cloudflare using my email addresses

Hi Community!

In the last week, I’ve received two “[Cloudflare]: Please verify your email address” emails from Cloudflare to different emails at my company; however, I don’t use Cloudflare and didn’t sign up to it.

A few days ago I received one to: [companyname]@gmail.com (a gmail address that I don’t use but which I registered a while ago, just to reserve it). This morning I received one to [email protected][companyname.com].

The emails look legitimate and the activate links do go to Cloudflare.

In the first case, I didn’t click any links, went to Cloudflare directly, performed a password reset and took control of the account. I’m about to do the same for the [email protected] account, but I want to know why someone is doing this.

Is there some kind of early stage attack under way? Are they probing for something? Why is someone doing this?

I contacted Cloudflare’s support email but haven’t heard back yet. When I received the second account attempt this morning I thought I’d reach out to the community and see if anyone has experienced this before. I can write one off as a mistake, but when it happens again it seems that someone is doing this intentionally.

Do you have any thoughts or suggestions?

Thanks

Fred

The same thing happens to me at various email addresses of mine. Some people just have no clue as to what their actual email address is.

There’s nothing Cloudflare can do about people who do stuff like this.

Mark such emails as spam and forget. Who & Why cannot be found easily, but the best thing you can do is refrain from clicking such links. It could be some kind of email-based hack or a typo error.

Just a datapoint that this happened to me yesterday. I took control of the account today.

What I noticed in the CF audit log:

  • Signup was from an IP address in Kyiv, Ukraine
  • Within 30 seconds an API key was created
  • No other activity was in the audit log until I took control.

If this happens to anyone else, make sure you reset your password, enable MFA, and be sure to remove any API tokens and remove/reset any API keys that were created.

That’s interesting. As it’s been a while, I wonder if an account would go live without email verification.

The exact same thing just happened with me, with an IP address from Brazil.

I asked for a password reset and requested to delete the account. It’s weird.

Had the exact same thing happen to me this afternoon.

Received a verification e-mail request out of nowhere, examined all the e-mail headers and links to make sure it was safe.

Logged into the account, enabled 2FA, checked out audit log to see that a key had been created, viewed and rotated.

Deleted the account for now, but wonder if this is a new type of attack on CF.

Same thing happened to me, first thing I saw yesterday was a Cloudflare verification email to confirm my account, when I hadn’t created an account. The IP address in the audit log is apparently from Taiwan. They created an API key, viewed it and logged out.

If the API key doesn’t give them anything, maybe they’re trying to find security flaws in the API key.

API Key is an easy way to automate adding features to the account. Just about everything one does from the dashboard.

So if they can set up an account, they can configure malicious scripts to add domains, and even content via Pages and Workers.

I’m marking an early response as a Solution and closing this topic, as there’s nothing more to do when this happens.

Hello,

yesterday something similar to this post happened to me:

I initially dismissed the email, seeing it as some rando trying to create an account with my email. Since this was somewhat bothering to me, I tried creating an account on my own, but since the account creation was already in process, I had to reset the password to the newly created – not verified – account.

As I logged in, I enabled MFA via app and checked the logs.

I immediately changed the Global API Key and Origin CA Key. There were no API Tokens, or at least there aren’t any now.

Is it something I/we need to worry about? Does this mean that randos can get a permanent key on an account before its verification? Seems like a security hole, I hope I fixed it on my side.

I had the same thing happen and went through the same steps to reset my password, enable two factor auth, and changed my API keys. I’m curious though… if I had verified my email, what could someone have done with my account / DNS records?

I guess nothing, unless you eventually start using the account without resetting the keys. In that case they have access. But I don’t know, input from Cloudflare would be great.

@mcdado did this happen with the same account you are using here? I can investigate. If not, I’ll reach out to you for more details.

Yes, same login.

Same thing happened to me. I’ve now taken ownership of the account and rotated the keys but it’d be nice to somehow verify that there isn’t any other malicious configuration present.

Off the top of my head, I’d say to make sure there are no domains on the account. Then I’d check Workers and Pages to make sure nothing’s there. Beyond that, I can’t think of anything else they’d be able to do with a fraudulent account.

@cloonan I’m also getting multiple reports of this happening to users in organizations that did not have Cloudflare accounts tied to their email address. Ideally, Cloudflare would not finish the user/account creation until after they validate the email as a simple barrier to entry (unless of course they have also compromised the user’s email). Is this something Cloudflare has considered implementing? It’s already the case here in the community forums, which I wouldn’t consider nearly as important as the core Cloudflare platform. Barring that, is there a way to report all the users/accounts/emails this is happening for to Cloudflare so some action could possibly be taken to prevent future bogus/phantom signups?

I noticed an email in my spam folder from a few days ago asking for me to confirm my email address, however I did not create an account using that email address. The IP address in the audit log showed it as being from somewhere in Mexico, so it definitely wasn’t something I did unknowingly.

Cloudflare is a tool I would probably use in the future, so I went ahead and reset the password, rotated the Global API key and Origin CA key, and set up 2FA. The audit log only shows four events from the day the account was created: Signup, API Key created, API Key view, and Rotate API key (in that order). Finally, my session is the only session listed in the active devices and sessions list.

I glanced over the dashboard and:

  • There are no websites on my account
  • I am the only member
  • There is no billing info, billable usage, or subscriptions
  • I see no custom pages or lists
  • No notifications
  • No registrar activity

So my question is: Is there anything else less obvious I should check to ensure my account is secure and isn’t being used maliciously? Is there anything outside of the main dashboard and my account profile that I should check to ensure there aren’t any weird configurations set? Is there anything else I should pay attention to in terms of reasons someone may have used my email for creating an account?
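A triage check for the audit-log pattern reported in this thread (signup, then API key events within seconds, from an IP the owner does not recognise), added here as an example and not part of any post or of Cloudflare's tooling. The entries are constructed, and the field names and action-type strings are assumptions to be mapped onto whatever your exported audit log actually uses.

```python
from datetime import datetime, timedelta

# Assumed action-type labels, modelled on the event names quoted in the thread.
KEY_EVENTS = {"api_key_created", "api_key_view", "rotate_api_key"}

# Constructed sample export: a phantom signup, then the owner's takeover a week later.
SAMPLE_LOG = [
    {"when": "2024-01-22T09:14:02Z", "action": {"type": "signup"}, "actor": {"ip": "203.0.113.7"}},
    {"when": "2024-01-22T09:14:25Z", "action": {"type": "api_key_created"}, "actor": {"ip": "203.0.113.7"}},
    {"when": "2024-01-22T09:14:31Z", "action": {"type": "api_key_view"}, "actor": {"ip": "203.0.113.7"}},
    {"when": "2024-01-22T09:14:40Z", "action": {"type": "rotate_api_key"}, "actor": {"ip": "203.0.113.7"}},
    {"when": "2024-01-29T18:02:11Z", "action": {"type": "password_reset"}, "actor": {"ip": "198.51.100.20"}},
    {"when": "2024-01-29T18:05:40Z", "action": {"type": "rotate_api_key"}, "actor": {"ip": "198.51.100.20"}},
]

def _ts(entry):
    return datetime.strptime(entry["when"], "%Y-%m-%dT%H:%M:%SZ")

def triage(entries, owner_ips, window=timedelta(seconds=60)):
    """Summarise who touched the API key, how soon after signup, and whether
    the owner has rotated it since the last touch from an unknown IP."""
    entries = sorted(entries, key=_ts)
    signup = next((e for e in entries if e["action"]["type"] == "signup"), None)
    fast, foreign_ips = [], set()
    last_foreign_key = last_owner_rotate = None
    for e in entries:
        kind, ip = e["action"]["type"], e["actor"]["ip"]
        foreign = ip not in owner_ips
        if foreign:
            foreign_ips.add(ip)
        if kind not in KEY_EVENTS:
            continue
        # Key activity seconds after signup suggests a scripted registration.
        if signup is not None and timedelta(0) <= _ts(e) - _ts(signup) <= window:
            fast.append(kind)
        if foreign:
            last_foreign_key = _ts(e)
        elif kind == "rotate_api_key":
            last_owner_rotate = _ts(e)
    # A key seen by someone else stays usable until the owner rotates it afterwards.
    needs_rotation = last_foreign_key is not None and (
        last_owner_rotate is None or last_owner_rotate < last_foreign_key)
    return {"signup_ip": signup["actor"]["ip"] if signup else None,
            "fast_key_events": fast,
            "foreign_ips": sorted(foreign_ips),
            "needs_rotation": needs_rotation}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG, owner_ips={"198.51.100.20"}))
```

A `needs_rotation` of `True` means the last key event from an unrecognised IP has not been followed by a rotation from one of your own addresses, which is the state several posters were in before they took over the account.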

I hadn’t checked my email in a week, my account was created on the 22nd. According to the audit logs, the account was made from the Dominican Republic and a key was viewed.

Given the number of recent reports, I think it’s likely going off numbers and hoping someone hits verify.