Strange domain added to my account bypassing 2 factor authentication

I received an email that a strange domain was added to my account. However, I have 2 factor authentication enabled and I am the only one with access to the account. If I look at the access logs, you can see where somebody added the domain and set it up, but there is strangely no record of them logging in. I have contacted Cloudflare support, but they have been no help and don’t seem concerned.

Can you post a screenshot of the respective entry in the audit log?

I marked where the entry should be for them logging in, but there is no entry.

What if you click the entry? Which IP is it?

The IP Address is for Dreamhost, where the site is hosted I am assuming.

So you don’t recognise that address? That could have been a VPN. The fact there is no login is a bit weird and could point towards a session re-use, but that is speculation.

At this point you best contact support and have them have a look at it.

No, I don’t recognize that address. It is strange and points to a clearly spammy domain. They somehow bypassed 2 factor auth, which is the main concern I have.

I did contact support and they didn’t seem concerned.

There is nothing the community can do. You can only reopen the ticket and ask for clarification.

That is why I asked a question in the community in the first place, as support was not really any help.

:wave: @apnm,

It’s possible that your API key was used to provision this domain using Cloudflare’s partner API. Given that the domain is in partial mode, that’s likely how it was provisioned… if you have/had a zone on Dreamhost and it was ever connected to Cloudflare, it’s possible that the account was compromised there.

Rotation of your API key may be in order; information about how/when your account was used on Dreamhost to provision a new domain would be held by Dreamhost.

I am afraid, as I said, that is an issue the community cannot look into or do anything about. You do depend on support here.

Such a request should accordingly be flagged with an “API” value as the interface in the audit log, which appears to be absent, though it should contain at least “UI”. However, it could explain the missing login.
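To make the two replies above concrete (a zone provisioned through an API key never passes through the 2FA-protected interactive login, and the audit log’s interface field is where that shows up), here is a small triage script. It is an added example, not Cloudflare’s code or anything from this thread: the entry shape (`when`, `action`, `interface`, `actor_ip`, `resource`) and the sample rows are constructed for illustration and must be mapped onto whatever your provider’s audit-log export actually looks like.

```python
"""Triage helper: flag zone-creation audit entries that were not preceded by an
interactive (UI) login from the same address, or that arrived via the API.

Added example, not Cloudflare's code. The field names and the sample rows are
constructed assumptions; adapt them to the real audit-log export.
"""
from datetime import datetime, timedelta

# Constructed sample audit log: one normal UI session and one API-only provisioning.
SAMPLE_LOG = [
    {"when": "2023-05-01T09:00:00Z", "action": "login",
     "interface": "UI", "actor_ip": "203.0.113.10", "resource": "account"},
    {"when": "2023-05-01T09:05:00Z", "action": "zone.create",
     "interface": "UI", "actor_ip": "203.0.113.10", "resource": "example.org"},
    {"when": "2023-05-02T03:14:00Z", "action": "zone.create",
     "interface": "API", "actor_ip": "198.51.100.7", "resource": "unexpected.example"},
    {"when": "2023-05-02T03:15:00Z", "action": "dns_record.create",
     "interface": "API", "actor_ip": "198.51.100.7", "resource": "unexpected.example"},
]

# How far back to look for a UI login from the same IP before a zone.create.
LOGIN_WINDOW = timedelta(hours=12)


def parse_when(stamp: str) -> datetime:
    """Parse the constructed ISO-8601 UTC timestamp used in SAMPLE_LOG."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def flag_unexpected_provisioning(entries, window: timedelta = LOGIN_WINDOW):
    """Return a list of findings for zone.create entries that look unexpected.

    A finding is raised when (a) no 'login' entry from the same actor_ip
    exists within `window` before the creation, and/or (b) the creation came
    through a non-UI interface, i.e. an API key or token rather than a
    2FA-protected browser session.
    """
    logins = [(parse_when(e["when"]), e["actor_ip"])
              for e in entries if e["action"] == "login"]
    findings = []
    for e in entries:
        if e["action"] != "zone.create":
            continue
        created_at = parse_when(e["when"])
        has_prior_login = any(
            ip == e["actor_ip"] and timedelta(0) <= created_at - login_at <= window
            for login_at, ip in logins
        )
        reasons = []
        if not has_prior_login:
            reasons.append("no interactive login from this IP in window")
        if e["interface"] != "UI":
            reasons.append(f"provisioned via {e['interface']} (credential, not a 2FA session)")
        if reasons:
            findings.append({"resource": e["resource"],
                             "actor_ip": e["actor_ip"],
                             "interface": e["interface"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in flag_unexpected_provisioning(SAMPLE_LOG):
        print(finding)
```

Any finding that cites the API interface is the signal the thread is after: the credential that did it (an API key, or a token held by a partner such as the hosting provider) needs rotating, and the provider side of the audit trail is where the "who and when" lives. A finding with no prior login but a UI interface would instead point at the session re-use the earlier reply speculated about.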

This is a good idea. I will look into this. Thank you.