I am assessing Cloudflare teams for my use case. I created a team on March 21st with team domain named foo.cloudflareaccess.com (using ‘foo’ to hide the real name here). So I signed up on https://foo.cloudflareaccess.com using my email ID and I got an email to log in to the application. I also signed up to the same team on the 22.214.171.124 app on my phone. Everything was fine until March 24th - when I logged into my Cloudflare account (which has 2FA set up, btw), I saw two random users under My Team >> Users. I do not know who those users are, nor do I recognize their email IDs. I don’t know how they found out about my team domain and how they were able to sign up. I tried revoking their access, the API call said it was successful, but those users are still there!
Am I missing something in setting up Cloudflare? My goal is to set up a Cloudflare Gateway account to block malware as described in this article: How I over-engineered my home network for privacy and security | Ben Balter
Am I opening my account to some security issues with the way I set up my Cloudflare Team account?
Side notes: At first, when I created a Cloudflare teams account, I used foo123 as the domain name and then changed it to foo later.
I do see foo.cloudflareaccess.com/warp under the Application URL column under My Team >> Users >> View (next to my user ID) for the user ID I signed up with.