URGENT security/privacy related bug without any response to my support tickets

What is the name of the domain?

see the ticket

What is the error message?

see the ticket

What is the issue you’re encountering?

Two unrelated companies on Cloudflare have linked billing so one company is getting charged for another company’s services. Changing billing info in one company updates the payment info for the other company, and there is no apparent way to unlink them.

What steps have you taken to resolve the issue?

I’ve been urgently emailing support and haven’t heard back for five days. The first response was a canned response by someone who obviously didn’t read anything I wrote.

I’m writing from the account that didn’t open the support ticket but that is being billed for the other company’s services.

I just got another bill for the other company tonight. One company can read invoices from the other company. The companies aren’t related. It’s a huge security and privacy issue.

I’m only bringing this up publicly after 5 days without a response, because I don’t know how else to get anyone’s attention.

Please see case number 01050855 for full details.

What are the steps to reproduce the issue?

See case number 01050855.

@cloonan I see that my post has been edited. Can I get some kind of confirmation that someone at Cloudflare is looking into this security issue quickly?

Two unrelated companies have access to each other’s billing data, and updating the billing information for one company updates the billing information for the other unrelated company.

Whichever company’s credit card is entered in either company gets charged for the unrelated company’s services.

One company is being sent invoices for the other company, leaking private business data.

I have the ability to manage both Cloudflare accounts, but I’m not the only person at these companies. I’m not sure if data has leaked across to other Cloudflare accounts that I’ve managed, because I don’t have access to all of them.

2 Likes

My colleague in Support has alerted the Billing Support team to investigate. I will add myself to the ticket to track progress.

2 Likes

Thank you.

1 Like

The person replying seems to think it’s a billing issue, but it is a security and privacy bug. I hope the right person is looking at it. The security/privacy team should be urgently looking at that right away to fix it and figure out how the data leakage between two separate companies happened in the first place.

Right now, people who are not me literally have unlimited access to bill my card with Cloudflare services and read private invoices from a separate company that they have no relation to.

It went to the Billing Engineering team as it’s related to invoices, that’s the team responsible for invoice creation.

I’m not sure if they are going to be able to solve it. One company has access to the other company’s private data.

How did two unrelated companies get linked in Cloudflare in the first place? I have never linked them (even if there is a way to do that), and there is no way for me to unlink them.

If I update the billing information in one company, the other unrelated company’s billing information gets updated.

This is billing data, but I’ve also been contacted by the sales department where they disclosed private data from one company to the other company that they were calling — a severe privacy violation which should be an impossibility in the system. (I have proof of this in an email thread, because I couldn’t believe it. I complained but it looks like nothing was done.)

Cloudflare should be urgently looking into how something like that could happen in the first place, because it may be happening to other customers without their knowledge.

It has been over 8 days since I reported this problem, and I still haven’t received any confirmation that anyone at Cloudflare has taken a serious look at this or even understands what I’ve been saying.

  • There is a critical security/privacy issue where data is being leaked between two different unrelated companies on Cloudflare.
  • One company is being billed for the other company, still continuing over the past 8 days since I’ve reported the issue.
  • Confidential data is being emailed to the unrelated company from one account.
  • These companies have never been linked (if there is even a way to do that), and there is no way for me to unlink them.

Can someone please urgently fix this? This is the worst security/privacy problem I’ve experienced in almost 25 years of doing this, and it’s incredible that no one at Cloudflare is responding.

Posting duplicate content in this topic will not accelerate the time required for the relevant specialists to investigate. Per the earlier response from Cloudflare staff, this issue is with the support team and you can expect a reply directly to your ticket when there is an update. Thank you for your understanding and your patience.

What kind of response is that to a data leakage bug? I’m being billed for another company’s services and confidential business information is being leaked between unrelated companies with serious consequences for me.

As far as I can tell, no one has investigated. No one from Cloudflare has said, “it’s very concerning that data from one company is being shared with another unrelated company. Please wait while we investigate.”

I’ve only received responses that suggest that the people replying haven’t read anything I wrote or at most just skimmed it.

If somehow this isn’t a bug, it should only take a moment to fix by flipping a switch. If this is a bug, the security/privacy teams should be on it immediately, because it might be affecting other Cloudflare customers. At minimum, the affected accounts should be quickly separated to avoid causing more damage while the problem is investigated.

1 Like

It has been 17 days since I opened this extremely urgent ticket, and I still haven’t received any response from Cloudflare that shows someone has seriously looked at the problem and understands what I’m saying. I’m completely baffled by the lack of response.

There are only two possibilities that I can think of, and both of them are extremely concerning:

  1. If somehow this isn’t a major security-related bug, it should only take a moment to fix it by flipping a switch to completely isolate the unrelated Cloudflare accounts from each other.
  2. If this is a bug, it’s a massive security/privacy hole in your system that might be affecting other Cloudflare customers, and the slowness in responding to it is very worrying.

Can someone from Cloudflare please look at this and separate the unrelated Cloudflare accounts today? Confidential data is being leaked between unrelated Cloudflare companies, with serious consequences for me.

@cloonan is there someone at Cloudflare that you could contact to find out why nothing is being done about it?

Hello,

We appreciate your patience. Please take a look at case 01050855 for updates from our internal team on this matter, as an update will be posted today by our team.

3 Likes

Thank you. It appears that the accounts are unlinked now.

1 Like