I had a domain with a website. I deleted the website (hosting and A record) and removed the domain from CF. I kept the nameservers just in case I need to go back in the future. BIG MISTAKE! Sometime between June and July, someone added my domain to his account and created a redirect to his illegal website. Now Google results for my old website are filled with auto-generated text and URLs. Fortunately I discovered that and deleted the NS in my registrar, so every link is down now.
CF says that that’s not possible because when someone tries to add a domain that already has CF nameservers it requests to change them to another random pair.
I ask the CF security team to investigate the account that currently has the domain miniver.org. The nameservers were never changed: eva.ns.cloudflare.com & mark.ns.cloudflare.com
Besides that, how is it possible to add domains to my account that are not mine?
I searched Who.is and found a domain that has the same nameservers. I was able to add it to my account, although CF said that NS update was pending. I also was able to see the real IPs of that domain.
If your nameservers point to Cloudflare and the domain is not added to an account, that creates a security risk. It is not “easy to hack Cloudflare accounts”; this is not an account compromise. It is never safe to point a domain to nameservers that you do not control. If you remove the domain from your account, you no longer control them.
If your domain is active in an account with a nameserver pair, that pair will not be assigned to anyone else trying to add the same domain because you control it. As soon as you remove the domain, you no longer control that.
You can add any domain; it does not mean that it will become active in your account. If it’s active on another account, you will be assigned a different nameserver pair to get it working on your own.
Can anyone explain why these hacked domains have different NS in the registrar from those assigned by CF?
intodns.com/persianup.com persianup.com, oynabet30.com, prosportsaddicts.com (just to mention a few)
You can see a pattern: abandoned domains with Cloudflare nameservers that redirect to other websites. Also they have thousands of indexed pages with spun text.
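The condition described in the reply above (a domain still delegated to Cloudflare nameservers after it has been removed from the account) can be audited across a domain inventory. This is an added example, not part of the thread: the function names, the `example.*` domains and the `alpha`/`beta`/`gamma` nameserver hostnames are constructed, and the registrar and account data are assumed to have been exported beforehand.

```python
# Added example: audit a domain inventory for dangling provider delegations.
# All domains and nameserver hostnames below are constructed sample data.

PROVIDER_SUFFIX = ".ns.cloudflare.com"  # suffix of the nameservers quoted in the thread


def norm(host):
    """Lower-case a hostname and drop the trailing root dot."""
    return host.strip().lower().rstrip(".")


def classify(domain, registrar_ns, account_zones):
    """Return 'external', 'ok', 'mismatch' or 'dangling' for one domain.

    registrar_ns  -- NS hostnames set at the registrar (the delegation)
    account_zones -- {domain: assigned NS pair} for zones active in YOUR account
    """
    delegated = {norm(ns) for ns in registrar_ns}
    if not any(ns.endswith(PROVIDER_SUFFIX) for ns in delegated):
        return "external"   # not delegated to the provider at all
    assigned = account_zones.get(norm(domain))
    if assigned is None:
        return "dangling"   # delegated to the provider, zone not in our account
    if delegated != {norm(ns) for ns in assigned}:
        return "mismatch"   # registrar NS differ from the pair assigned to us
    return "ok"


def audit(inventory, account_zones):
    """Return only the domains that need action, with their classification."""
    results = {d: classify(d, ns, account_zones) for d, ns in inventory.items()}
    return {d: r for d, r in results.items() if r in ("dangling", "mismatch")}


# Constructed sample data
ACCOUNT_ZONES = {
    "example.com": ["alpha.ns.cloudflare.com", "beta.ns.cloudflare.com"],
    "example.net": ["alpha.ns.cloudflare.com", "beta.ns.cloudflare.com"],
}
INVENTORY = {
    "example.com": ["ALPHA.ns.cloudflare.com.", "beta.ns.cloudflare.com."],
    "example.net": ["alpha.ns.cloudflare.com", "gamma.ns.cloudflare.com"],
    "example.org": ["alpha.ns.cloudflare.com", "beta.ns.cloudflare.com"],
    "example.edu": ["ns1.example-dns.test", "ns2.example-dns.test"],
}

if __name__ == "__main__":
    for domain, status in sorted(audit(INVENTORY, ACCOUNT_ZONES).items()):
        print(f"{domain}: {status}")
```

A `dangling` result is the case from the thread: the delegation at the registrar should be removed or repointed before, not after, the zone is deleted from the account.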