Generic filters
Exact matches only
Search in title
Search in content
Filter by Custom Post Type
Filter by Categories

Cloudflare’s Okta-Linked Security Breach

Executive Summary

Cloudflare, a prominent web infrastructure company, recently disclosed that a likely nation-state cyberattack targeted the company. During this security breach, attackers used stolen credentials to gain unauthorised access to Cloudflare’s Atlassian server. As a result, they were able to access sensitive documentation and a limited portion of the source code.

Cloudflare acknowledged that the breach was a result of their failure to promptly rotate the compromised credentials obtained from the earlier Okta breach. However, they also stated that the operational impact of the breach was minimal.

This incident highlights the importance of timely credential rotation and robust security measures in the face of an ever-evolving cyber threat landscape.

What Happened

In late 2023, Cloudflare faced a major security breach when malicious actors gained unauthorised access to the company’s systems. These attackers exploited credentials compromised during an earlier breach of Okta’s support case management system in October 2023.

The attackers initiated their intrusion on November 22, initially gaining access to Cloudflare’s Atlassian server. Subsequently, they established persistent access using ScriptRunner for Jira. They also managed to penetrate Cloudflare’s source code management system, which relies on Atlassian Bitbucket.

Cloudflare detected the breach after the attackers had already infiltrated its infrastructure.


Despite the severity of the breach, Cloudflare reported that its operational impact was “extremely limited.”

The attackers were able to access some documentation and a limited amount of source code. However, the company’s services, network, and configurations remained unaffected. Nevertheless, the attackers reportedly had a specific interest in Cloudflare’s network architecture, security protocols, and management systems.

Root Cause

The breach can be attributed to Cloudflare’s failure to promptly rotate the compromised credentials obtained from the earlier Okta breach. The assumption that these credentials were unused turned out to be a costly oversight.

These credentials included one access token and three service account credentials associated with Amazon Web Services, Bitbucket, Moveworks, and Smartsheet.


Upon discovering the breach on November 23, Cloudflare initiated a response plan, which included the following measures:

  • Rotation of over 5,000 production credentials to revoke unauthorised access.
  • Isolation of test and staging systems to prevent any further compromise.
  • Forensic examination of nearly 5,000 systems to identify the extent of the breach.
  • Refreshing all affected systems, including Atlassian servers and those accessed by the attackers.
  • Ensuring the security of the affected data centre by returning equipment to manufacturers for thorough checks.

In addition to these measures, Cloudflare engaged the services of cybersecurity firm CrowdStrike to perform an independent assessment of the incident. CrowdStrike’s involvement added an extra layer of expertise to the investigation and remediation efforts.



Cubic Lighthouse is a cybersecurity publication dedicated to demystifying security, making news actionable, providing deeper thinking about the fundamentals of security, and providing decision-makers and the community at large with the right information to make the right decisions. We will also feature more technical articles and provide personal/family security advice.

©2024 Cubic Consulting, a Smart Security Company for your Business – All Rights Reserved.