CloudFlare boss’s Gmail hacked in redirect attack on 4Chan

CloudFlare says only one customer affected; hackers say many more are and details will be sold.

Content distribution network CloudFlare reset all its customer API keys over the weekend after its CEO’s personal and corporate Gmail was breached in an “elaborate” attack on one customer, which appears to have been the 4Chan message board.

According to CloudFlare CEO Matthew Prince, "a hacker" last Friday exploited a “subtle flaw” in Google App’s Gmail password recovery process, allowing them to break into his personal account, breach his Gmail address, bypass Gmail’s two-factor authentication (TFA), and redirect one customer’s website.

UGNazi, the hacker group that claimed credit for the huge breach at billing software provider WHMCS, has also laid claim to the attack on CloudFlare, according to a report by <i>Softpedia</i>.

Prince said on Saturday Google confirmed there was a “subtle flaw affecting not 2-step verification itself, but the account recovery flow for some accounts.” Google said it had now blocked that attack vector.

Prince did not use Gmail’s TFA for his personal account, however, the company did for all its Gmail accounts. Prior to Google’s confirmation, Prince was alarmed that TFA didn’t prevent’s accounts becoming compromised since it “should have prevented this attack, even if the attacker had the password.”

It’s unclear from Prince's explanation how the attacker "somehow convinced Google's account recovery systems to add a fraudulent recovery email address to my personal Gmail account", however once it was compromised he said the attacker was able to use the password recovery feature for his Gmail account to access his corporate email.

Prince said that no customer credit card details were exposed since those details never pass through its servers but go straight to a billing provider, and that “it appears” the attacker had not accessed its core database or seen additional client data.

However, a claim was made on the Twitter account of UGNazi member Cosmo that UGNazi had "gained full access into Cloudflare's server and obtained the database", in a post flagging that 4Chan was redirected to the UGNazi Twitter account.

Cosmo also told Softpedia that UGNazi did access CloudFlare's main server, could see all customer account information, including names, payment methods, user IDs, and had access to reset any account on CloudFlare. The hackers said they planned on selling the information on Darkode.

Cosmo also said Prince's explanation that the attacker "convinced" Google's account recovery, was bogus, adding that there was "no way you could social engineer a Google App."

On Saturday Prince said CloudFlare found that some customer API keys were present in the “email accounts that were compromised”, which was why it reset all API keys for things such as CloudFlare WordPress plugin.

“In order to ensure they could not be used as an attack vector, we reset all customer API keys and disabled the process that would previously email them in certain cases to CloudFlare administrator accounts,” said Prince.

Despite the “troubling” realisation that Gmail’s two-factor authentication failed to prevent the attack when it should have, Prince urged others to use it and said he has since turned the feature on for his personal account.

Also, even though the password reset process was used to compromise Prince’s 20+ character, unique and randomised password, he encouraged others to use an “extremely strong” password for email and to “change any password recovery email to an account that you do not use for anything else and cannot easily be guessed by a determined hacker.”

Follow @CSO_Australia and sign up to the CSO Australia newsletter.

Join the CSO newsletter!

Error: Please check your email address.

More about etworkGoogle

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Liam Tung

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts