The company said no customer data was affected, even though attackers used authentication tokens stolen in October’s Okta breach to gain access to Cloudflare’s Atlassian servers.
Cloudflare announced Thursday that attackers used authentication tokens stolen during a breach of Okta’s support systems last fall to access its Atlassian servers in November, but that no customer data was affected.
The company disclosed the incident in a post signed by Cloudflare co-founder and CEO Matthew Prince, CTO John Graham-Cumming, and Chief Security Officer Grant Bourzikas.
“While we understand the operational impact of this incident to be very limited, the attackers used stolen credentials to access our Atlassian servers and retrieve some documents and a limited amount of source code. Because of the access to source code, we took this incident very seriously,” Cloudflare said in the post.
Cloudflare said in October 2023 that it had notified Okta of the identity platform provider’s breach first, rather than the other way around. The breach affected data and credentials belonging to some customers who were using Okta’s support case management system, including Cloudflare.
However, in Cloudflare’s case, the threat actors behind the breach “just began targeting our systems using credentials from the Okta compromise in mid-November,” the company said.
On November 23, which was Thanksgiving in the United States, a threat actor was detected on Cloudflare’s self-hosted Atlassian servers, Cloudflare executives said in the post.
Cloudflare said its security team cut off the attacker’s access and began investigating the incident with the help of CrowdStrike’s forensics team. The investigation was completed on Wednesday and showed that “no Cloudflare customer data or systems were impacted by this event,” the company said.
The threat actor had established persistent access to Cloudflare’s Atlassian servers, as well as access to the company’s source code control system, the vendor acknowledged.
“They did this using one access token and three service account credentials that were obtained after the October 2023 Okta breach and that we failed to rotate,” Cloudflare executives said. “All threat actor access and connectivity was terminated on November 24th, and CrowdStrike confirmed that the last evidence of threat activity was on November 24th at 10:44 UTC.”
In the end, “we were the victim of a [second] compromise of Okta’s systems, which resulted in threat actors gaining access to a set of credentials,” Cloudflare executives said in the post, referring to a previous Okta breach in early 2022 that also affected the company.
CRN has reached out to Okta for comment.
Cloudflare said the credentials “were all scheduled to be rotated.” “Unfortunately, of the credentials leaked during the Okta breach, one service token (out of thousands) and three service accounts were not rotated.”
Cloudflare attributed the November incident to “a nation-state actor intent on gaining persistent and pervasive access to Cloudflare’s global network.”
The company previously revealed that the Okta breach last fall also saw the names and emails of all support customers stolen. Okta responded with a number of promises, including a promise to delay product and feature releases for 90 days to focus on security.