There were no other accounts that were accessed or altered. We manually reviewed all other password reset requests and DNS changes. We were able to revert the change to the customer's account. We have senior contacts at Google who we worked with in order to regain control of the Google Apps accounts (both my personal Gmail account and my account). We were aware of the incident immediately. At that point, the attacker was able to log into the customer's CloudFlare account and change DNS settings to temporarily redirect the site. The hacker was able to access this account in Google Apps and verify the password reset. We sent a copy of these requests to an administrative email account for debugging purposes and, ironically, to watch for invalid password reset requests. The hacker appears to have targeted a particular customer, and initiated a password reset request for the customer's account. Once the attacker had access to my email account, the hacker was able to access our Google Apps administrative panel. We are still working with Google to understand how the hacker was able to reset the password without providing a valid two-factor authentication token. Surprisingly, all accounts use two-factor authentication. The hacker was able to use Google's password recovery and have the password reset sent to my personal email for my address. When we first established 's email address, I listed my personal email address as a recovery email for my account. Like thousands of other companies, CloudFlare uses Google Apps for email. Those instructions were then used to reset my personal email this morning. Once the recovery email address was added, the hacker could then reinitiate the password recovery process and get reset instructions sent to the fraudulent email address. The password used on my personal Gmail account was 20+ characters long, highly random, and not used by me on any other services so it's unlikely it was dictionary attacked or guessed. We're not clear on how the process works, but it appears that weeks after the process was initiated, the hacker somehow convinced Google's account recovery systems to add a fraudulent recovery email address to my personal Gmail account. Google's procedure asks for a number of questions to attempt to verify account ownership. It appears an account request was sent to Gmail for my personal email address. This attack appears to have begun in mid-May. While we are still working with Google to investigate the details, we wanted to highlight it here to make people aware that they too may be vulnerable to similar attacks and provide a full accounting of what happened. The attack was the result a compromise of Google's account security procedures that allowed the hacker to eventually access to my email addresses, which runs on Google Apps. This morning a hacker was able to access a customer's account on CloudFlare and change that customer's DNS records.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |