Matthew Prince provides more details on the latest incident

Jun 4, 2012 06:53 GMT

There has been some controversy surrounding the data breach that affected CloudFlare last week, especially since the hackers’ statement doesn’t quite match that of the website’s CEO and co-founder, Matthew Prince. To clarify things further, Prince contacted us and provided additional details.

“While we do not want to downplay the significance of the incident, we're confident that the breach was contained to the Google Apps email system and the hacker did not access any CloudFlare servers,” he explained.

“We have worked with Google's security team to help them close an account reclamation vulnerability that allowed the hacker to bypass Google's two-factor authentication system.”

The CEO states that the user account breached by the hackers belongs to Chris Poole, the owner of 4chan, another site recently targeted by the controversial UGNazi.

Apparently, by gaining access to Poole’s account, the hackers were able to disrupt 4chan.org for a short period of time, as we reported last week.

“I have 100% confidence in CloudFlare's security, believe this was an isolated incident and that CloudFlare dealt with it swiftly and professionally,” Poole said after the incident.

Prince explained to Softpedia that the hackers would have been able to gain access to the data they mentioned, including customer IP addresses, payment methods, and email addresses used for signup. However, they could have accessed this information without breaching the “main server” and the website’s database.

“While the hacker had access to my email they would have been able to reset passwords on accounts as we previously sent a copy of password reset emails to certain administrators. We have eliminated this practice in case our Google Apps account is compromised in the future.”

One important point highlighted by CloudFlare’s co-founder is that UGNazi could not have obtained credit card numbers or user account passwords. The credit card details are not stored on the company’s servers and they’re never sent via email.

As far as the passwords are concerned, they were hashed, each with a unique salt. Also, similar to the credit card details, they were never sent to customers via email.

“In some cases, the hacker may have had access to API keys associated with customer accounts. As a precaution, yesterday we reset all the API keys for customers that had previously generated them,” Prince concluded.

Now comes the even more interesting part. According to the latest update posted on the CloudFlare blog, the co-founder claims that AT&T may have been compromised, possibly through social engineering of the company’s support staff, and that this was the first event that triggered the entire incident.

In this case, if the attacker is in possession of the victim’s phone number and the number is associated with the Google account for recovery, the PIN is the only data that stands between the hacker and the account.

However, by relying on social engineering, the hackers could have bypassed the security measures enforced by the PIN.

CloudFlare is currently working with AT&T on clarifying the issue.