Cloudflare is a web security and performance service. Its whole purpose is to make your site safer, faster and more efficient, using a webmaster crowd-sourcing methodology. That’s why it was so ironic that it got hacked last week.
In the interest of transparency, and in the spirit of the service itself, Cloudflare explained exactly what happened and how a series of rather unrelated services were exploited resulting in the attack.
And it was a crazy set of circumstances, as Cloudflare explained on the company blog, that came together for a hack. Just to show that anything can happen, consider the entire episode: it started with a phone company network vulnerability, continued with a Gmail account recovery PIN problem, moved on to a Google Apps flaw that let the hacker bypass two-factor authentication, and finally, with all those defenses down, the hacker relied on Cloudflare’s ability to send out transactional emails using BCC.
And there you have it folks. Just that easy. Just that quick. Just a few simple steps and the hacker was waltzing around inside Cloudflare’s systems.
It’s a bit mind-boggling, actually, that anyone would go to all this trouble just to disrupt what is a very useful service. As the Cloudflare introductory video points out, its service gives smaller businesses the kinds of functionality that are typically only available to big companies with deep pockets.
What could possibly motivate someone to go to all this trouble to take down a valuable service? Apparently because we have a lot of bored hackers out there whose talents could probably be put to better use than mucking about in other people’s systems. Unfortunately, solving puzzles like finding a series of unrelated exploits seems more fun, I guess.
All that aside though, it shows just how vulnerable every site is to attack (as the Cloudflare introductory video clearly points out). Just yesterday came news that LinkedIn had been attacked and passwords stolen. LinkedIn does not appear to have been quite as forthcoming as Cloudflare.
At first, it wouldn’t confirm the attack, then later admitted that it had been attacked and that some passwords had been stolen. Something clearly happened, and unlike Cloudflare, LinkedIn isn’t being completely open about what it was (although they might not know yet).
That’s the typical response to a hack: circle the wagons. But it’s much better to be upfront with your users and let them know what went wrong. As we’ve seen, this can happen to anyone at any time.
These hackers are clearly relentless, clever and resourceful, and they find ways into systems most of us couldn’t even dream of. Until the hackers back off, and that doesn’t seem to be happening anytime soon, secure your sites as best you can and hold on.
And when an attack happens, fess up, clean up and move on.