A suspicious email from Cloudflare

Posted September 23, 2021

I received an email from Cloudflare today about an account that had been created with my email address. Going by the details and the headers, it certainly seemed to have originated from Cloudflare. It looked like someone else had signed up with my details.

An email from Cloudflare with an account verification link reading “Hi. To complete your sign up, please verify your email. Thank you, Cloudflare Team”

Now, it’s worth noting that I do already use Cloudflare to manage this website. The email address I use for that account is hosted separately though, otherwise I’m one DNS mistake away from making my inbox unreachable!

A bit of investigating online later, and it looks like this certainly is malicious behaviour.

Going by this Twitter thread, it seems unverified accounts are able to provision API credentials. Unlike an authenticated browser session, these credentials persist even when you reset an account’s password.

If a target went through the reset flow to gain control of the account created in their name, the attacker would still have near-complete account access with existing API credentials. These would continue to persist until deleted from the account.

I’m not sure why an attacker would target me, but I assume they just got my email as part of a list. Fortunately, it’s straightforward to reset the account’s password (without verifying the email address) and request the account be deleted.

Thanks for reading!

Niko from the video game OneShot

I’m a developer with a passion for web development and automation!

I use this blog to write about my interests. They’re usually tech-related, but there’s also the odd music and gaming piece too.

If you’re wondering, this is Niko from the game OneShot. You should play OneShot.

← A good start for October

Backing up and restoring a self-hosted Plausible instance →