CloudFlare e-mail accounts are hacked. A flaw in Google Apps/Gmail 2-Step Verification?

On the morning of July 1, a hacker gained access to the e-mail account of a CloudFlare customer and modified that customer's DNS records. The attack gave the hacker access to the company's e-mail addresses, which run on the Google Apps environment. While Google was investigating the details, CloudFlare immediately alerted everyone about what had happened.

What stands out most about this incident is that the hacker was able to bypass the 2-Step Verification feature (2-Step Authentication), reset the administrative account's password and, finally, access the Google Apps admin panel.

The attack itself was used to gain access to the account of one CloudFlare customer; as a precaution, the company reset all customer API keys and notified everyone, as you can read below:

Dear xxxxxxxx:

On Friday, June 2, 2012 CloudFlare’s email system was targeted by a hacker. CloudFlare uses Google Apps for Business to manage its corporate email. Through a flaw in the Google Apps account security process, involving their system to recover lost accounts, the hacker was able to briefly access the contents of some CloudFlare employee email accounts. It is our policy to be transparent about incidents like this, so you can read a full writeup of the incident on our blog:

We have conducted an audit of all our systems. We have not uncovered any evidence that the hacker was able to obtain CloudFlare’s core systems or access our database. We have also been assured by Google that they have discovered and patched the flaw in their systems that allowed this attack. That said, we still consider this a serious incident. The email accounts that were accessed contain copies of many customer service tickets and CloudFlare invoices, some of which may have contained information like your email address. We are working with Google to determine exactly what messages were accessed during the approximately 30 minutes that the hacker had access to CloudFlare email accounts.

We wanted to make clear that even if the hacker had unfettered and prolonged access to all data contained in the emails, the following pieces of data would still be secure:

  • Credit Card Numbers: which are not stored on our servers, never emailed, and cannot be retrieved even by our own administrative staff.
  • Account Passwords: which are hashed, not stored in plain text, never emailed, and cannot be retrieved even by our own administrative staff.
  • DNS Zone Information: which is never emailed.

Because some users’ API keys did appear in the email accounts and customer service tickets, we have taken the precautionary step of reissuing new API keys. If you are using an API key to access the CloudFlare WordPress plugin or other service, you will need to get your new API key from your CloudFlare Account Page and reenter it for the service to continue to work.

Finally, if you are a Google Apps or Gmail user, we strongly recommend you establish two-factor authentication on your account and any accounts that are set up to be allowed to process an account recovery. While Google has assured us that this security flaw has been patched, this incident underscores the importance of maintaining the highest possible security on your email accounts.

We take these incidents very seriously. Please do not hesitate to reach out to us if you have any questions.

The CloudFlare Team