
Cloudflare R2 is an object storage service with zero egress fees, similar to Amazon S3. The service offers free data retrieval, S3 compatibility, data replication, and integration with other Cloudflare solutions.
The incident occurred at the end of last week when one of the employees responded to a complaint about a phishing URL on Cloudflare R2.
“During a routine abuse remediation, action was taken on a complaint that inadvertently disabled the R2 Gateway service instead of the specific endpoint/bucket associated with the report. This was a failure of multiple system level controls (first and foremost) and operator training,” – Cloudflare.
In total, the incident lasted 59 minutes; in addition to the R2 object storage, it affected other Cloudflare services, including:
- Stream – 100% of operations (upload & streaming delivery);
- Images – 100% of operations (uploads & downloads);
- Cache Reserve – an increase in requests during the incident window as 100% of operations failed. This resulted in an increase in requests to origins to fetch assets unavailable in Cache Reserve during this period;
- Vectorize – 75% of queries to indexes failed and 100% of insert, upsert, and delete operations failed during the incident window;
- Log Delivery – latency and data losses (up to 13.6% data loss for R2 delivery jobs and up to 4.5% data loss for non-R2 delivery jobs); and
- Key Transparency Auditor – 100% of signature publish & read operations to the KT auditor service failed during the primary incident window.
Some services were affected indirectly, resulting in partial outages. For instance, Durable Objects had an increase in errors of 0.09% due to reconnections; Cache Purge had an error rate of 1.8% (HTTP 5xx) and a 10x increase in latency; and Workers & Pages had a 0.002% deployment failure rate, affecting only R2-bound projects.

According to Cloudflare, the incident occurred due to both human error and insufficient validation safeguards.
The company has already taken appropriate measures. The ability to disable systems has been removed from the interface used by abuse remediation personnel. In addition, restrictions have been added to the Admin API to prevent internal accounts from disabling services.
