Failed attempt to block phishing link results in massive Cloudflare outage

Date: 10/02/2025

According to the incident report released by Cloudflare, an attempt to block a phishing URL on the R2 platform accidentally caused a massive outage; as a result, many Cloudflare services were unavailable for almost an hour.

Cloudflare R2 is a zero egress-fee object storage similar to Amazon S3. The service offers free data retrieval, S3 compatibility, data replication, and integration with other Cloudflare solutions.

The incident occurred at the end of last week when one of the employees responded to a complaint about a phishing URL on Cloudflare R2.

“During a routine abuse remediation, action was taken on a complaint that inadvertently disabled the R2 Gateway service instead of the specific endpoint/bucket associated with the report. This was a failure of multiple system level controls (first and foremost) and operator training,” – Cloudflare.

In total, the incident lasted 59 minutes; in addition to the R2 object storage, it affected other Cloudflare services, including:

  • Stream – 100% of operations (upload & streaming delivery);
  • Images – 100% of operations (uploads & downloads);
  • Cache Reserve – an increase in requests during the incident window as 100% of operations failed. This resulted in an increase in requests to origins to fetch assets unavailable in Cache Reserve during this period;
  • Vectorize – 75% of queries to indexes failed and 100% of insert, upsert, and delete operations failed during the incident window;
  • Log Delivery – latency and data loss (up to 13.6% data loss for R2 delivery jobs and up to 4.5% data loss for non-R2 delivery jobs); and
  • Key Transparency Auditor – 100% of signature publish & read operations to the KT auditor service failed during the primary incident window.

Some services were affected indirectly, resulting in partial outages. For instance, Durable Objects saw a 0.09% increase in errors due to reconnections; Cache Purge saw an error rate of 1.8% (HTTP 5xx) and a 10x increase in latency; and Workers & Pages saw a 0.002% deployment failure rate, affecting only R2-bound projects.

According to Cloudflare, the incident occurred due to both human error and insufficient validation safeguards.

The company has already taken corrective measures. The ability to disable systems has been removed from the interface used by abuse remediation personnel. Also, restrictions have been added to the Admin API to prevent internal accounts from disabling services.
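
The failure described above was an action aimed at a whole service instead of the one bucket named in the complaint. As an added illustration (not Cloudflare's code), the sketch below shows a validation safeguard that derives the bucket from the reported URL and refuses any action that is broader than, or different from, that bucket. The scope names, the `Action` type and the `.storage.example` hostname suffix are assumptions made for the example.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# Hypothetical scope ladder, narrowest first (not Cloudflare's data model).
SCOPES = ("bucket", "account", "service")
MAX_ABUSE_SCOPE = "bucket"            # widest scope the abuse tool may touch
STORAGE_SUFFIX = ".storage.example"   # constructed hostname suffix


@dataclass(frozen=True)
class Action:
    verb: str     # e.g. "disable"
    scope: str    # one of SCOPES
    target: str   # bucket name, account id or service name


def bucket_from_report(url: str) -> str:
    """Derive the single bucket a complaint URL points at."""
    host = (urlsplit(url).hostname or "").lower()
    if not host.endswith(STORAGE_SUFFIX):
        raise ValueError("reported URL is not on the storage platform")
    bucket = host[: -len(STORAGE_SUFFIX)]
    if not bucket or "." in bucket:
        raise ValueError("cannot map reported URL to exactly one bucket")
    return bucket


def refusal_reasons(action: Action, reported_url: str) -> list[str]:
    """Return why the action must be refused; an empty list means allowed."""
    if action.scope not in SCOPES:
        return [f"unknown scope {action.scope!r}"]
    reasons = []
    if SCOPES.index(action.scope) > SCOPES.index(MAX_ABUSE_SCOPE):
        reasons.append(f"{action.scope}-level action exceeds abuse tooling scope")
    try:
        bucket = bucket_from_report(reported_url)
    except ValueError as exc:
        return reasons + [str(exc)]
    if action.scope == "bucket" and action.target != bucket:
        reasons.append(f"target {action.target!r} is not reported bucket {bucket!r}")
    return reasons


REPORT = "https://phish-bucket.storage.example/login.html"  # constructed sample
if __name__ == "__main__":
    for act in (Action("disable", "bucket", "phish-bucket"),
                Action("disable", "bucket", "other-bucket"),
                Action("disable", "service", "storage-gateway")):
        print(act, "->", refusal_reasons(act, REPORT) or "allowed")
```

Because the check runs server-side on every request, it holds even if an operator picks the wrong entry in the interface.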
