
Cloudflare R2 is an object storage service with zero egress fees, similar to Amazon S3. The service offers free data retrieval, S3 compatibility, data replication, and integration with other Cloudflare solutions.
The incident occurred at the end of last week when a Cloudflare employee responded to a complaint about a phishing URL hosted on Cloudflare R2.
“During a routine abuse remediation, action was taken on a complaint that inadvertently disabled the R2 Gateway service instead of the specific endpoint/bucket associated with the report. This was a failure of multiple system level controls (first and foremost) and operator training,” – Cloudflare.
In total, the incident lasted 59 minutes; in addition to the R2 object storage, it affected other Cloudflare services, including:
- Stream – 100% of operations (upload & streaming delivery);
- Images – 100% of operations (uploads & downloads);
- Cache Reserve – an increase in requests during the incident window as 100% of operations failed. This resulted in an increase in requests to origins to fetch assets unavailable in Cache Reserve during this period;
- Vectorize – 75% of queries to indexes failed and 100% of insert, upsert, and delete operations failed during the incident window;
- Log Delivery – latency and data losses (up to 13.6% data loss for R2 delivery jobs and up to 4.5% data loss for non-R2 delivery jobs); and
- Key Transparency Auditor – 100% of signature publish & read operations to the KT auditor service failed during the primary incident window.
Some services were affected indirectly, resulting in partial outages. For instance, Durable Objects saw a 0.09% increase in errors due to reconnections; Cache Purge had an error rate of 1.8% (HTTP 5xx) and a 10x increase in latency; and Workers & Pages had a 0.002% deployment failure rate affecting only R2-bound projects.

According to Cloudflare, the incident occurred due to both human error and insufficient validation safeguards.
The company has already taken corrective measures. The ability to disable systems has been removed from the interface used by abuse remediation personnel. In addition, restrictions have been added to the Admin API to prevent internal accounts from disabling services.
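A guardrail of the kind described above, as an added example (not Cloudflare's code): a deny-by-default check that caps the blast radius of a disable action by role, ties abuse actions to the reported resource, and refuses service-level disablement from internal accounts. All role names, scope names, fields and sample targets are hypothetical.

```python
from dataclasses import dataclass

# Hypothetical scopes ordered by blast radius (names are assumptions).
SCOPE_RANK = {"object": 0, "bucket": 1, "account": 2, "service": 3}

# Hypothetical per-role ceiling: abuse tooling may act on a bucket at most.
ROLE_MAX_SCOPE = {"abuse_remediation": "bucket", "service_owner": "service"}


@dataclass(frozen=True)
class DisableRequest:
    role: str                      # role of the caller
    scope: str                     # kind of resource being disabled
    target: str                    # identifier of that resource
    reported_target: str = ""      # resource named in the abuse complaint
    from_internal_account: bool = False


def check_disable(req: DisableRequest) -> tuple[bool, str]:
    """Return (allowed, reason) for a disable action; unknown input is denied."""
    if req.scope not in SCOPE_RANK or req.role not in ROLE_MAX_SCOPE:
        return False, "unknown scope or role"
    # 1. The role caps how wide the action may reach.
    ceiling = ROLE_MAX_SCOPE[req.role]
    if SCOPE_RANK[req.scope] > SCOPE_RANK[ceiling]:
        return False, f"{req.role} may not disable at {req.scope} scope"
    # 2. An abuse action must hit exactly the resource in the complaint.
    if req.role == "abuse_remediation" and req.target != req.reported_target:
        return False, "target does not match the reported resource"
    # 3. Internal accounts cannot disable a whole service through this API.
    if req.scope == "service" and req.from_internal_account:
        return False, "internal accounts may not disable services"
    return True, "ok"


# Constructed requests: the incident pattern first, then the intended action.
INCIDENT = DisableRequest("abuse_remediation", "service", "r2-gateway",
                          reported_target="bucket/example-phish")
INTENDED = DisableRequest("abuse_remediation", "bucket", "bucket/example-phish",
                          reported_target="bucket/example-phish")

if __name__ == "__main__":
    for r in (INCIDENT, INTENDED):
        print(r.scope, r.target, "->", check_disable(r))
```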
