Hacker News
by Arathorn 2617 days ago
The rebuilt infra wasn’t compromised; what happened was that we rotated the Cloudflare API key whilst logged into CF with a personal account but then masquerading as the master admin user. Turns out that rotating the API key rotates your personal one, not the one you’re masquerading as, and we didn’t think to manually compare the secret before confirming it had the right value. Hence the attacker was able to briefly hijack DNS to their defacement site until we fixed it.

We will write this up in a full postmortem in the next 1-2 weeks.