“The attack was the result a compromise of Google's account security procedures that allowed the hacker to eventually access to my CloudFlare.com email addresses, which runs on Google Apps,” Matthew Prince , the co-founder and CEO of the company said in the statement.
“The password used on my personal Gmail account was 20+ characters long, highly random, and not used by me on any other services so it's unlikely it was dictionary attacked or guessed,” he added.
Surprisingly, all CloudFlare.com accounts use two-factor authentication. " We are still working with Google to understand how the hacker was able to reset the password without providing a valid two-factor authentication token."
After analyzing the incident, Google’s security team has determined that “a subtle flaw in the recovery flow” of certain accounts allowed the hackers to compromise the account.
This is where UGNazi steps in. The hackers claim that Prince and Google are both wrong.
“Nah. There’s no way you can social engineer a Google App. I don’t know what he was talking about. We did get in his emails though: matthew@cloudflare.com and mprince@gmail.com,” Softpedia quoted Cosmo, a member of UGNazi, as saying.
“We got into their main server. We could see all customer account information, name, IP address, payment method, paid with, user ID, etc. and had access to reset any account on CloudFlare,” Cosmo added.
Furthermore, the hackers plan on selling all the information they obtained on Darkode.
"the owner Matthew Prince thinks it’s secure. It’s obviously not, implying we got access into the main CloudFlare server today." The hackers stated as the reason for the attack.
