
Cloudflare Thanksgiving 2023: One Unrotated Token, One Atlassian Estate

Source: Cloudflare incident blog · Nov 2023

A nation-state actor used a service token and three service-account credentials stolen in the October 2023 Okta support breach. Cloudflare had not rotated them because they were believed to be unused. The attacker reached Atlassian, then 76 code repositories.

Key Finding

Service-account credentials and OAuth tokens that are not in active use are not safe. They are exactly the credentials an attacker prefers — long-lived, low-visibility, and rarely on anyone's review list.

On 14 November 2023, a threat actor began probing Cloudflare's environment with credentials stolen during the Okta support-system breach the previous month. On 15 November the attacker successfully authenticated to Cloudflare's Atlassian Jira and Confluence using a Moveworks service token and a Smartsheet service account. From there the attacker read 36 Jira tickets and 202 wiki pages — heavily focused on Cloudflare's response to the Okta incident itself — created an Atlassian user for persistence on 22 November, deployed the Sliver C2 framework, and downloaded 76 of 120 viewed code repositories before being detected.

The single architectural fact that drove the outcome was that the stolen credentials were not rotated after the Okta breach because, in Cloudflare's own words, "mistakenly it was believed they were unused." Non-human identities had drifted out of inventory. The attacker, who had the actual list, treated them as live.

Three lessons that apply to every identity programme:

The Okta breach exposed not just human-session tokens but service-account credentials granted into many downstream systems. Any organisation that issued OAuth grants, Bitbucket service accounts, or API tokens to applications that integrate with Okta inherited the breach until those credentials were rotated. The default response to a vendor identity breach should be rotate-then-investigate, not investigate-first.

NHIs need an inventory that survives rotation cycles. The Cloudflare service tokens were on the books; they were not in anyone's mental model of "active". Inventory plus liveness signals would have surfaced the gap.

Persistence-by-credential-creation is now standard tradecraft. The attacker created a new Atlassian user via stolen credentials so that even a credential rotation would not lock them out. Identity-system change detection has to alert on new account creation regardless of the actor performing it.
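The rotate-then-investigate rule and the inventory-plus-liveness gap above can be turned into a triage check. The following is an added example, not Cloudflare's tooling or anything from the incident blog: it runs over a constructed inventory of non-human identities (names and dates are illustrative; the breach cutoff is a placeholder, since the page gives only "October 2023") and refuses to treat "no recorded usage" as evidence that a credential is safe to skip.

```python
"""Liveness-aware rotation triage for non-human identities (NHIs).

Constructed example: the records below imitate an inventory of service
tokens and service accounts. Names and dates are illustrative only.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class Credential:
    name: str
    issued_at: datetime
    last_used_at: Optional[datetime]  # None = no auth event ever recorded
    rotated_at: Optional[datetime]    # None = never rotated


def triage(creds: List[Credential], breach_at: datetime, now: datetime,
           dormant_after: timedelta = timedelta(days=90)) -> Dict[str, str]:
    """Classify each credential after a vendor identity breach.

    rotate_now     : existed before the breach and was not rotated after it.
                     Usage telemetry is ignored here on purpose; "believed
                     unused" is not a reason to skip rotation.
    dormant_review : not exposed, but no liveness signal within the window.
                     Confirm an owner and a purpose, or revoke it.
    ok             : rotated after the breach (or issued later) and recently used.
    """
    decisions: Dict[str, str] = {}
    for c in creds:
        exposed = c.issued_at < breach_at and (
            c.rotated_at is None or c.rotated_at < breach_at)
        last_seen = c.last_used_at or c.issued_at  # absence of use is not a signal
        dormant = (now - last_seen) > dormant_after
        if exposed:
            decisions[c.name] = "rotate_now"
        elif dormant:
            decisions[c.name] = "dormant_review"
        else:
            decisions[c.name] = "ok"
    return decisions


# Constructed inventory. BREACH_AT is a placeholder cutoff for a vendor breach.
BREACH_AT = datetime(2023, 10, 1)
NOW = datetime(2024, 2, 15)
INVENTORY = [
    # The Cloudflare pattern: never rotated, no recorded use, assumed dead.
    Credential("integration-service-token", datetime(2023, 1, 10), None, None),
    Credential("ci-deploy-key", datetime(2023, 5, 1), datetime(2024, 2, 10), datetime(2023, 10, 25)),
    Credential("legacy-sync-account", datetime(2023, 11, 1), datetime(2023, 11, 2), None),
    Credential("bot-reporter", datetime(2023, 9, 1), datetime(2024, 2, 1), datetime(2023, 10, 25)),
]


def demo() -> Dict[str, str]:
    return triage(INVENTORY, BREACH_AT, NOW)


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{decision:15} {name}")
```

Feed it the real inventory export and the vendor's disclosed compromise window; every `rotate_now` entry is rotated before anyone starts reading logs.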

Need help with your identity architecture?

Every incident on this page was preventable with the right architecture. Let's talk about yours.
