Leaked Cloudflare API token — DNS + CDN compromise

A Cloudflare API token can grant DNS edit, Workers deploy, cache purge, SSL/TLS changes and more, depending on the permissions it was created with. A broad-scope token (or the legacy Global API Key, which carries every permission on the account) is the worst case: it amounts to a takeover of every domain in the account.

The next 60 seconds matter

The attacker does not need a foothold on your servers; each of these is a handful of calls to api.cloudflare.com:

  • Redirect traffic by editing A/AAAA/CNAME records, or add a preferred MX record to intercept inbound email
  • Deploy a malicious Cloudflare Worker on a route covering the zone, injecting into every response (credential-harvesting forms, card skimmers)
  • Purge the cache at a critical moment, or switch records from proxied to DNS-only to expose origin IPs and bypass the WAF
  • Delete or replace edge certificates, or change SSL/TLS settings, to break HTTPS for your users

Rotation playbook

  1. dash.cloudflare.com/profile/api-tokens → Revoke the leaked token. If the leaked secret is a 37-character hex Global API Key rather than a token, roll it from the API Keys section on the same page (it cannot be scoped down, only replaced). While there, delete any token you do not recognise: a token with permission to manage API tokens can mint new ones.
  2. Search the Audit Log (Manage Account → Audit Log, or GET /client/v4/accounts/{account_id}/audit_logs with a since= filter) for actions performed with the token. Go back to the earliest moment it could have been exposed (the commit date, the CI run, the pasted screenshot), not just the past 24 hours.
  3. Verify DNS records match your expected state: export the zone with GET /client/v4/zones/{zone_id}/dns_records and diff it against your last known-good export or your IaC, paying particular attention to MX records and to records switched from proxied to DNS-only.
  4. Check Workers scripts and routes for unauthorized deployments, then review Page Rules, redirects and SSL/TLS settings, which the same zone-edit permissions cover.
  5. Confirm the old token is dead: GET /client/v4/user/tokens/verify with it must now fail, and issue the replacement with a narrower scope than the one that leaked.
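The DNS check in step 3, as an added example rather than the page's own tooling: it diffs a Cloudflare dns_records export against a known-good copy and reports what an attacker typically changes. The endpoint and JSON shape are Cloudflare's real ones; the two zone snapshots, the IP addresses and the mx.attacker.example host are constructed sample data.

```python
"""Diff a Cloudflare DNS export against a known-good baseline.

Added example, not from the original page. The live export is assumed to come
from the real endpoint
    GET https://api.cloudflare.com/client/v4/zones/{zone_id}/dns_records
for instance:
    curl -s -H "Authorization: Bearer $CF_API_TOKEN" \
      "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records?per_page=5000"
and the baseline is the same JSON captured before the incident (or rendered
from your IaC). Both snapshots below are constructed sample data.
"""

# Record types an attacker edits to hijack traffic or mail; drift here is critical.
HIGH_IMPACT = {"A", "AAAA", "CNAME", "MX", "NS", "TXT"}


def normalize(rec: dict) -> tuple:
    """Reduce one dns_records entry to the fields that matter for drift."""
    return (
        rec["type"],
        rec["name"].lower().rstrip("."),
        rec["content"],
        bool(rec.get("proxied", False)),
        rec.get("priority"),  # only present on MX/SRV/URI records
    )


def dns_drift(baseline: dict, live: dict) -> list:
    """Return findings describing how `live` differs from `baseline`.

    A record whose only change is the proxied flag is reported once as
    PROXIED/UNPROXIED instead of an ADDED + REMOVED pair: turning the orange
    cloud off exposes the origin IP and bypasses the WAF, and is easy to miss.
    """
    base = {normalize(r) for r in baseline["result"]}
    cur = {normalize(r) for r in live["result"]}
    findings = []

    def flipped(rec: tuple) -> tuple:
        # The same record with the proxied flag toggled.
        return rec[:3] + (not rec[3],) + rec[4:]

    def note(change: str, rec: tuple) -> None:
        findings.append({
            "change": change,
            "type": rec[0], "name": rec[1], "content": rec[2],
            "proxied": rec[3], "priority": rec[4],
            "critical": rec[0] in HIGH_IMPACT,
        })

    for rec in sorted(cur - base, key=str):
        if flipped(rec) in base:
            note("PROXIED" if rec[3] else "UNPROXIED", rec)
        else:
            note("ADDED", rec)
    for rec in sorted(base - cur, key=str):
        if flipped(rec) not in cur:  # proxy flips were already reported above
            note("REMOVED", rec)
    return findings


def mx_targets(export: dict) -> list:
    """Who receives the zone's mail right now, lowest priority (preferred) first."""
    mx = [r for r in export["result"] if r["type"] == "MX"]
    return [r["content"] for r in sorted(mx, key=lambda r: r["priority"])]


# Constructed sample data: the zone before the leak ...
BASELINE = {"success": True, "result": [
    {"type": "A", "name": "example.com", "content": "203.0.113.10", "proxied": True, "ttl": 1},
    {"type": "A", "name": "www.example.com", "content": "203.0.113.10", "proxied": True, "ttl": 1},
    {"type": "MX", "name": "example.com", "content": "mail.example.com", "priority": 10, "proxied": False, "ttl": 3600},
    {"type": "TXT", "name": "example.com", "content": "v=spf1 mx -all", "proxied": False, "ttl": 3600},
]}
# ... and after the attacker used the token: apex repointed and unproxied, www
# unproxied (origin IP exposed), and a preferred MX added for mail interception.
LIVE = {"success": True, "result": [
    {"type": "A", "name": "example.com", "content": "198.51.100.7", "proxied": False, "ttl": 1},
    {"type": "A", "name": "www.example.com", "content": "203.0.113.10", "proxied": False, "ttl": 1},
    {"type": "MX", "name": "example.com", "content": "mail.example.com", "priority": 10, "proxied": False, "ttl": 3600},
    {"type": "MX", "name": "example.com", "content": "mx.attacker.example", "priority": 5, "proxied": False, "ttl": 3600},
    {"type": "TXT", "name": "example.com", "content": "v=spf1 mx -all", "proxied": False, "ttl": 3600},
]}

if __name__ == "__main__":
    for f in dns_drift(BASELINE, LIVE):
        flag = "!!" if f["critical"] else "  "
        print(f"{flag} {f['change']:<9} {f['type']:<4} {f['name']:<16} {f['content']}  proxied={f['proxied']}")
    print("MX now delivers to:", mx_targets(LIVE))
```

Run it against the real export and your committed baseline and treat every critical finding as something to revert before the playbook moves on; the MX listing is worth checking by hand even when the diff is empty, because a lower-priority MX that was always there is still the one receiving your mail.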

Prevent the next one

  • Use API Tokens with the minimum permissions the job needs (never the Global API Key: it carries every permission and cannot be scoped)
  • Scope tokens to a single zone where possible; a CI job that updates one record needs DNS Edit on that zone, not account-wide Workers and DNS rights
  • Give tokens an expiry (TTL) and, where the caller has a fixed egress address, restrict them by client IP; both are options on the token creation form
  • Rotate tokens on team-member departure and on any suspected exposure
  • Pull the Audit Log into your SIEM (the audit_logs API on a schedule, or Logpush where available) and alert on token creation, DNS edits, Worker deploys and SSL changes
  • Keep tokens in a secrets manager rather than in repos or CI variables that get echoed into logs

Pattern we scan for

  [A-Za-z0-9_-]{40}   (API token: 40 characters of letters, digits, underscore and hyphen)
  [0-9a-f]{37}        (Global API Key: 37 lowercase hex characters)

A bare 40-character match is low-signal on its own (a git commit SHA is 40 hex characters), so a hit should carry context such as a nearby CLOUDFLARE_API_TOKEN name or api.cloudflare.com, and be confirmed against GET /client/v4/user/tokens/verify before anyone is paged.
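An added example, not the page's own scanner, of how a line-oriented secret scanner applies these two patterns with the context and git-SHA caveats, plus a helper that confirms a candidate against Cloudflare's real /user/tokens/verify endpoint (defined but not called, since it needs network access). The sample lines and every credential value in them are constructed.

```python
"""Line-oriented scanner for the two Cloudflare credential shapes on this page.

Added example, not the page's own scanner. The sample lines and every
credential value in them are constructed; the regexes encode the formats
named above (40-char API token, 37-hex Global API Key). verify_token()
calls Cloudflare's real /user/tokens/verify endpoint and is NOT run by
default because it needs network access.
"""
import json
import re
import urllib.error
import urllib.request

PATTERNS = {
    # Scoped API token: exactly 40 chars of letters, digits, '_' and '-'.
    "api_token": re.compile(r"(?<![A-Za-z0-9_-])[A-Za-z0-9_-]{40}(?![A-Za-z0-9_-])"),
    # Legacy Global API Key: exactly 37 lowercase hex chars.
    "global_api_key": re.compile(r"(?<![0-9a-f])[0-9a-f]{37}(?![0-9a-f])"),
}
# Names that tie a match to Cloudflare: env var prefixes, the API host, and the
# X-Auth-Key / X-Auth-Email headers used with the Global API Key.
CONTEXT = re.compile(r"cloudflare|cf_api|x-auth-key|x-auth-email", re.I)


def confidence(kind: str, value: str, has_context: bool) -> str:
    """Rate a match. A bare 40-hex string is almost always a git SHA-1, not a token."""
    if kind == "api_token" and re.fullmatch(r"[0-9a-f]{40}", value):
        return "high" if has_context else "low"
    return "high" if has_context else "medium"


def redact(value: str) -> str:
    """Keep just enough to identify the credential in a ticket without re-leaking it."""
    return value[:4] + "..." + value[-4:]


def scan_lines(lines) -> list:
    """Return every candidate credential found, one dict per match."""
    hits = []
    for line_no, line in enumerate(lines, start=1):
        has_context = bool(CONTEXT.search(line))
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                hits.append({
                    "line": line_no,
                    "kind": kind,
                    "value": m.group(0),
                    "redacted": redact(m.group(0)),
                    "confidence": confidence(kind, m.group(0), has_context),
                })
    return hits


def verify_token(token: str, timeout: float = 10.0) -> str:
    """Ask Cloudflare whether a candidate token is live (network call).

    Returns result.status from GET /client/v4/user/tokens/verify (Cloudflare
    documents "active", "disabled" and "expired"), or "invalid" when the API
    rejects the token. After rotation, the leaked token must come back invalid.
    """
    req = urllib.request.Request(
        "https://api.cloudflare.com/client/v4/user/tokens/verify",
        headers={"Authorization": f"Bearer {token}"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = json.load(resp)
    except urllib.error.HTTPError as err:  # 400/401 for an unknown or malformed token
        try:
            body = json.load(err)
        except ValueError:
            return "invalid"
    return body["result"]["status"] if body.get("success") else "invalid"


# Constructed sample input: an env file, a header dump, a git log line, a curl one-liner.
SAMPLE_LINES = [
    "CLOUDFLARE_API_TOKEN=Zx9_yQ4pL2mN8vB1cW7dK3rT6sH0jF5gA2eU4iO-",
    "X-Auth-Key: 0123456789abcdef0123456789abcdef01234",
    "commit 3f786850e387550fdab836ed7e6dc881de23001b",
    'curl -H "Authorization: Bearer Zx9_yQ4pL2mN8vB1cW7dK3rT6sH0jF5gA2eU4iO-" https://api.cloudflare.com/client/v4/user/tokens/verify',
]

if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LINES):
        print(f"line {hit['line']}: {hit['kind']:<15} {hit['redacted']:<12} confidence={hit['confidence']}")
```

The commit line shows why the context check matters: it matches the token pattern character for character yet rates low, while the same 40-hex string next to a CLOUDFLARE_API_TOKEN name would rate high. Only high-confidence hits are worth the verify call, and the verify call is what turns a pattern match into an incident.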