Cloudflare said the service disruption that led to significant customer outages on Tuesday was not the result of a hacker attack.
Outages hit a wide range of online services, including ChatGPT, X, Dropbox, Shopify, and the game League of Legends. The incident has also reportedly caused some disruptions to websites and other digital services associated with critical organizations such as New Jersey Transit, New York City Emergency Management, and the French national railway company SNCF.
Cloudflare initially reported seeing a “spike in unusual traffic”, which led some to believe that the outage may be the result of a cyberattack.
However, Cloudflare CTO Dane Knecht pointed out on Tuesday morning that it was not an attack.
Instead, Knecht said, “a latent bug in a service underpinning our bot mitigation capability started to crash after a routine configuration change we made. That cascaded into a broad degradation to our network and other services.”
“That issue, impact it caused, and time to resolution is unacceptable. Work is already underway to make sure it does not happen again, but I know it caused real pain today,” he added.
Based on Cloudflare’s status page, the company started investigating the incident at 11:48 UTC, and a fix was announced at 14:42 UTC, but some errors were still seen two hours later.
Knecht said Cloudflare would soon share a detailed explanation of why the incident occurred.
Cloudflare regularly blocks significant distributed denial-of-service (DDoS) attacks aimed at its customers, including record-breaking assaults. However, it would likely require significant resources and skills for a threat actor to manage to disrupt Cloudflare’s own infrastructure.
On the other hand, it would not be surprising for some hackers, particularly hacktivists, to falsely take credit for such outages.
Update: Matthew Prince, Co-founder & CEO of Cloudflare, published a blog post with additional details on the incident, adding that it was the worst outage experienced by the company since 2019.
Related: TurboMirai-Class ‘Aisuru’ Botnet Blamed for 20+ Tbps DDoS Attacks
