Dark Web News Analysis
A threat actor on a known cybercrime forum is advertising the alleged sale of Cloudflare user data. The dataset reportedly includes “Cloudflare ID Session” tokens, usernames, email addresses, phone numbers, linked card details, and data related to “Professional API export users.” The sale is being conducted via Telegram.
Brinztech Analysis: While the threat actor frames this as a “Cloudflare breach,” the specific data fields—particularly “Cloudflare ID Session” and “linked card details”—strongly suggest this is not a direct compromise of Cloudflare’s backend databases. Instead, this appears to be a highly targeted aggregation of Infostealer Malware logs (e.g., RedLine, Lumma, or Raccoon Stealer) harvested from the infected devices of Cloudflare administrators and developers.
- Session IDs: These are browser cookies stolen from infected endpoints. They allow an attacker to execute a “Pass-the-Cookie” attack, bypassing Multi-Factor Authentication (MFA) to hijack an active session.
- Professional API Export Users: This indicates the attacker has filtered their logs to target high-value accounts—likely DevOps engineers or MSPs—who possess elevated API permissions, granting control over critical web infrastructure.
This incident comes just days after the massive Cloudflare global outage on November 18, 2025, creating a heightened state of alert and confusion that attackers may be exploiting to monetize these credentials.
Key Cybersecurity Insights
This alleged data sale presents a critical and immediate threat to IT administrators:
- Risk of Account Takeover via Session Hijacking: The mention of “Cloudflare ID Session” implies that active session tokens are compromised. Attackers can import these cookies into their own browsers to instantly impersonate a verified administrator, bypassing standard login credentials and 2FA.
- API and Elevated Access Credential Exposure: The inclusion of “Professional API export users” suggests that API keys granting high-privilege programmatic access to Cloudflare services are exposed. This could allow attackers to modify DNS records, disable WAF rules, or redirect traffic for massive phishing campaigns.
- Financial & PII Exposure: The leak includes sensitive personal identifiers and financial information (linked cards), posing significant risks of identity theft and unauthorized billing.
- Supply Chain Impact: Since Cloudflare acts as the “gatekeeper” for millions of websites, a compromised admin account could serve as a beachhead for supply chain attacks against the victim’s downstream customers.
Mitigation Strategies
In response to this claim, all Cloudflare administrators must take immediate action:
- Forced Session Invalidation (TOP PRIORITY): Cloudflare administrators should proactively invalidate all active user sessions via the dashboard to revoke any stolen cookies. Users must then re-authenticate.
- API Key Rotation: Promptly rotate all API keys and tokens, especially those with “Global” permissions or write-access to DNS/WAF settings.
- Endpoint Hygiene Check: The likely source of this leak is infected workstations. IT teams must scan developer and admin devices for infostealer malware and ensure EDR solutions are active.
- Review “Linked” Payment Methods: Verify billing activity for unauthorized transactions and consider removing saved payment methods from accounts that do not require auto-renewal.
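Detecting the "Pass-the-Cookie" pattern described under Key Cybersecurity Insights, so the forced session invalidation above can be aimed first at the users whose sessions are actually being replayed, as an added example that is not part of the original post or any Brinztech tooling. The log records and field names (`ts`, `sid`, `user`, `ip`, `ua`) are constructed; real dashboard or audit logs will need a field mapping, and `sid` should be a hash of the cookie value, never the cookie itself.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access records (not real Cloudflare data). "sid" is a
# hash of the session cookie; the raw cookie must never be written to logs.
SAMPLE_LOGS = [
    {"ts": "2025-11-21T09:00:00Z", "sid": "sid-a1", "user": "ops@example.com",
     "ip": "203.0.113.10", "ua": "Mozilla/5.0 (Macintosh) Chrome/131"},
    {"ts": "2025-11-21T09:05:00Z", "sid": "sid-a1", "user": "ops@example.com",
     "ip": "203.0.113.10", "ua": "Mozilla/5.0 (Macintosh) Chrome/131"},
    # The same session is presented minutes later by a different browser
    # on a different network: the signature of an imported stolen cookie.
    {"ts": "2025-11-21T09:12:00Z", "sid": "sid-a1", "user": "ops@example.com",
     "ip": "198.51.100.77", "ua": "Mozilla/5.0 (Windows NT 10.0) Firefox/132"},
    # A legitimate user with one client fingerprint for the whole session.
    {"ts": "2025-11-21T10:00:00Z", "sid": "sid-b2", "user": "dev@example.com",
     "ip": "192.0.2.5", "ua": "Mozilla/5.0 (X11; Linux) Chrome/131"},
    {"ts": "2025-11-21T10:30:00Z", "sid": "sid-b2", "user": "dev@example.com",
     "ip": "192.0.2.5", "ua": "Mozilla/5.0 (X11; Linux) Chrome/131"},
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect_session_reuse(records, window=timedelta(hours=1)):
    """Return one alert per session id that is used from two different
    client fingerprints (source IP, User-Agent) within `window`.
    A browser that imports a stolen cookie keeps its own UA and egress IP,
    so the session appears to be driven from two clients at once."""
    by_sid = defaultdict(list)
    for rec in sorted(records, key=lambda r: _parse(r["ts"])):
        by_sid[rec["sid"]].append(rec)
    alerts = []
    for sid, rows in by_sid.items():
        last_seen = {}  # fingerprint -> time of its most recent request
        for rec in rows:
            fp, now = (rec["ip"], rec["ua"]), _parse(rec["ts"])
            overlap = [(o, t) for o, t in last_seen.items()
                       if o != fp and now - t <= window]
            if overlap:
                prev_fp, prev_t = max(overlap, key=lambda x: x[1])
                alerts.append({"sid": sid, "user": rec["user"], "first": prev_fp,
                               "second": fp,
                               "gap_min": (now - prev_t).total_seconds() / 60})
                break  # one alert per session is enough to trigger revocation
            last_seen[fp] = now
    return alerts


def users_to_invalidate(records):
    """Accounts whose sessions should be force-invalidated first."""
    return sorted({a["user"] for a in detect_session_reuse(records)})
```

Sessions flagged here are candidates for immediate invalidation and password/MFA re-enrolment; a clean result does not prove the absence of theft, since an attacker replaying the cookie from the victim's own proxy or network would share the fingerprint.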
Secure Your Business with Brinztech — Global Cybersecurity Solutions
Brinztech protects organizations worldwide from evolving cyber threats. Whether you’re a startup or a global enterprise, our expert solutions keep your digital assets safe and your operations running smoothly.
Questions or Feedback? For expert advice, use our ‘Ask an Analyst’ feature. Brinztech does not warrant the validity of external claims. For general inquiries or to report this post, please email us: contact@brinztech.com