TL;DR: Cloudflare’s breach shows how one missed access token and three service accounts, after the October 2023 Okta incident, enabled lateral movement into Confluence, Jira, and Bitbucket and forced a long secret-rotation campaign, according to Oasis Security. The lesson is that NHI governance fails when inventory, ownership, and rotation speed cannot keep pace with exposed credentials.
NHIMG editorial — based on content published by Oasis Security covering the Cloudflare breach: Securing Non Human Identities: Lessons from the Cloudflare Breach
Questions worth separating out
Q: What breaks when an exposed service account is not rotated after a breach?
A: A missed service account stays usable after the incident that exposed it, which lets an attacker reuse valid access instead of forcing a fresh compromise.
Q: Why do service accounts and access tokens create more breach risk than human accounts?
A: Service accounts often lack MFA, are reused across systems, and remain active long after the person who created them has moved on.
Q: How do security teams know whether NHI rotation is actually working?
A: Rotation is working only if teams can show that every exposed credential was found, replaced, and validated against downstream dependencies without disrupting production.
Practitioner guidance
- Map every exposed credential to a live owner. Build a complete inventory of service accounts, tokens, and access keys, then link each one to a named system owner and dependent application before the next rotation cycle.
- Rotate compromised and adjacent NHI credentials together. When one identity system is breached, rotate the directly exposed token plus any service accounts that were provisioned through the same trust chain, not just the credential that triggered the alert.
- Block reuse by confirming downstream dependencies. Before decommissioning a stale credential, validate every application, pipeline, and integration that still references it so rotation does not leave hidden access paths behind.
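The three guidance points above, together with the earlier question of how a team proves rotation actually worked, describe one procedure: inventory with owners, scope the rotation to the whole trust chain, and refuse to call a credential retired while anything still references it. The following Python is an added illustration written for this editorial; it is not code from Oasis Security or from Cloudflare. The inventory, the trust-chain names and the post-rotation scan results are all constructed placeholders, not identifiers from the incident.

```python
"""Scope and verify an NHI rotation after a credential exposure (constructed example)."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Credential:
    cred_id: str
    kind: str                   # "token", "service_account" or "access_key"
    owner: str | None           # named owner; None means nobody is accountable for it
    trust_chain: str            # provisioning path, e.g. the SSO tenant that issued it
    dependents: frozenset[str]  # systems recorded as depending on it


# Constructed inventory for the example; names are placeholders, not real identifiers.
INVENTORY: dict[str, Credential] = {
    "tok-sso-001": Credential("tok-sso-001", "token", "identity-team",
                              "sso-tenant-a", frozenset({"wiki"})),
    "svc-wiki-sync": Credential("svc-wiki-sync", "service_account", None,
                                "sso-tenant-a", frozenset({"wiki", "issue-tracker"})),
    "svc-repo-ci": Credential("svc-repo-ci", "service_account", "platform-team",
                              "sso-tenant-a", frozenset({"ci-pipeline"})),
    "key-backup-01": Credential("key-backup-01", "access_key", "sre-team",
                                "cloud-iam", frozenset({"backup-job"})),
}


def unowned(inventory: dict[str, Credential]) -> list[str]:
    """Credentials with no named owner: nobody can safely approve their rotation or retirement."""
    return sorted(cid for cid, c in inventory.items() if c.owner is None)


def rotation_scope(inventory: dict[str, Credential], exposed_id: str) -> set[str]:
    """The exposed credential plus every credential provisioned through the same trust chain."""
    chain = inventory[exposed_id].trust_chain
    return {cid for cid, c in inventory.items() if c.trust_chain == chain}


def decommission_blockers(inventory: dict[str, Credential], cred_id: str,
                          live_references: dict[str, set[str]]) -> set[str]:
    """Systems that still reference cred_id, so it must not be retired yet.

    live_references maps system -> credential ids found in its current config by a fresh scan.
    Recorded dependents the scan did not cover count as blockers too: "not scanned" is not
    the same as "no longer referenced".
    """
    cred = inventory[cred_id]
    still_referenced = {sys for sys, refs in live_references.items() if cred_id in refs}
    unscanned = {sys for sys in cred.dependents if sys not in live_references}
    return still_referenced | unscanned


def rotation_status(inventory: dict[str, Credential], exposed_id: str,
                    live_references: dict[str, set[str]]) -> dict[str, str]:
    """Per-credential status for the whole scope: 'unowned', 'blocked' or 'validated'."""
    status: dict[str, str] = {}
    for cid in sorted(rotation_scope(inventory, exposed_id)):
        if inventory[cid].owner is None:
            status[cid] = "unowned"
        elif decommission_blockers(inventory, cid, live_references):
            status[cid] = "blocked"
        else:
            status[cid] = "validated"
    return status


def rotation_complete(status: dict[str, str]) -> bool:
    """Rotation is done only when every in-scope credential is owned and no longer referenced."""
    return all(s == "validated" for s in status.values())


# Constructed post-rotation scan: the CI pipeline config still carries the old service account.
LIVE_REFERENCES: dict[str, set[str]] = {
    "wiki": set(),
    "issue-tracker": set(),
    "ci-pipeline": {"svc-repo-ci"},
    "backup-job": {"key-backup-01"},
}

if __name__ == "__main__":
    report = rotation_status(INVENTORY, "tok-sso-001", LIVE_REFERENCES)
    for cid, state in report.items():
        print(f"{cid:15} {state}")
    print("rotation complete:", rotation_complete(report))
```

The design choice worth noting is that the scope is computed from the trust chain rather than from the alert: exposing `tok-sso-001` pulls in both service accounts issued through the same tenant, while the unrelated cloud access key stays out. A credential with no owner is reported as its own failure class rather than silently skipped, and a dependent that the scan never covered blocks retirement just as a live reference does.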
What's in the full article
Oasis Security's full blog covers the operational detail this post intentionally leaves for the source:
- A step-by-step account of how the Cloudflare breach unfolded after the Okta compromise and where the missed credentials fit into the chain.
- The operational rotation challenges the team faced while trying to identify and remediate thousands of production secrets.
- Platform context on how the vendor says its NHI management workflow supports safe rotation, prioritisation, and deprovisioning.
- A breakdown of how the article ties secret context, exposure risk, and bulk remediation into one operational process.
👉 Read Oasis Security's analysis of the Cloudflare breach and NHI exposure →
Cloudflare breach lessons: where NHI secret rotation failed?
Explore further
Unrotated NHI credentials create an attack window, not just a hygiene issue. The Cloudflare case shows that a single missed access token and three service accounts were enough to extend an incident from identity compromise into multiple downstream systems. That is the practical difference between secret exposure and operational breach amplification. Practitioners should read this as evidence that NHI lifecycle failure changes incident scope.
A few things that frame the scale:
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, which helps explain why leaked credentials persist in live environments.
A question worth separating out:
Q: Who is accountable when stale NHI credentials survive a breach response?
A: Accountability sits with the identity, application, and platform owners who control the credential lifecycle, not just the incident response team. Frameworks such as OWASP Non-Human Identity guidance and NIST CSF both expect ownership, asset visibility, and recovery discipline. If a credential remains active, someone still owns the risk.
👉 Read our full editorial: Cloudflare breach lessons expose the cost of unrotated NHI secrets