The Four Critical Security Flaws that Resulted in Last Friday's Hack
On June 4th, 2012, Matthew Prince reported a hacking incident that targeted his personal Gmail account and subsequently compromised CloudFlare's email accounts. The hack was made possible by four key security flaws: AT&T redirecting his voicemail to a fraudulent voicemail box, Google's account recovery process being tricked by that fraudulent voicemail, a flaw in Google's Enterprise Apps account recovery process that allowed two-factor authentication to be bypassed, and CloudFlare BCCing transactional emails (including password reset messages) to some administrative accounts. To mitigate these risks, Prince suggests enabling two-factor authentication using apps like Google Authenticator instead of relying on phone networks, removing phone numbers from Google accounts, and not BCCing password reset messages to administrative accounts. The hack lasted less than 2 hours, with the hackers in Gmail for about an hour and a half and in CloudFlare's email accounts for around 28 minutes.
Company: Cloudflare
Date published: June 4, 2012
Author(s): Matthew Prince
Word count: 596
Hacker News points: None found.
Language: English