The 5-Minute Cloudflare Token That Cost $50,000
A leaked API token and a weekend of crypto mining. Here's how it happens.
It started with a GitHub commit. Someone pushed their API token by accident, went to sleep, and woke up to $50,000 in Cloudflare bills. This story is more common than you think.
How It Works
Attackers scan GitHub, AWS, and other public repos 24/7 for leaked API keys. When they find a Cloudflare token, they:
- Create workers to mine cryptocurrency
- Spin up compute to crack passwords
- Proxy traffic through your infrastructure
- Sell access to other hackers
Real Example: The Weekend Attack
A startup's Cloudflare token was leaked on Friday afternoon. By Monday morning, they had 500+ workers running, 50TB of bandwidth consumed, and a $47,000 bill. The attacker used their infrastructure to mine crypto and proxy traffic for credential stuffing attacks.
The 4 Token Types and Their Risks
| Token Type | Risk Level | Can Access |
|---|---|---|
| User Token (Global) | Critical | Everything |
| API Token (Custom) | Medium | Scoped per zone |
| Worker Secret | Medium | Single worker |
| Zone-level Token | Low | One zone only |
How to Protect Yourself
1. Never Use Global API Tokens in Code
Create scoped API tokens with minimum required permissions. If you only need DNS, don't use a token that can access Workers.
2. Use .gitignore and GitHub Secret Scanning
Keep token files out of the repository with .gitignore, and enable GitHub's secret scanning - it detects Cloudflare tokens and alerts you before they become public.
3. Set Up Cost Alerts
Configure alerts for:
- daily spend exceeding 200% of average
- any single transaction over $100
- any new worker created
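The three alert rules above, implemented as a small evaluator over daily usage records. This is an added example, not code from the original post or from Cloudflare; the `DayUsage` record and the sample data are constructed for illustration, and in practice you would feed it from a billing or analytics export.

```python
from dataclasses import dataclass, field
from statistics import mean


@dataclass
class DayUsage:
    """One day of Cloudflare usage, as pulled from a billing or analytics export."""
    date: str
    spend_usd: float                  # total charges for the day
    largest_transaction_usd: float    # single biggest line item that day
    workers: frozenset = field(default_factory=frozenset)  # worker names seen


def evaluate_alerts(history, today, avg_factor=2.0, txn_limit=100.0):
    """Return alert messages for `today` judged against the `history` window.

    Rules, as listed in the article: daily spend over 200% of the historical
    average, any single transaction over $100, and any worker name that did
    not exist during the history window (a new worker).
    """
    alerts = []
    if history:  # the average rule needs a baseline; the other two do not
        avg = mean(d.spend_usd for d in history)
        if avg > 0 and today.spend_usd > avg_factor * avg:
            alerts.append(f"{today.date}: spend ${today.spend_usd:,.2f} exceeds "
                          f"{avg_factor:.0%} of the ${avg:,.2f} daily average")
    if today.largest_transaction_usd > txn_limit:
        alerts.append(f"{today.date}: single transaction "
                      f"${today.largest_transaction_usd:,.2f} over ${txn_limit:,.2f}")
    known = frozenset().union(*(d.workers for d in history))
    new_workers = sorted(today.workers - known)
    if new_workers:
        alerts.append(f"{today.date}: new workers created: {', '.join(new_workers)}")
    return alerts


# Constructed sample data (not real billing records): a quiet working week,
# then a weekend that looks like the incident described above.
BASE_WORKERS = frozenset({"api-gateway", "image-resizer"})
HISTORY = [DayUsage(f"2024-06-{d:02d}", 40.0 + d, 12.5, BASE_WORKERS) for d in range(3, 8)]
QUIET_DAY = DayUsage("2024-06-08", 46.0, 15.0, BASE_WORKERS)
ATTACK_DAY = DayUsage("2024-06-09", 2950.0, 450.0,
                      BASE_WORKERS | {"wrk-7f3a", "wrk-9c1e", "relay-01"})

if __name__ == "__main__":
    for day in (QUIET_DAY, ATTACK_DAY):
        print(day.date, evaluate_alerts(HISTORY, day) or ["no alerts"])
```

The quiet day produces no alerts; the weekend day trips all three rules, which is the signal that should page someone before the bill grows.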
4. Rotate Keys Monthly
Set a calendar reminder to rotate API tokens every 30 days. Even if one gets leaked, it expires before attackers can use it.
The Bottom Line
A $50,000 bill from a 5-minute mistake is real, and it happens weekly to companies worldwide. The solution isn't paranoia - it's basic hygiene: scoped tokens, cost alerts, and regular rotation.