
Cloudflare Foils SMS Phishing Attack With Security Keys

Cloudflare is warning the culprits have targeted multiple companies, including Twilio, which reported a breach from the SMS phishing scheme.

By Michael Kan, Principal Reporter


Internet infrastructure provider Cloudflare says it stopped a phishing scheme from compromising the company's network, thanks to the hardware-based security keys it issued to all employees. 

According to Cloudflare, the attempted hack was likely part of the same SMS phishing scheme that breached Twilio, which the company publicly disclosed on Monday. 

“Around the same time as Twilio was attacked, we saw an attack with very similar characteristics also targeting Cloudflare’s employees,” Cloudflare wrote in a blog post on Tuesday. “This was a sophisticated attack targeting employees and systems in such a way that we believe most organizations would be likely to be breached.”

Both Twilio and Cloudflare are now warning that the SMS phishing scheme is targeting staffers at multiple companies. The attack arrives via SMS messages that pretend to come from the employer itself. In Cloudflare’s case, the hackers duped three employees into typing their company passwords into a fake login form. 

The fake login form the hackers used.

But even so, the attackers failed to breach Cloudflare because of those security keys. Unlike two-factor authentication codes, which can be shared online, a hardware key is a physical device. It's often designed to slot into a PC's USB port and adds an extra step in the login process, which can't be digitally phished.

In Cloudflare's case, this meant the hackers couldn't break in, unless they could physically steal a security key from one of the phished employees. “While the attacker attempted to log in to our systems with the compromised username and password credentials, they could not get past the hard key requirement,” Cloudflare says.

At least 76 Cloudflare employees received the SMS phishing messages from the attackers. The messages specifically said: “Alert!! Your Cloudflare schedule has been updated, Please tap cloudflare-okta.com to view your changes.” However, cloudflare-okta.com was actually a hacker-controlled domain hosting a fake login page capable of stealing passwords.

The SMS messages the hackers sent to Cloudflare employees.

The phishing technique was also designed to defeat two-factor authentication systems. Cloudflare points out the attacker’s fake login page can display a prompt for the time-based, one-time passcodes. “The employee would then enter the TOTP code on the phishing site, and it too would be relayed to the attacker,” the company said. “The attacker could then, before the TOTP code expired, use it to access the company’s actual login page.”
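Why the login server accepts a relayed TOTP code but rejects a security-key response produced on a look-alike site, as an added example that is not from Cloudflare or the original article. It is a simplified model: an HMAC stands in for the key's public-key signature, and the origins, secrets and challenge are constructed values.

```python
import hashlib, hmac, json, struct

STEP = 30  # TOTP time step in seconds (RFC 6238 default)

def totp(secret: bytes, at: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for Unix time `at`."""
    mac = hmac.new(secret, struct.pack(">Q", at // STEP), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    num = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(num % 10 ** digits).zfill(digits)

def verify_totp(secret: bytes, submitted: str, now: int) -> bool:
    # The server receives digits only; nothing ties them to the site where they were typed.
    return any(hmac.compare_digest(totp(secret, now + d * STEP), submitted)
               for d in (-1, 0, 1))

def key_response(key: bytes, browser_origin: str, challenge: str) -> dict:
    """Simplified security key + browser: the browser, not the page, records the origin."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": browser_origin}).encode()
    # Assumption: HMAC stands in for the authenticator's public-key signature.
    sig = hmac.new(key, client_data, hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "signature": sig}

def verify_key(key: bytes, resp: dict, challenge: str, expected_origin: str) -> bool:
    """Server-side check: the signed data must name this server's own origin."""
    expected_sig = hmac.new(key, resp["clientDataJSON"], hashlib.sha256).digest()
    data = json.loads(resp["clientDataJSON"])
    return (hmac.compare_digest(expected_sig, resp["signature"])
            and data["type"] == "webauthn.get"
            and data["challenge"] == challenge
            and data["origin"] == expected_origin)

# Constructed sample values, not taken from the incident.
SECRET, KEY = b"constructed-totp-secret", b"constructed-key-material"
REAL_ORIGIN = "https://login.example.com"       # hypothetical real login origin
LOOKALIKE_ORIGIN = "https://login-example.com"  # hypothetical look-alike origin
NOW, CHALLENGE = 1_660_000_000, "constructed-challenge"

def demo() -> dict:
    code = totp(SECRET, NOW)  # the code an employee reads from an authenticator app
    on_real = key_response(KEY, REAL_ORIGIN, CHALLENGE)
    on_fake = key_response(KEY, LOOKALIKE_ORIGIN, CHALLENGE)
    return {
        "totp_typed_on_real_site": verify_totp(SECRET, code, NOW),
        "totp_arriving_via_other_site": verify_totp(SECRET, code, NOW + 10),
        "key_on_real_site": verify_key(KEY, on_real, CHALLENGE, REAL_ORIGIN),
        "key_on_lookalike_site": verify_key(KEY, on_fake, CHALLENGE, REAL_ORIGIN),
    }
```

In real WebAuthn the signature also covers authenticator data containing a hash of the relying party ID, and the browser refuses to request a credential for a domain the page does not belong to.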

It remains unclear who was behind the SMS phishing scheme and how they gained access to mobile phone numbers belonging to so many Cloudflare employees. But Cloudflare's data shows the attacker used a Windows 10 machine running Mullvad VPN during the failed login attempts.

The company added it hasn’t experienced a breach since it rolled out hardware security keys to all employees. For more information on how security keys work, check out our reviews.
