What happened

The widespread service disruption resulted in millions of users worldwide being unable to access numerous major websites and applications that rely on Cloudflare for content delivery, security, and DNS services.

The incident was characterised by widespread HTTP 5xx errors (server errors) and intermittent failures across Cloudflare’s core network. 

Affected services included the Content Delivery Network (CDN), security services like the Web Application Firewall, authentication (Cloudflare Access), and internal systems like the customer dashboard. Popular services that experienced outages or significant degradation included X (formerly Twitter), ChatGPT, Canva, Spotify, Uber, Zoom, and DownDetector.

The actual harm included massive economic disruption (estimated indirect losses in the hundreds of millions of dollars for the affected businesses), loss of service for end-users, and a temporary halt of business operations for companies dependent on Cloudflare’s infrastructure and security.

Why it happened

The outage was not a cyberattack, but an internal engineering failure. It was directly caused by a routine change to a database system's permissions within a ClickHouse cluster used by Cloudflare.

• AI/automated system role: The change inadvertently caused the database query that generates the configuration file for the AI-powered Bot Management system to output multiple, duplicate entries. This file is used by the system's machine learning model to generate bot scores for every request traversing the network.

• Technical failure: The resulting configuration file more than doubled in size, exceeding a hardcoded size limit within the software (the core proxy) that reads and deploys the file across Cloudflare’s global network. When the software tried to load the oversized file, it experienced a "panic" or crash, leading to a cascading failure across the network.

• Transparency and accountability: Cloudflare was highly transparent in its post-incident report, detailing the root cause and the specific technical steps that led to the failure.
  
  However, the event highlights a latent risk: as AI-driven security and traffic management systems become more complex and integral, a single, automated configuration error can quickly propagate globally and cripple core internet functions.
  
  The incident points to a lack of sufficient automated validation and boundary-checking for critical internal configuration files, demonstrating that even internal data ingestion needs the same scrutiny as external, user-generated input.