Cloudflare outage that disrupted internet blamed on configuration error

Tuesday's Cloudflare outage that briefly took down X, ChatGPT and many other sites worldwide, was mostly resolved by 10 a.m. Eastern.

Cloudflare reported that the outage began around 6.30 a.m. Eastern and was caused by an automatically generated configuration file that was designed to manage potential security threats.

While not declared a cyberattack, today's Cloudflare outage — much like the CrowdStrike outage in July 2024 and the AWS incident last month — demonstrated how interconnected businesses are today and how an outage can wreak havoc on business processes short-term.

“These are warnings about systemic fragility,” says Davik Utzke, a former U.S. Treasury cybercrimes technologist. “Several outages this year demonstrate how reliant we’ve become on these centralized networks — and how quickly that dependency becomes a vulnerability.”

Utzke pointed out that security pros were concerned about the outage because Cloudflare keeps websites online during cyberattacks or heavy loads.

"Following the recent AWS outage, this new Cloudflare incident is a second reminder that 'cloud' does not automatically mean perfect resiliency and failover,” said Tim Erlin, security strategist at Wallarm. “Relying on any single provider introduces risk, and you are ultimately responsible for accepting, mitigating, or transferring that risk for your own organization. Availability can be impacted by both security incidents and infrastructure failure, which means that protecting uptime is the responsibility of both functions."

Sagy Kratu, senior product manager at Vicarius, said the Cloudflare outage was a stark reminder of how fragile the modern internet has become. A single malfunctioning configuration file was enough to take X, ChatGPT, Spotify, and thousands of businesses offline in minutes, said Kratu.

“When one provider’s internal failure can ripple across the global web, it exposes a structural weakness we’ve collectively ignored for too long,” said Kratu. “The next generation of security and infrastructure platforms must keep operating when their upstream cloud dependencies choke, not after. Outages like this aren’t anomalies, they’re signals that our architectures need to evolve before the next domino falls.

Mayur Upadhyaya, chief executive officer at APIContext, added that when core infrastructure providers like Cloudflare experience a disruption, it isn’t just websites that go down: entire machine-to-machine workflows stall. In an internet increasingly run by APIs and automation, Upadhyaya said resilience isn’t just about uptime, it’s about knowing when critical services are degrading.

“The outage highlights why regulators like the EU and UK are doubling-down on frameworks like DORA and the Cyber Security and Resilience Bill, which demand observability across the full delivery chain, from DNS to CDN to application logic,” said Upadhyaya. “Enterprises need to move beyond internal logs and embrace outside-in testing to baseline normal behavior and catch anomalies before users, or machines, feel the impact." 

Chad Cragle, chief information security officer at Deepwatch, added that today’s Cloudflare outage reminds us that not only attackers can take down the internet: sometimes, all it takes is a bug or a routine change. While this can happen to any company, Cragle said the larger the provider and the broader their dependency footprint, the more critical a strong business continuity discipline becomes.

“For the industry, the future must involve building architectures that anticipate third-party failure,” said Cragle. We must plan for the fragile parts of the ecosystem and ensure that the blast radius of any single provider never results in an industrywide outage, as we have now witnessed three times in just a few months.”