Cloudflare’s Massive Outage: How One Company Can Break the Internet – Again

For a couple of hours on Friday morning, it felt as if “the internet” itself had crashed. A single provider—Cloudflare—went down, and with it went Zoom calls, LinkedIn feeds, food deliveries, gaming servers and even transport sites millions rely on every day.

Key Points

  • A major Cloudflare outage briefly knocked out huge swathes of the web, with users seeing 500 errors on services like Zoom, LinkedIn, X, Canva, Fortnite, Deliveroo and more.

  • Cloudflare stated the incident was not a cyberattack but appears linked to a misconfigured security or firewall update, alongside logging changes rolled out across the global network.

  • This is the second major Cloudflare outage in a matter of weeks, following a November incident traced to a buggy configuration file.

  • Cloudflare now sits in front of roughly one in five websites worldwide, making it a “hidden utility” of the modern internet.

  • Friday’s disruption exposed how internet risk is increasingly concentrated in a handful of infrastructure providers.

  • For users and companies alike, the outage is a reminder to plan for infrastructure failure, not just classic cyberattacks.

Background and context: The internet’s “hidden utility”

Most people had never heard of Cloudflare until it broke their favourite apps—twice in a month.

Cloudflare is a content delivery network (CDN) and reverse proxy provider. In simple terms, it sits between you and the websites you visit, speeding things up and adding security. When you load a website, there’s a strong chance your request quietly passes through Cloudflare’s network before reaching the actual server.

A few points about its scale:

  • It is used by a significant share of all websites as a reverse proxy.

  • It protects a large proportion of the world’s highest-traffic websites.

  • Millions of internet properties rely on its infrastructure to reach users.

Cloudflare has also expanded into DDoS protection, DNS services, bot management, zero-trust security tools and more. This makes it part accelerator, part bodyguard, part backbone of the modern web.

But it also means that when Cloudflare stumbles, the outage cascades far and wide.

What happened on 5 December 2025?

A wave of 500 errors

On Friday morning, users across the world began reporting that major sites were failing to load. Apps and websites behind Cloudflare started returning 500 Internal Server Error messages—an indication that something was fundamentally wrong server-side.

Services hit included:

  • Zoom and other video platforms

  • LinkedIn, X, Substack and publishing tools

  • Canva, Fortnite, Spotify, Deliveroo and numerous others

  • Transport information services in the UK, among others

Even outage-monitoring sites struggled, as many of them rely on Cloudflare too.

Duration

The disruption began around mid-morning UK time and eased within roughly 60–90 minutes. For many users, it amounted to an hour or two of broken sites during a busy weekday morning.

What caused it?

Cloudflare stated early on that:

  • It was not a cyberattack.

  • The failure appears to be linked to a faulty configuration or security update, including issues in firewall and logging changes that rolled out globally.

In practical terms, a rule update or system change created a cascade of server failures, leading Cloudflare’s network to start rejecting legitimate traffic.

Cloudflare has promised a detailed technical post-mortem—but the broad outline is already clear: a bad configuration propagated at scale.

This wasn’t a one-off: the November outage

Only weeks earlier, Cloudflare suffered another major outage traced to a buggy configuration file pushed to its bot-management systems. That disruption:

  • Lasted around four hours

  • Took down high-profile platforms

  • Was ultimately blamed on a single misconfigured update

Combine that with earlier incidents this year affecting storage and APIs, and a pattern emerges: Cloudflare’s architecture is extremely powerful but increasingly sensitive to configuration risk.

For businesses depending on uptime, that is becoming a strategic concern.

Why it matters: who actually got hurt?

Everyday users

For individuals, the impact was mostly inconvenience:

  • Broken video calls

  • Failed logins

  • Interrupted trading, gaming or streaming

  • Food deliveries and shopping apps failing to load

Annoying, but not catastrophic. Still, repeated outages erode trust.

Businesses and platforms

For organisations, the stakes are higher:

  • Lost revenue from failed checkouts

  • Operational disruption

  • Customer support spikes

  • Reputational damage, especially for consumer-facing brands

Because Cloudflare sits invisibly in front of sites, many customers initially blame the business itself, not the infrastructure provider.

Governments and essential services

Transport, information portals and public-facing systems also run through Cloudflare. When they fail, the consequences move from “technical problem” to “public-interest risk”.

This raises uncomfortable questions about whether private infrastructure firms now hold too much systemic power.

Behind the scenes: how a single mis-step breaks the web

One network, many tenants

Cloudflare operates a global anycast network. That means:

  1. Users are routed to the nearest Cloudflare server.

  2. Security and performance rules are applied.

  3. Only then is the request forwarded to the origin server.

The entire architecture is rule-driven. A faulty rule can break thousands of unrelated sites at once.

The configuration challenge

Modern infrastructure relies less on hardware and more on enormous, dynamic configuration files:

  • Firewall rules

  • Routing logic

  • Bot-management settings

  • Load-balancing scripts

A small change pushed globally can have a huge blast radius if it behaves unexpectedly—exactly what appears to have happened both in November and December.

Concentrated risk

Over time, the internet has consolidated around a few major players. Cloudflare, large cloud providers and key DNS operators now form central arteries of global traffic.

When one of those arteries spasms, the effects aren’t local—they’re planetary.

Big picture: what this outage reveals about internet fragility

The illusion of resilience

Companies often assume they’re resilient because they use multiple servers or cloud regions. But if everything sits behind a single provider’s proxy or DNS service, they have created an unintentional single point of failure.

Software risk is now the main risk

Most modern outages stem from software updates, not hardware events. This shifts the resilience challenge toward testing, staging and rollback systems.

Regulatory questions ahead

Cloudflare’s growing influence raises questions for policymakers:

  • Should certain infrastructure providers be considered critical national infrastructure?

  • Should there be formal oversight or stress-testing requirements?

  • How do regulators prevent systemic choke points?

These debates are gathering momentum on both sides of the Atlantic.

What to watch next

Cloudflare’s detailed post-mortem

A full breakdown will reveal how the failure unfolded and what safeguards the company plans to introduce.

Customer behaviour

Expect more businesses—especially large platforms—to explore multi-CDN strategies or diversify critical services away from single suppliers.

Regulatory signals

Governments may begin formally assessing dependencies on web infrastructure providers, particularly where public services are involved.

Steps organisations can take now

  • Map all external dependencies, including CDN and DNS layers.

  • Separate critical paths (payments, login) onto diversified providers.

  • Test failover plans rather than assuming they will work.

  • Ensure customer comms and status pages are not tied to the same provider.
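The first and last steps above can be checked mechanically. The sketch below is an added example, not part of the original article or any Cloudflare tooling: it takes a dependency inventory and reports which services fail when a single provider fails, and whether a status page shares that fate with the services it reports on. The inventory, service names and provider names (provider-a, cloud-x and so on) are constructed placeholders.

```python
# Constructed inventory (hypothetical names, not real data): for each service,
# every layer lists the providers that can independently serve that layer.
INVENTORY = {
    "checkout":    {"dns": {"provider-a"}, "cdn": {"provider-a"},
                    "origin": {"cloud-x", "cloud-y"}},   # multi-cloud origin, single proxy
    "login":       {"dns": {"provider-a", "provider-b"},
                    "cdn": {"provider-a", "provider-c"}, "origin": {"cloud-x"}},
    "status-page": {"dns": {"provider-b"}, "cdn": {"provider-a"},
                    "origin": {"cloud-z"}},
}
CRITICAL = {"checkout", "login"}
STATUS_SERVICES = {"status-page"}

def single_points_of_failure(service_layers):
    """Return {provider: [layers]} where that provider is the only option for a layer."""
    spof = {}
    for layer, providers in service_layers.items():
        if len(providers) == 1:
            (only,) = providers
            spof.setdefault(only, []).append(layer)
    return spof

def blast_radius(inventory):
    """Map each provider to the services that go down if that provider alone fails."""
    radius = {}
    for name, layers in inventory.items():
        for provider in single_points_of_failure(layers):
            radius.setdefault(provider, set()).add(name)
    return radius

def shared_fate_status_pages(inventory, critical, status_services):
    """Find providers whose outage downs a critical service and a status page together."""
    findings = []
    for provider, down in sorted(blast_radius(inventory).items()):
        hit_critical = sorted(down & critical)
        hit_status = sorted(down & status_services)
        if hit_critical and hit_status:
            findings.append((provider, hit_critical, hit_status))
    return findings

if __name__ == "__main__":
    for provider, services in sorted(blast_radius(INVENTORY).items()):
        print(f"{provider}: outage takes down {sorted(services)}")
    for provider, crit, status in shared_fate_status_pages(
            INVENTORY, CRITICAL, STATUS_SERVICES):
        print(f"WARNING: {status} shares fate with {crit} via {provider}")
```

In the constructed data, checkout has two origin clouds yet still fails with provider-a, which is the "illusion of resilience" case described earlier; login survives a provider-a outage because both its DNS and CDN layers have an alternative.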

Steps individuals can take

  • Keep offline copies of essential access details.

  • Maintain more than one communication channel.

  • Recognise that widespread outages are often infrastructure-level issues, not targeted attacks.

A fragile triumph

Cloudflare enables a faster, safer web. But its influence now creates a paradox: the more the internet relies on it, the more vulnerable the internet becomes when it fails.

The December outage—coming hot on the heels of November’s—shows how a single misstep can cascade across millions of sites. Whether this prompts meaningful change will depend on Cloudflare, its customers and regulators recognising that the internet’s architecture has outgrown some of its assumptions.

If there is a lesson here, it is simple: convenience has a cost, and the modern web is held together by fewer hands than most people realise.
