The internet stretched and stumbled on Tuesday, as millions of users and businesses from Lagos, Nigeria to New York watched their digital lifelines take an unannounced and shocking pause. ChatGPT wouldn’t respond to prompts, X (fka Twitter) refused to load, and even downdetector.com that is known to usually monitor outages itself went out.
There was no warning as Cloudflare, the cybersecurity giant powering one-fifth (20%) of global web traffic, saw a critical part of its network go dark.
What Went Wrong With Cloudflare?
Around 11:20 UTC on Tuesday morning, users began reporting widespread access issues across a broad spectrum of popular services. This included the infamous AI-powered chatbot ChatGPT, X, music streaming service Spotify, collaboration platform Discord, and even popular design tool Canva, among others.
Error messages and service unavailability plagued many, which further sparked a surge of outage complaints across the internet.
This outage went as far as taking out popular online service Downdetector, an online monitor that provides the “realtime overview of issues and outages with all kinds of services” in the company’s words.
Cloudflare, which provides crucial content delivery network and cybersecurity services for 20% of all websites globally, reported that they pinpointed a latent software bug in its bot mitigation system as the root cause.
The issue was then triggered by a routine configuration update that unexpectedly expanded a system file beyond its operational limits, causing widespread internal crashes in key traffic-handling systems.
To salvage Cloudflare’s brand, Dane Knecht, the Chief Technology Officer at Cloudflare took to X to announce that it wasn’t a “[cyber] attack.”
“Transparency about what happened matters, and we plan to share a breakdown with more details in a few hours,” Knecht wrote. “In short, a latent bug in a service underpinning our bot mitigation capability started to crash after a routine configuration change we made. That cascaded into a broad degradation to our network and other services.”
“This was not an attack,” the CTO continued.
The outage’s ripple effects extended beyond tech firms and social networks. Critical public services, including digital operations for New Jersey Transit and other public city functions in New York, also suffered a certain level of disruption.
This highlights the pervasive dependence businesses have on cloud infrastructure providers like Cloudflare for both private and public sector operations, which further amplifies the risk of a widespread outage like this one.
Cloudflare’s position at the core of internet infrastructure means that when its systems and networks falter, a substantial part, if not all part of online activity, is affected.
As such, the magnitude of the November 18 outage places it among the most disruptive internet incidents of 2025, occurring just weeks after other impactful cloud outages from Amazon Web Services (AWS) as well as Microsoft Azure.
So far, these outages collectively illustrate a persistent challenge, which is the inherent risks that are associated with internet centralization and cloud infrastructure, where outages at a few important service providers can create single points of failure, easily spread, and affect the entire internet.
And more importantly, this dependency on a handful of infrastructural players raises important questions about the sustainability and risk management of this model. It is why incidents or outages like this one must serve as both a caution and call to action (CTA).
The tech industry must now consider strategies that may contribute to an increment in redundancy and a reduction in systemic risk to avoid future disruptions of this scale.
