C(I'm not sure how that is possible since traffic is supposed to be encrypted).Cloudflare decrypts all traffic when it hits it -- otherwise it couldn't really do much, need lots of details on the request to do ddos protection/waf/etc
No matter what website I use, if my email or username contains the phrase "Larwri", I'm bombarded with hcaptcha, SMS verification requirements, and more.Cloudflare doesn't use hcaptcha, nor would it do sms verification stuff, etc. Only real possibility that comes to mind is the Cloudflare WAF does scanning for urls, uploaded bodies, etc, but shouldn't be on a specific term like that, and it would be either an outright block or cloudflare turnstile challenge. I would flip this around and look for other common factors. For example if for all these sites you're using the same IP/connection, or email, those could be flagged, etc.
Discord specifically is a special care/super sensitive. I've gotten their sms verification stuff before suddenly, they've got their own internal flags and stuff that act in interesting ways.
CFor hcaptcha, I thought Cloudflare implemented it per their blog post here, is this no longer the case?No, they use their own solution called turnstile nowadays. It looks like this:
(there's no solving or further interactivity other then clicking a box or waiting for it to solve automagically)
CIf you're getting an hcaptcha it's not directly cf
CThe only other thing that comes to mind is if you were using the same username/password and specific customers were using https://developers.cloudflare.com/waf/managed-rules/reference/exposed-credentials-check/ but idk if that would end up with extra verification like that, I would imagine most sites would just force a reset.
The way most people use Cloudflare's WAF/security stuff and they way they operate is pretty simple. If it was something identified by the WAF as bad, you'd either get a simple block screen (more common, but up to config) or a challenge to pass. There's no magical integration further then that, Cloudflare's side ends there. There isn't a service that involves tracking usernames across sites or anything like that. Maybe if they were all companies which factored in your bot score (ip reputation, or browser related) as a super special integration, but if you say it doesn't happen with other usernames/etc without changing anything else then doesn't match.
I would think it's more likely something else is following you. There's other companies that have services to try to fingerprint you and stop bad accounts, maxmind has DBs and lists for stuff like that, FraudRecord, etc. There's another one a lot of hosting companies use too but I can't think of it..
The way most people use Cloudflare's WAF/security stuff and they way they operate is pretty simple. If it was something identified by the WAF as bad, you'd either get a simple block screen (more common, but up to config) or a challenge to pass. There's no magical integration further then that, Cloudflare's side ends there. There isn't a service that involves tracking usernames across sites or anything like that. Maybe if they were all companies which factored in your bot score (ip reputation, or browser related) as a super special integration, but if you say it doesn't happen with other usernames/etc without changing anything else then doesn't match.
I would think it's more likely something else is following you. There's other companies that have services to try to fingerprint you and stop bad accounts, maxmind has DBs and lists for stuff like that, FraudRecord, etc. There's another one a lot of hosting companies use too but I can't think of it..
LDeleted
