One Cloudflare Glitch Took Down Huge Chunks of the Internet — Including ChatGPT and X

With input from AP, NBC News, BBC, Reuters, CBS News, the Guardian, and Axios.

Millions of people woke up Tuesday to the same confusing scene: favorite apps and websites refusing to load, error messages everywhere, and social feeds mysteriously quiet. The common culprit? A single infrastructure company most users never think about: Cloudflare.

Platforms including ChatGPT, X (Twitter), Spotify, Canva, Grindr, Zoom, Coinbase, Shopify, Dropbox, League of Legends, Politico, Axios, Moody’s, New Jersey Transit and even outage tracker DownDetector were hit by the disruption.

Cloudflare first flagged the problem just before 7 a.m. ET, calling it a “significant outage.” By around 9:40 a.m. ET, the company said it had deployed a fix and believed the issue was resolved, though some services stayed glitchy as traffic ramped back up.

“Given the importance of Cloudflare’s services, any outage is unacceptable,” the company said, apologizing “to our customers and the Internet in general for letting you down today.”

Most people never visit Cloudflare’s website, but they use its services constantly.

Cloudflare:

• Sits between users and websites as a content delivery and security layer;
• Handles traffic for an estimated 20% of all websites worldwide;
• Helps sites load faster by routing visitors to nearby servers;
• Blocks bot traffic and protects against DDoS attacks (floods of junk traffic meant to knock sites offline);
• Checks whether visitors are human, not automated scripts.

Think of it as a giant traffic cop and shield for the internet. When it works, everything feels normal. When it breaks, a significant chunk of the web gets snarled at once.

That’s why outages like this feel so dramatic: a few companies — Cloudflare, Amazon Web Services, Microsoft Azure, etc. — quietly sit underneath huge parts of the digital economy. When one stumbles, millions of users feel it immediately.

This time, it wasn’t hackers. It was a bug and a bad file.

Cloudflare says the outage was triggered by a configuration file that’s automatically generated to manage “threat traffic” — basically, rules for filtering and blocking suspicious activity.

That file:

• Grew far larger than expected;
• Overloaded the software system that handles traffic for multiple Cloudflare services;
• Caused widespread “500 internal server” errors and messages like “please unblock challenges.cloudflare.com to proceed” across the web.

In other words, the very systems meant to protect sites from malicious traffic accidentally tripped over their own weight.

Cloudflare stressed there is “no evidence” this was caused by an attack or any malicious activity. It was a self-inflicted technical failure.

Engineers deployed a fix and started bringing services back online. The company warned that some customers might still see higher error rates for a bit as systems stabilized and traffic surged post-outage.

Pretty big.

Outage trackers like DownDetector showed:

• Tens of thousands of user reports across major platforms within minutes;
• A spike in problems with X, ChatGPT, Spotify, League of Legends and many others;
• Even DownDetector itself experienced errors, since it also relies on Cloudflare.

In some cities, the disruption spilled into real-world services:

• New Jersey Transit and French rail operator SNCF reported issues with schedules and online information.
• New York City Emergency Management said it was monitoring potential impacts to city services, though no major emergency systems appeared to go fully offline.

Cloudflare’s stock fell roughly 2–3% in morning trading after the incident.

Tuesday’s outage is the latest reminder of how concentrated internet infrastructure has become.

Just in the last few months:

• Amazon Web Services suffered a major outage that disrupted Snapchat, Reddit, Medicare systems, banking apps, social networks, and more.
• Microsoft Azure glitches temporarily knocked out access to Office 365, Minecraft and other services.
• In 2024, a botched CrowdStrike update caused one of the largest IT incidents in history, affecting airlines, hospitals and governments globally — all from one software vendor’s mistake.

As one cybersecurity expert put it, companies like Cloudflare have become “single points of failure” for enormous portions of the web. They exist to keep sites safe from attacks and overloads — and they generally do. But when something goes wrong at their level, it’s like a digital traffic jam on a planetary scale.

Or as another analyst put it: Cloudflare is “the biggest company you’ve never heard of.” Until a morning like this, when half your apps stop working and you suddenly learn its name.

All signs so far say no.

• Cloudflare says there’s no indication of a DDoS or any other attack.
• Network analysts monitoring traffic patterns say they saw no evidence of a malicious flood.

Instead, this appears to be exactly what tech companies dread and users rarely think about: a routine security and traffic management system misbehaving in a very non-routine way.

• A bugged configuration file inside Cloudflare — not hackers — broke a key part of its traffic system.
• That briefly knocked out or degraded access to a long list of major sites and apps, from X and ChatGPT to transit systems and news sites.
• The issue has now been fixed, though Cloudflare says it’s still monitoring and will conduct a full postmortem.

The company says it will “learn from today’s incident and improve.” Given how much of the modern web runs through its pipes, a lot of the internet will be hoping that’s true.