At 2:22 p.m. UTC on Friday, November 21, 2025, the internet hiccuped—and for nearly an hour and a half, millions of users couldn’t reach their favorite apps. A misconfigured update at Cloudflare, Inc., the internet infrastructure giant based at 101 Townsend Street in San Francisco, triggered a cascading failure across its global network. Services like Discord, Notion, and Feedly went dark or slowed to a crawl. The outage wasn’t a cyberattack. It wasn’t a power surge. It was a human error—during a routine maintenance window—bypassing safeguards meant to prevent exactly this.
How a Single Line of Code Took Down the Internet’s Backbone
The root cause? A faulty BGP (Border Gateway Protocol) update pushed at 14:18 UTC. According to John Graham-Cumming, Cloudflare’s CTO, the change was designed to improve cache efficiency. Instead, it caused 98.7% of Cloudflare’s edge servers to stop announcing their routes. Think of it like a city’s traffic lights suddenly going dark—cars (data packets) keep coming, but no one’s telling them where to go. By 14:22 UTC, the failure had spread across 300 cities in over 100 countries. Cloudflare’s own telemetry showed 3.2 million unique IP addresses affected. Peak complaints on Downdetector hit 127,483 at 14:35 UTC.
“It wasn’t a DDoS,” Graham-Cumming clarified in a post-mortem. “It was a configuration that failed open.” That means the system didn’t shut down—it just stopped functioning, letting traffic flow into a black hole. The fix? Roll back the change. It took 85 minutes to restore full service, with the last nodes coming back online at 15:47 UTC.
Who Got Hit—and Who Didn’t
The outage didn’t spare anyone using Cloudflare’s CDN or DNS services. Discord users couldn’t send messages or join voice calls for over 80 minutes. Notion teams lost access to shared documents. Feedly readers couldn’t load their news feeds. Even Khan Academy, used by hundreds of thousands of students during school hours, had a 12-minute interruption during a live class.
But not everyone was affected. Amazon.com, Inc. and Shopify Inc. reported zero downtime. Why? They use multiple CDNs—Cloudflare isn’t their only lifeline. That’s the lesson here: over-reliance on a single provider is a systemic risk.
The Black Friday Fallout
The timing couldn’t have been worse. This outage hit during the critical window before Black Friday, when online retailers ramp up traffic and rely on Cloudflare’s DDoS protection and speed optimizations. Palo Alto Networks, Inc. estimated losses exceeding $150 million across affected businesses—not just from lost sales, but from customer trust erosion and support overload. Smaller e-commerce shops using Cloudflare as their sole CDN likely saw sales vanish in real time.
“We saw cart abandonment spike 400% in the first 20 minutes,” said one anonymous Shopify merchant who used Cloudflare for their storefront. “Customers thought the site was broken. They didn’t know it was the middleman.”
Why This Isn’t the First Time
Cloudflare’s last major outage was June 24, 2022—27 minutes, 1.3 million sites affected. In response, they built better safeguards. So how did this happen? A new deployment automation tool introduced in Q3 2025 bypassed the dual-approval process. It was meant to speed up releases. Instead, it created a blind spot.
“We trusted the automation,” admitted Matthew Prince, Cloudflare’s CEO, in a blog post. “That’s on us.”
What’s Next for Cloudflare—and the Internet
Cloudflare’s remediation plan is clear: by December 15, 2025, every edge configuration change will require dual human approval. They’re also cutting their “kill switch” response time from five minutes to 90 seconds. But industry watchers say that’s not enough.
Gartner, Inc. warned in a November 21 advisory that 25.6% of the top 1 million websites rely on Cloudflare. “This incident is a wake-up call,” said Gartner analyst Lena Torres. “We’re building a fragile internet on a handful of providers. If one fails, we all feel it.”
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) echoed that concern. Director Jen Easterly issued a public advisory: “No malicious activity was detected. But critical infrastructure operators should no longer treat single-vendor CDNs as a best practice.”
Cloudflare’s stock, NET, closed at $78.42 on November 21—down 2.3% from $80.27. Trading volume spiked to 18.7 million shares, nearly 50% above average. Investors are watching closely ahead of the company’s earnings call on November 28, 2025.
Frequently Asked Questions
How did this outage affect everyday users?
Millions of users couldn’t access Discord, Notion, or Feedly during peak hours. Students using Khan Academy lost access to live lessons. E-commerce shoppers faced checkout failures just before Black Friday. Over 3.2 million unique IP addresses experienced connectivity issues, with 78% of those in North America. Many assumed the websites were down—not realizing the problem was upstream.
Why didn’t Amazon or Shopify go down?
They use multi-CDN strategies, meaning they route traffic through multiple providers like Cloudflare, Fastly, and Akamai. If one fails, traffic automatically shifts. Cloudflare’s outage exposed a dangerous trend: many smaller companies rely on a single CDN for cost savings. That’s a single point of failure—and this incident proved why it’s risky.
What changed between Cloudflare’s 2022 and 2025 outages?
After the 2022 outage, Cloudflare added automated safeguards. But in Q3 2025, they rolled out a new deployment tool that skipped manual approvals to speed up updates. That tool bypassed the very protections meant to prevent errors. The 2025 outage wasn’t a failure of systems—it was a failure of process oversight.
Is Cloudflare still a reliable service?
Cloudflare remains one of the most widely used CDNs, serving over 25% of the top million websites. But reliability isn’t about being perfect—it’s about how you respond. Their transparency, speed of resolution, and public post-mortem are strong. However, their 2025 incident shows even top-tier providers can be vulnerable to internal process flaws. Businesses should evaluate redundancy, not just reputation.
What does this mean for the future of internet infrastructure?
This outage exposed how centralized internet infrastructure has become. A handful of providers—Cloudflare, AWS, Google Cloud, Akamai—hold enormous power. When one stumbles, the ripple effects are global. Experts now urge regulators and businesses to incentivize decentralization: multi-CDN adoption, open-source alternatives, and geographic redundancy. The internet was designed to be resilient. We’re slowly making it brittle.
When will Cloudflare’s next earnings call address this?
Cloudflare’s next earnings call is scheduled for November 28, 2025, at 8:30 a.m. EST. Investors will hear how the outage impacted revenue, customer retention, and whether they’ll face regulatory scrutiny. The company has already confirmed they’ll discuss their new dual-approval policy and the $150 million+ in estimated losses across their customer base.
