Per the article, only three of 76 targetted employees were fooled by what can reasonably be described as a best-in-class phishing attack. That's actually pretty good[1], and implies that someone trained them pretty well.
[1] Though surely Cloudflare employees are, by the nature of their business area, going to be a ton more sophisticated about this than median corporate folks.
But surely that makes it even more compelling; it's incredibly good and they still got breached. The promise of hardware tokens is that you can survive even that happening, because humans are and always will be the weak link in the chain and this is an actual mitigation against even that.
Per the article, only three of 76 targetted employees were fooled by what can reasonably be described as a best-in-class phishing attack. That's actually pretty good[1], and implies that someone trained them pretty well.
[1] Though surely Cloudflare employees are, by the nature of their business area, going to be a ton more sophisticated about this than median corporate folks.