Security Advisory: Cloudflare Bug


A bug was recently discovered with Cloudflare, which Kraken and many other websites use for DoS protection and other services. Due to the nature of the bug, we recommend as a precaution that Kraken clients change their security credentials:

  • Change your password
  • Change your two-factor authentication (remove and re-enable it)
  • Clients who use API keys should generate a new set of keys

You should similarly change your security credentials for other websites that use Cloudflare (see link below for a list of possibly affected sites). If you are using the same password for multiple sites, you should change this immediately so that you have a unique password for each site. And you should enable two-factor authentication for every site that supports it.

The bug has now been fixed by Cloudflare, but it caused sensitive data like passwords to be leaked during a very small percentage of HTTP requests. The peak period of leakage is thought to have occurred between Feb 13 and Feb 18 when about 0.00003% of HTTP requests were affected. Although the rate of leakage was low, the information that might have been leaked could be very sensitive, so it’s important that you take appropriate precautions to protect yourself.

The actual leaks are thought to have only started about 6 months ago, so two-factor authentication or API keys generated before that time are probably safe, but we recommend changing them anyway because the vulnerability potentially existed for years.

Please note that this bug does NOT mean that Kraken itself has been hacked or breached, but since individual security credentials may have been leaked some individual accounts could be vulnerable and everyone should change their credentials as a safeguard.

Here are some links for further reading on the Cloudflare bug: