
Important Information on the “Heartbleed” Bug

The recently discovered “Heartbleed” OpenSSL vulnerability may have affected many HTTPS sites on the internet, including kraken.com. When exploited, this vulnerability can leak random fragments of server memory that may contain usernames, passwords, and API keys. Most of our servers were patched before the vulnerability was publicly announced, but to ensure that we’re no longer susceptible, all of our old SSL certificates have been revoked and new ones issued. It’s unlikely that our old certificates were compromised, and there has been no evidence of it. There has also been no evidence of this vulnerability being used to steal accounts. The possibility that the certificates could have been compromised, however, presents a serious risk because it means the safety of your Kraken security credentials is unknown. It also means that someone might have enough information to use our old, revoked certificates in a malicious attempt to mimic our website, which would be harder to discern than normal phishing scams.

As a precaution, we recommend all users do the following:

  • Change your password
  • Delete your old two-factor authentication setups and create new ones
  • Delete your old API keys and create new ones
  • Turn on revocation checks in your browser so you are alerted to sites using revoked certificates. The revocation check should stay on for at least a year. The state of revocation support is poor, so you still need to be careful even with it on.

Similar action should be taken for other HTTPS sites where you have accounts. You can check whether a site is currently vulnerable to Heartbleed (or something else) here:

You should create new credentials for your account (some sites were never vulnerable, but if you’re unsure, it’s best to assume the site was previously vulnerable). However, if the site is still vulnerable to “Heartbleed”, updating your security credentials will still leave you exposed. Keep in mind that the site tester above won’t tell you whether the site’s SSL certificates have been revoked and reissued; if they haven’t, there’s a chance that your new security credentials can be compromised, or that the site may be vulnerable to sophisticated phishing scams.
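One check a user or administrator can run themselves for the reissuance question above, as an added example that is not part of the original post: fetch the certificate a site presents and compare its notBefore date with the public Heartbleed disclosure date (assumed here as 2014-04-07). A certificate issued before that date may be the one whose private key was exposed, even if the server has since been patched.

```python
"""Was a site's TLS certificate (re)issued after the Heartbleed disclosure?

Added example, not from the original post. Assumes the public disclosure
date of 2014-04-07 as the cutoff; adjust HEARTBLEED_DISCLOSED if needed.
"""
import socket
import ssl
import sys
from datetime import datetime, timezone

# Date the Heartbleed bug was publicly disclosed (assumption used as cutoff).
HEARTBLEED_DISCLOSED = datetime(2014, 4, 7, tzinfo=timezone.utc)


def issued_after_disclosure(cert, disclosed=HEARTBLEED_DISCLOSED):
    """True if cert['notBefore'] is later than the disclosure date.

    `cert` has the shape returned by ssl.SSLSocket.getpeercert(), whose
    notBefore field looks like 'Apr  9 12:00:00 2014 GMT'.
    """
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    return not_before > disclosed.timestamp()


def assess(cert):
    """Summarise the reissuance check as a small dict."""
    not_before = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notBefore"]), tz=timezone.utc)
    return {
        "not_before": not_before.isoformat(),
        "reissued_after_disclosure": issued_after_disclosure(cert),
    }


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Fetch the leaf certificate presented by host:port (needs network).

    Note: the default context validates the chain and hostname but does NOT
    check revocation, which is exactly why this date comparison is a useful
    second signal alongside browser revocation checks.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # Usage: python check_reissue.py example.com
    print(assess(fetch_peer_cert(sys.argv[1])))
```

The verdict only says whether the certificate post-dates disclosure; it cannot tell you whether the old one was actually revoked, so keep browser revocation checks on as the post recommends.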

For more information on the Heartbleed vulnerability, see the links below: