Bitcoin Forum

Economy => Exchanges => Topic started by: bitjoin on February 24, 2017, 12:23:04 PM



Title: Anyone get this email on Kraken security issue?
Post by: bitjoin on February 24, 2017, 12:23:04 PM


A bug was recently discovered with Cloudflare, which Kraken and many other websites use for DoS protection and other services. Due to the nature of the bug, we recommend as a precaution that you change your Kraken security credentials:

    Change your password
    Change your two-factor authentication (remove and re-enable it)
    Clients who use API keys should generate a new set of keys

You should similarly change your security credentials for other websites that use Cloudflare (see link below for a list of possibly affected sites). If you are using the same password for multiple sites, you should change this immediately so that you have a unique password for each site. And you should enable two-factor authentication for every site that supports it.

The Cloudflare bug has now been fixed, but it caused sensitive data like passwords to be leaked during a very small percentage of HTTP requests. The peak period of leakage is thought to have occurred between Feb 13 and Feb 18 when about 0.00003% of HTTP requests were affected. Although the rate of leakage was low, the information that might have been leaked could be very sensitive, so it’s important that you take appropriate precautions to protect yourself.

The problem is thought to have only started 6 months ago and 2FA or API keys generated before that time are probably not affected, but we recommend changing them anyway because the bug existed for years.


Title: Re: Anyone get this email on Kraken security issue?
Post by: zottejos on February 24, 2017, 12:26:07 PM


Quote from: bitjoin
A bug was recently discovered with Cloudflare, which Kraken and many other websites use for DoS protection and other services. Due to the nature of the bug, we recommend as a precaution that you change your Kraken security credentials:

    Change your password
    Change your two-factor authentication (remove and re-enable it)
    Clients who use API keys should generate a new set of keys

You should similarly change your security credentials for other websites that use Cloudflare (see link below for a list of possibly affected sites). If you are using the same password for multiple sites, you should change this immediately so that you have a unique password for each site. And you should enable two-factor authentication for every site that supports it.

The Cloudflare bug has now been fixed, but it caused sensitive data like passwords to be leaked during a very small percentage of HTTP requests. The peak period of leakage is thought to have occurred between Feb 13 and Feb 18 when about 0.00003% of HTTP requests were affected. Although the rate of leakage was low, the information that might have been leaked could be very sensitive, so it’s important that you take appropriate precautions to protect yourself.

The problem is thought to have only started 6 months ago and 2FA or API keys generated before that time are probably not affected, but we recommend changing them anyway because the bug existed for years.

I got this link
https://github.com/pirate/sites-using-cloudflare/blob/master/README.md

From this topic
https://bitcointalk.org/index.php?topic=1802851.0;topicseen

Seems to sum up the problem


Title: Re: Anyone get this email on Kraken security issue?
Post by: alani123 on February 24, 2017, 12:43:20 PM
It's a widespread Cloudflare problem, but in spite of the low chances of individual users having their credentials stolen, it's good that they've warned people to change passwords just in case.


Title: Re: Anyone get this email on Kraken security issue?
Post by: Kevin77 on February 24, 2017, 02:13:52 PM
Not just Kraken, I received it from some other services also (notably from iconomi.net, another cryptocurrency-related one).

They are basically alerting us to reset our passwords and suggesting enabling 2FA to secure our accounts. This is due to the recent discovery of a bug in the Cloudflare service. I believe we will be on the safer side just by resetting our credentials. I just checked a few of my accounts; so far all are accessible.


Title: Re: Anyone get this email on Kraken security issue?
Post by: asriloni on February 24, 2017, 03:17:42 PM
This email applies to all of the crypto-related sites that are using Cloudflare right now. And I got a similar email from Bittrex due to the problem that has attacked Cloudflare. It just raises awareness among all of the users of the exchange sites so that their data does not get leaked.


Title: Re: Anyone get this email on Kraken security issue?
Post by: SONG GEET on February 24, 2017, 06:01:14 PM
I got a similar type of email from NiceHash, as they also use Cloudflare for DDoS protection. What was the actual bug? Is it related to a leak of personal information including our login credentials?


Title: Re: Anyone get this email on Kraken security issue?
Post by: neochiny on February 25, 2017, 12:18:55 AM
It's not just for exchanges. It's Cloudbleed.

Any and ALL sites that use Cloudflare for DDoS protection could be affected. It's highly advised to change all our passwords and activate 2FA (email, phone, goog auth) for better security.

So, we better take the time now and make sure to secure our accounts.
Quote
Between 2016-09-22 - 2017-02-18 passwords, private messages, API keys, and other sensitive data were leaked by Cloudflare to random requesters.


Title: Re: Anyone get this email on Kraken security issue?
Post by: blockcha1n on February 25, 2017, 12:31:37 AM
Yes I did.
It was from a massive breach last night on all services that rely on Cloudflare.
Not too sure what they have to do with saving everybody's passwords on their site.
Cause as far as I know it is used by all these sites for not allowing DDoS attacks, but they themselves got attacked from the very thing they are in the position to prevent. :-\
All over the world they are providing this service to many many many sites.

This is not over yet to find out how many accounts have been affected by this misuse of control by the cyber users sensitive information globally.


Title: Re: Anyone get this email on Kraken security issue?
Post by: cengsuwuei on February 25, 2017, 02:14:44 AM
Not only Kraken; with every exchange that uses Cloudflare you get a notification about the security issue.
Same with the Poloniex announcement about using 2FA: on its Twitter account the Poloniex exchange announced to Poloniex members to use 2FA.


Title: Re: Anyone get this email on Kraken security issue?
Post by: bL4nkcode on February 25, 2017, 02:59:00 AM
All websites using Cloudflare are affected by this widespread issue, and it's Cloudbleed, as someone already mentioned in the posts above. They warned their users on every website, including the different crypto sites, to change their passwords just in case, to prevent losing accounts.


Title: Re: Anyone get this email on Kraken security issue?
Post by: Diced90 on February 25, 2017, 10:33:25 AM
I got the same email; I actually thought it was a phishing attempt to steal my personal info until I saw this thread. Since it has been authenticated, I will be adjusting my security settings. Thank you.


Title: Re: Anyone get this email on Kraken security issue?
Post by: Red-Apple on February 25, 2017, 12:18:09 PM
As neochiny explained, it was a bug that has been around in Cloudflare services, which all these bitcoin-related sites use.

But it is strange that I have not yet received any email from any of the exchanges that I use, and others are saying they have received them! I had to see it somewhere else and then on bitcointalk to go and change my things :) (it is worth mentioning my accounts are a couple of years old)

Oh, and also there is a topic about it if you want to read more:
https://bitcointalk.org/index.php?topic=1803933.0


Title: Re: Anyone get this email on Kraken security issue?
Post by: zazarb on February 25, 2017, 06:10:10 PM
Yes, I have received it too, and I have no doubt that all Kraken customers received such a letter.


Title: Re: Anyone get this email on Kraken security issue?
Post by: bitjoin on February 26, 2017, 07:16:01 PM
Quote from: Diced90
I got the same email; I actually thought it was a phishing attempt to steal my personal info until I saw this thread. Since it has been authenticated, I will be adjusting my security settings. Thank you.

Yeah, same thing I thought; Hotmail email is so rubbish I can't find the option to see the exact address the mail is from until I open it. Oh well, passwords now all changed!


Title: Re: Anyone get this email on Kraken security issue?
Post by: amaral1977 on February 26, 2017, 09:25:43 PM
Yes. Everyone got it. It's the Cloudbleed problem. Lots of sensitive data was leaked because of that bug.
So check all your sensitive/important accounts against the list of affected sites, change passwords and enable 2FA (two-factor authentication).


Title: Re: Anyone get this email on Kraken security issue?
Post by: Hazir on February 27, 2017, 02:21:10 AM
Quote from: bitjoin
The Cloudflare bug has now been fixed, but it caused sensitive data like passwords to be leaked during a very small percentage of HTTP requests. The peak period of leakage is thought to have occurred between Feb 13 and Feb 18 when about 0.00003% of HTTP requests were affected.

So that bug is a faulty SSL connection; then in theory, if I wasn't using any service at the time of the main leakage from Feb 13 to 18, my data couldn't be sniffed?

Quote from: Red-Apple
but it is strange that i have not yet received any email from any of the exchanges that i use and others are saying they have received them!

Some services neglected this issue and 'forgot' to send emails with a warning.
I use blockchain.info wallet and I never received any warning about this CloudFlare security breach from them.


Title: Re: Anyone get this email on Kraken security issue?
Post by: The Sceptical Chymist on February 27, 2017, 02:27:10 AM
I got this e-mail, too.  I gave up with Kraken and their ID verification about a month ago, after Circle bit the big one.  They said my pic of me was too blurry.  I don't even know if I have the password for my account written down.  Man, I miss Circle! 

Am I in trouble if I don't change my password there but never used the account?


Title: Re: Anyone get this email on Kraken security issue?
Post by: barnes13 on February 27, 2017, 02:42:55 AM
I think all Kraken members will get this email alert, and not only Kraken members: I got one from Quinone exchange and also from the Iconomi website, and for Poloniex I got a notification when I logged in to my account to change my password and activate 2FA. For security it is better to take this action even if we don't have a balance or never used the account.


Title: Re: Anyone get this email on Kraken security issue?
Post by: Hazir on March 01, 2017, 10:16:58 PM
Quote from: The Sceptical Chymist
Am I in trouble if I don't change my password there but never used the account?

I don't think so. You are planning to never use this account anyway. I would be worried only if it was my actively used account.
When you never expect to transfer any money/BTC there and your username/password combo is unique then you have nothing to worry about.
Not to mention that only 0.00003% of accounts used in CloudFlare protected services were compromised.


Title: Re: Anyone get this email on Kraken security issue?
Post by: rozee on March 02, 2017, 04:03:34 AM
Same as you, I got that email from Kraken; not only from Kraken, I got that email from other exchanges which use Cloudflare and also from a gambling site. It's only for our security; better we change all our passwords to protect our accounts from hackers.


Title: Re: Anyone get this email on Kraken security issue?
Post by: passwordnow on March 02, 2017, 06:19:04 AM
Quote from: rozee
Same as you, I got that email from Kraken; not only from Kraken, I got that email from other exchanges which use Cloudflare and also from a gambling site. It's only for our security; better we change all our passwords to protect our accounts from hackers.

It looks like Kraken isn't the only one that has this issue and is affected by Cloudbleed. Most of them notified us to change our passwords because of the Cloudflare issue. I also got one from Yobit, and I assume that most of us who are into exchanges expect to receive an email from them.

Quote from: The Sceptical Chymist
Am I in trouble if I don't change my password there but never used the account?

Not really, I didn't change my password either.