[ANN] KRAKEN.COM - Exchange with USD EUR GBP JPY CAD BTC LTC XRP NMC XDG STR ETH

[Serpens66]

HELP

My account is hacked maybe, I don't have access to account and also not to my mailaccount!

Please stop all withdrawals and close my account temporaly!!

Does anyone know how to get in touch with suport instantly?

the suport page is not reachable at the moment from here:

Oh no.
Something went wrong.

We've been notified about this issue and we'll take a look at it ASAP.

    Take me back to the home page »


This site is a Zendesk based help desk. If you see this page frequently, you might want to check the Zendesk operational status:

    Zendesk operations on Twitter

[1713557348]

1713557348

[Newar]

HELP

My account is hacked maybe, I don't have access to account and also not to my mailaccount!

Please stop all withdrawals and close my account temporaly!!

Does anyone know how to get in touch with suport instantly?

the suport page is not reachable at the moment from here:
[...]

With 2FA enabled??


Fire on all fronts:

PM Dargo

@krakenfx
facebook.com/KrakenFX
github.com/payward

[Serpens66]

HELP

My account is hacked maybe, I don't have access to account and also not to my mailaccount!

Please stop all withdrawals and close my account temporaly!!

Does anyone know how to get in touch with suport instantly?

the suport page is not reachable at the moment from here:
[...]

With 2FA enabled??


Fire on all fronts:

PM Dargo

@krakenfx
facebook.com/KrakenFX
github.com/payward

yes, with yubikey.  But I don't have manual access.

I PM'd dargo, let's hope he will be online soon..  the support page was accessable too now.. so I sent a ticket...
How to contact them on FB or github?

I changed my mailadress some days ago from gmx to mailbox.org, because gmx was hacked to often, so I thought mailbox.org is more secure. But When I go to mailbox.org it says:

Warning: include_once(): open_basedir restriction in effect. File(/srv/www/htdocs/production/wp-content/plugins/LayerSlider/layerslider.php/classes/class.ls.sliders.php) is not within the allowed path(s): (/srv/www/htdocs/mailbox.org:/srv/www/htdocs/bmbo-verwaltung/:/var/www/wp_englisch:/tmp:/usr/share/php5:/usr/share/php:/var/lib/php5:/srv/www/htdocs/ALIASE/) in /srv/www/htdocs/production/wp-content/plugins/js_composer/include/classes/vendors/plugins/class-vc-vendor-layerslider.php on line 30

Warning: include_once(/srv/www/htdocs/production/wp-content/plugins/LayerSlider/layerslider.php/classes/class.ls.sliders.php): failed to open stream: Operation not permitted in /srv/www/htdocs/production/wp-content/plugins/js_composer/include/classes/vendors/plugins/class-vc-vendor-layerslider.php on line 30

Warning: include_once(): Failed opening '/srv/www/htdocs/production/wp-content/plugins/LayerSlider/layerslider.php/classes/class.ls.sliders.php' for inclusion (include_path='.:/usr/share/php:/usr/share/pear') in /srv/www/htdocs/production/wp-content/plugins/js_composer/include/classes/vendors/plugins/class-vc-vendor-layerslider.php on line 30

Fatal error: Class 'LS_Sliders' not found in /srv/www/htdocs/production/wp-content/plugins/js_composer/include/classes/vendors/plugins/class-vc-vendor-layerslider.php on line 32

Does anybody know what this means? It's also there when I try it from a different Pc.

[Newar]

[...]
How to contact them on FB or github?

On github you create an issue, but it's meant to be about code issues.

Facebook gives: support@kraken.com (which you probably already know)

I changed my mailadress some days ago from gmx to mailbox.org, because gmx was hacked to often, so I thought mailbox.org is more secure.

Did you change the email address within Kraken? (don't remember that was possible, last time I checked)

But When I go to mailbox.org it says:

Warning: include_once(): open_basedir restriction in effect. File(/srv/www/htdocs/production/wp-content/plugins/LayerSlider/layerslider.php/classes/class.ls.sliders.php) is not within the allowed path(s): (/srv/www/htdocs/mailbox.org:/srv/www/htdocs/bmbo-verwaltung/:/var/www/wp_englisch:/tmp:/usr/share/php5:/usr/share/php:/var/lib/php5:/srv/www/htdocs/ALIASE/) in /srv/www/htdocs/production/wp-content/plugins/js_composer/include/classes/vendors/plugins/class-vc-vendor-layerslider.php on line 30

Warning: include_once(/srv/www/htdocs/production/wp-content/plugins/LayerSlider/layerslider.php/classes/class.ls.sliders.php): failed to open stream: Operation not permitted in /srv/www/htdocs/production/wp-content/plugins/js_composer/include/classes/vendors/plugins/class-vc-vendor-layerslider.php on line 30

Warning: include_once(): Failed opening '/srv/www/htdocs/production/wp-content/plugins/LayerSlider/layerslider.php/classes/class.ls.sliders.php' for inclusion (include_path='.:/usr/share/php:/usr/share/pear') in /srv/www/htdocs/production/wp-content/plugins/js_composer/include/classes/vendors/plugins/class-vc-vendor-layerslider.php on line 30

Fatal error: Class 'LS_Sliders' not found in /srv/www/htdocs/production/wp-content/plugins/js_composer/include/classes/vendors/plugins/class-vc-vendor-layerslider.php on line 32

Does anybody know what this means? It's also there when I try it from a different Pc.

This seems like an issue with that website.

Protip: Use an email provider that offers 2FA as well.

[Serpens66]

Did you change the email address within Kraken? (don't remember that was possible, last time I checked)

Yes, it was very simple, just enter a new address and confirm it with a confirmation mail... (maybe there are additional security settings you can activate, I don't know.. but of course you have to be logged in, and login is protected be yubikey here)

This seems like an issue with that website.

Protip: Use an email provider that offers 2FA as well.

Some users say, they have normal access to the website, that's why I'm in panic... maybe someone hacked my router/wlan system?!
Yes... that's why I chose mailbox.org... they offer a yubikey for 2FA. But you can't use the yubikeys you have already and have to buy a new one. The yubikey for mailbox.org will arrive in ~ one week. ... ... ...
But I used a very strong password of course. So I can't imagine someone hacked it via brute forece or something like that. And there are these issues with the website described above... so my system/WLAN could be compromised (it's very new system on a new laptop, just a week old)... we will see..

I assume somebody only has access to my mailbox account and changed the password via password resett (is this possible with just have access to mail account? )
But because he needs the yubikey to withdraw bitcoins/login, he can't do more.

I hate that their is no emergency hotline or something like this... not at kraken, not at mailbox.org... always you have to wait hours or days to get an answer >.<

[Newar]

Yes, it was very simple, just enter a new address and confirm it with a confirmation mail... (maybe there are additional security settings you can activate, I don't know.. but of course you have to be logged in, and login is protected be yubikey here)

There is the "global settings lock", but I don't think it would have helped in your case as you changed the email yourself.

This seems like an issue with that website.

Protip: Use an email provider that offers 2FA as well.

Some users say, they have normal access to the website, that's why I'm in panic... maybe someone hacked my router/wlan system?!
Yes... that's why I chose mailbox.org... they offer a yubikey for 2FA. But you can't use the yubikeys you have already and have to buy a new one. The yubikey for mailbox.org will arrive in ~ one week. ... ... ...
But I used a very strong password of course. So I can't imagine someone hacked it via brute forece or something like that. And there are these issues with the website described above... so my system/WLAN could be compromised (it's very new system on a new laptop, just a week old)... we will see..

I assume somebody only has access to my mailbox account and changed the password via password resett (is this possible with just have access to mail account? )
But because he needs the yubikey to withdraw bitcoins/login, he can't do more.

I also have normal access to Kraken at the moment.

What sort of security do you use on your wifi? WPA2 + AES?

Why Yubikeys? They do fail eventually (I'll admit after millions of taps  ) . I prefer Google Authenticator as I can transfer it to another phone. And if you don't trust Google on this there are other implementations.

I hate that their is no emergency hotline or something like this... not at kraken, not at mailbox.org... always you have to wait hours or days to get an answer >.<

You get what you pay for. I realise you pay for both one way or the other, but if you want support 24/7 it will cost you a lot more.

For mailbox.org there is this:

mailbox.org
c/o Heinlein Support GmbH
Schwedter Str. 8/9 b
10119 Berlin

http://www1.dastelefonbuch.de/?kw=Heinlein+Support+GmbH&ort=Berlin&pu=1&s=a10000&cmd=search&ort_ok=1&vert_ok=0&ciid=&rgid=&kgs=&district=&ciquarter=&pcZVO=&cx=195195&cy=172506&lat=52.516199&lon=13.376781&radius=&sp=0&aktion=23&ckrid=c3336

[Serpens66]

Thanks Newar for your help !

I have access to my kraken account now. So no one changed my password as I thougt. I'm 100% sure I typed everything correct during my 3 tries. So the only explanation is that my yubikey was the problem. Maybe because I tried to login during the beginning of the price crash (lots of traffic for kraken).
This combined with the mailbox.org thing got me in panicmode
But nevertheless, it could happen a real hack anytime and we can't get in touch with support instant. That's not good... so I hope Dargo will post here something, waht to do in those cases to close the account temporaly.

edit: ... (answer to Newars questions..)

What sort of security do you use on your wifi? WPA2 + AES?

Why Yubikeys? They do fail eventually (I'll admit after millions of taps  Wink ) . I prefer Google Authenticator as I can transfer it to another phone. And if you don't trust Google on this there are other implementations.

Yes, WPA2 and AES

I used google authenticator before and use it still on some other sites. But I don't trust any app for my mobile device and asume it could be "hacked" via apps any time. (that's also why I don't have a wallet on my mobile device, I just don't trust the security from mobile devices).
That's why I bought a yubikey. No one can hack my yubikey. No one can have access to it via internet. Therefore it should be the safest way.
But it's a good question... what to do, if I loose my yubikey or sth. like that? Dargo, what are the steps to make, if someone lost the yubikey/password?

Of course I want access to my account even if I lost password/yubikey. But on the other hand I don't want that someone who hacked my mailaddress is able to resett my password/2FA.    https://support.kraken.com/hc/en-us/articles/204359233-How-can-I-recover-my-account-
If I understand the steps in this link right, someone with my email address and accountname can request a new password and a 2FA bypass, without verifying his identity.
Wouldn't it be better to ask for a scan of ID card or a webcam verification to proof the identity?

[Newar]

Glad to hear it works! 

[...]
But nevertheless, it could happen a real hack anytime and we can't get in touch with support instant.
[...]

If there was a hack circumventing 2FA, that would mean with high probability it would be an inside job. In that case I would consider the support channel compromised as well. Remember, bitcoins that you keep at an exchange are IOUs.

[Serpens66]

Glad to hear it works! 

[...]
But nevertheless, it could happen a real hack anytime and we can't get in touch with support instant.
[...]

If there was a hack circumventing 2FA, that would mean with high probability it would be an inside job. In that case I would consider the support channel compromised as well. Remember, bitcoins that you keep at an exchange are IOUs.

I editet my last post. There you see, you don't need to hack the 2FA, you only need access to the email account.. then you can get the 2FA bypass =/ Maybe Dargo will post something regarding this topic.

[Dargo]

Thanks Newar for your help !

I have access to my kraken account now. So no one changed my password as I thougt. I'm 100% sure I typed everything correct during my 3 tries. So the only explanation is that my yubikey was the problem. Maybe because I tried to login during the beginning of the price crash (lots of traffic for kraken).
This combined with the mailbox.org thing got me in panicmode
But nevertheless, it could happen a real hack anytime and we can't get in touch with support instant. That's not good... so I hope Dargo will post here something, waht to do in those cases to close the account temporaly.

edit: ... (answer to Newars questions..)

I agree that we need better measures for emergency situations. We are working on a way for clients to lock their accounts in case of emergency since that would be the fastest if you think your account might be hacked. I'll have to check on the status of this with the devs to see what the ETA might be. We are also planning on having 24/7 support once the support team is large enough for that. Some kind of emergency hotline would be good too, so I'll make sure we look at how that might be done.  

[Newar]

[...]
But I don't trust any app for my mobile device and asume it could be "hacked" via apps any time.
[...]

I keep an old phone on which I disabled all networking and installed Cyanogenmod (optional though) for things like that. Other implementations for Google Authenticator work on PCs, so you can you use your cold storage PC for it.

Of course I want access to my account even if I lost password/yubikey. But on the other hand I don't want that someone who hacked my mailaddress is able to resett my password/2FA.    https://support.kraken.com/hc/en-us/articles/204359233-How-can-I-recover-my-account-
If I understand the steps in this link right, someone with my email address and accountname can request a new password and a 2FA bypass, without verifying his identity.
Wouldn't it be better to ask for a scan of ID card or a webcam verification to proof the identity?

Do I understand correctly that is possible to request a new password and a 2FA bypass in "one go"? I don't think that's a good idea.

I'd prefer additional confirmation. Another idea: force every user to submit a BTC address that they control and can sign messages with. This address could only be submitted once. A signed message would be required to bypass 2FA.

[Dargo]

But it's a good question... what to do, if I loose my yubikey or sth. like that? Dargo, what are the steps to make, if someone lost the yubikey/password?

Of course I want access to my account even if I lost password/yubikey. But on the other hand I don't want that someone who hacked my mailaddress is able to resett my password/2FA.    https://support.kraken.com/hc/en-us/articles/204359233-How-can-I-recover-my-account-
If I understand the steps in this link right, someone with my email address and accountname can request a new password and a 2FA bypass, without verifying his identity.
Wouldn't it be better to ask for a scan of ID card or a webcam verification to proof the identity?

This is what the master key is for - to protect against someone hacking your email address (and other things). You should create a master key on a separate two-factor device from the one you use for login and keep it someplace very safe. If you don't have a second device, just make it a static password until you can get one. Once the master key is created, it will be required in order to reset your password or bypass the 2FA for account login.

https://support.kraken.com/hc/en-us/articles/201396847-What-is-the-master-key-shown-on-the-two-factor-authentication-page-

Another option is to use the global settings lock. Once activated, nobody can change the settings in your account for the number of days you specify, even if they hack into your account. So they couldn't enter their own withdrawal addresses. You can do both the master key and the global settings lock, but if you create the master key before you do the settings lock, the master key can be used to override the settings lock. This is convenient, but keep in mind that if someone obtains your master key, they will be able to override the settings lock.

https://support.kraken.com/hc/en-us/articles/201396877-What-is-the-Global-Settings-Lock-

Edit: a further protection would be to give us your PGP key for email encryption. This way, all automated email from us, including password reset and 2FA bypass are encrypted.

[Serpens66]

This is what the master key is for - to protect against someone hacking your email address (and other things). You should create a master key on a separate two-factor device from the one you use for login and keep it someplace very safe. If you don't have a second device, just make it a static password until you can get one. Once the master key is created, it will be required in order to reset your password or bypass the 2FA for account login.

https://support.kraken.com/hc/en-us/articles/201396847-What-is-the-master-key-shown-on-the-two-factor-authentication-page-

Edit: a further protection would be to give us your PGP key for email encryption. This way, all automated email from us, including password reset and 2FA bypass are encrypted.

Thanks, I created a masterkey now
What would Kraken do, if someone claims he lost his 2FA device and used the same device to generate the masterkey?
This could happen, but it could also be an attempt to steal the account. Would you now try to confirm the identity?

[Dargo]

This is what the master key is for - to protect against someone hacking your email address (and other things). You should create a master key on a separate two-factor device from the one you use for login and keep it someplace very safe. If you don't have a second device, just make it a static password until you can get one. Once the master key is created, it will be required in order to reset your password or bypass the 2FA for account login.

https://support.kraken.com/hc/en-us/articles/201396847-What-is-the-master-key-shown-on-the-two-factor-authentication-page-

Edit: a further protection would be to give us your PGP key for email encryption. This way, all automated email from us, including password reset and 2FA bypass are encrypted.

Thanks, I created a masterkey now
What would Kraken do, if someone claims he lost his 2FA device and used the same device to generate the masterkey?
This could happen, but it could also be an attempt to steal the account. Would you now try to confirm the identity?

Yes, that's a case where we have protocols in place to confirm your identity.

[mithrandi]

I'm having a weird problem where I'm unable to turn on the Global Settings Lock; when I click "Update Settings", the page just eventually returns a Cloudflare timeout error. However, the rest of the site (at least the things I tried) seems to be working just fine!

Actual error message:

Web server is returning an unknown error
There is an unknown connection issue between CloudFlare and the origin web server. As a result, the web page can not be displayed.

Ray ID: 1aeec1383dae02fd
Your IP address: 197.89.69.210
Error reference number: 520
CloudFlare Location: London

[Dargo]

I'm having a weird problem where I'm unable to turn on the Global Settings Lock; when I click "Update Settings", the page just eventually returns a Cloudflare timeout error. However, the rest of the site (at least the things I tried) seems to be working just fine!

Actual error message:

Web server is returning an unknown error
There is an unknown connection issue between CloudFlare and the origin web server. As a result, the web page can not be displayed.

Ray ID: 1aeec1383dae02fd
Your IP address: 197.89.69.210
Error reference number: 520
CloudFlare Location: London

We tested it and it seems to be working OK. Please create a ticket if you haven't already since we'll need to look at your account. I'd also try again to see if it was just a temporary issue.

[mithrandi]

I'm having a weird problem where I'm unable to turn on the Global Settings Lock; when I click "Update Settings", the page just eventually returns a Cloudflare timeout error. However, the rest of the site (at least the things I tried) seems to be working just fine!

Actual error message:

Web server is returning an unknown error
There is an unknown connection issue between CloudFlare and the origin web server. As a result, the web page can not be displayed.

Ray ID: 1aeec1383dae02fd
Your IP address: 197.89.69.210
Error reference number: 520
CloudFlare Location: London

We tested it and it seems to be working OK. Please create a ticket if you haven't already since we'll need to look at your account. I'd also try again to see if it was just a temporary issue.

I tried again now and it worked, so just temporary I guess

[Dargo]

Hi Serpens - thanks for letting us know about this. It's the first I've heard of an issue like this, but we'll look into it.

Hey Dargo,

sometimes the yubikey confirmation does not work. I'm not sure if the problem is the yubikey or if there is another problem.
But when I want to confirm a withdrawal it happens often (~20% of the time), that I get the message "the submitted form has expired" (or something like this, I did not copy the exact wording), even though not more than 15 seconds have passed.  
Nonetheless the bitcoins were send.   So now it happens,that I thougt the bitcoins were not send and send the amount twice.
Luckily it was one of my addresses so i can send the bitcoins back. But what if it was not my address? So you should fix this issue.

Serpens - Here's the reply I got from one of our devs: If it went through, it wouldn't have seen the form expired message. The form expired message would have prevented double withdrawals of the same request (resubmission of the same form).  You probably got the browser resubmit your request page and refreshed the page, got the expired form page, then submitted a new request.

It happend again, the message I get is "The submitted form has expired or is invalid. Please resubmit your request.".
All I did now was "Funding-> Withdraw -> Bitcoin -> choose adress -> type in amount -> press yubikey -> wait -> the error message appears -> even though bitcoins sent"
I did not refresh anything. But of course when I reported it first on January 20, 2015, I did click "back" to resubmit my request -> "double spend".
So the issue is still there. I get this error message and think the bitcoins are not sent, but they are sent.

edit:
About the API orderbook issue: count=2 did not solve the problem =/ =/ Now I have the best 2 asks, and no bid in the list (it happend 2 times on 25th January)

Serpens - Let me know if you see this again. We made some changes that should make it much less likely to happen, and if it does the error message will tell you to wait a while and check on the status of your request before making the request again.

[Serpens66]

It happend again, the message I get is "The submitted form has expired or is invalid. Please resubmit your request.".
All I did now was "Funding-> Withdraw -> Bitcoin -> choose adress -> type in amount -> press yubikey -> wait -> the error message appears -> even though bitcoins sent"
I did not refresh anything. But of course when I reported it first on January 20, 2015, I did click "back" to resubmit my request -> "double spend".
So the issue is still there. I get this error message and think the bitcoins are not sent, but they are sent.

edit:
About the API orderbook issue: count=2 did not solve the problem =/ =/ Now I have the best 2 asks, and no bid in the list (it happend 2 times on 25th January)

Serpens - Let me know if you see this again. We made some changes that should make it much less likely to happen, and if it does the error message will tell you to wait a while and check on the status of your request before making the request again.

thanks
how about the API orderbook issue?

[Buster]

Is it possible to deposit GBP via Paycash and then convert this balance to EUR when it arrives at Kraken?