Kraken Cites Phishing, Not a Breach, on Its Exchange
While some users blame the Kraken exchange for a breach, the exchange says their losses may be the result of phishing after all.
The Kraken support team has drawn Cointelegraph's attention to its recent blog post responding to various claims of compromised accounts and stolen funds on the exchange.
In the last month, Cointelegraph received two separate emails from self-described Kraken users who claim their accounts were compromised in a security breach of Kraken's systems.
Kraken was not hacked
Both cases were presented to Kraken for clarification before our articles about them were published in July and August. In a response on Monday, August 15, Kraken said the claims of a breach could instead be explained by phishing.
In the post, Kraken denied its systems or databases were compromised:
“We have no reason to believe that Kraken itself has been breached. The vast majority of reports of hacked accounts so far have admitted to reusing credentials across services, and have not used two-factor authentication on login. Some hacked accounts had two-factor set only on withdrawals but had not enabled the settings lock, which left open the opportunity for an attacker to remove the setting upon logging in. As mentioned earlier, even with the two-factor set on login, if the two-factor code is entered into a phishing site, the attacker can perform a “man-in-the-middle” attack, intercept the code (along with your username and password) and use it to log in to the real Kraken.com on your account.”
Always remember to secure your accounts
In an email to Cointelegraph, Kraken says:
“A significant number of Kraken accounts were compromised because the attackers were somehow able to obtain client login credentials (username and password) and thereby gain access to the accounts individually by logging in. Kraken itself was NOT hacked and NONE of our systems or databases were compromised.”
It added that the vast majority of compromised accounts had no additional security features enabled, so the attackers gained full account access simply by logging in with the username and password.
The email says further:
“Some people have been saying that accounts with two-factor authentication were also compromised, but this statement is misleading. No accounts that had two-factor for account login set up with a one-time password were compromised. (However, as mentioned in the blog, in the case of a phishing attack, it might be possible for an attacker to perform a man-in-the-middle attack and thereby defeat two-factor authentication). There were a few compromised accounts that had two-factor for withdrawals incorrectly configured.”
It says that two-factor for withdrawals is only effective when used together with the Global Settings Lock, as explained in its help center: without the lock, an attacker who has logged in with the password alone can simply remove the withdrawal setting.
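The two failure modes Kraken describes, a one-time code relayed through a phishing page within its validity window and a withdrawal-only second factor removed by a logged-in attacker when the settings lock is off, can be made concrete in a small simulation. The following Python is an added illustration, not code from Kraken or Cointelegraph; the account names, passwords, the base32 secret and the `RealExchange`, `PhishingSite` and `run_demo` names are all constructed for the example, and the server stands in for any site that verifies standard RFC 6238 TOTP codes.

```python
import base64
import hashlib
import hmac
import struct

# Constructed demo secret (a base32 string of the kind authenticator apps enrol), not a real key.
DEMO_SECRET = base64.b32decode("JBSWY3DPEHPK3PXP")
STEP = 30  # seconds per TOTP window


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, as authenticator apps generate it."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class RealExchange:
    """Stand-in for the genuine site (hypothetical). It checks the password and,
    if login 2FA is on, a TOTP code within one step of clock skew. The code says
    nothing about which web page it was typed into, so a relayed code is accepted."""

    def __init__(self):
        self.accounts = {}

    def register(self, user, password, secret, login_2fa, withdrawal_2fa, settings_lock):
        self.accounts[user] = dict(password=password, secret=secret, login_2fa=login_2fa,
                                   withdrawal_2fa=withdrawal_2fa, settings_lock=settings_lock)

    def login(self, user, password, code, now):
        acct = self.accounts.get(user)
        if acct is None or not hmac.compare_digest(acct["password"], password):
            return False
        if not acct["login_2fa"]:
            return True  # password alone is enough: a reused, leaked password wins
        return any(hmac.compare_digest(totp(acct["secret"], now + d * STEP), code)
                   for d in (-1, 0, 1))

    def disable_withdrawal_2fa(self, user, session_valid):
        """A logged-in session may remove withdrawal 2FA unless the Global Settings
        Lock is on; that is the misconfiguration Kraken describes."""
        acct = self.accounts[user]
        if not session_valid or acct["settings_lock"]:
            return False
        acct["withdrawal_2fa"] = False
        return True


class PhishingSite:
    """Attacker's look-alike page (hypothetical): records what the victim types
    and forwards it to the real site at once, inside the same 30-second window."""

    def __init__(self, real):
        self.real = real
        self.captured = []

    def submit(self, user, password, code, now):
        self.captured.append((user, password, code))
        return self.real.login(user, password, code, now)


def run_demo(now=1_700_000_000):
    """Run each scenario at a fixed clock so the outcome is deterministic."""
    real = RealExchange()
    # alice: TOTP on login and on withdrawals, no settings lock.
    real.register("alice", "hunter2", DEMO_SECRET, login_2fa=True,
                  withdrawal_2fa=True, settings_lock=False)
    # bob: reused password, 2FA only on withdrawals, no settings lock.
    real.register("bob", "reused-pw", DEMO_SECRET, login_2fa=False,
                  withdrawal_2fa=True, settings_lock=False)
    # carol: like bob, but with the Global Settings Lock enabled.
    real.register("carol", "reused-pw", DEMO_SECRET, login_2fa=False,
                  withdrawal_2fa=True, settings_lock=True)

    phish = PhishingSite(real)
    code_now = totp(DEMO_SECRET, now)  # what alice's authenticator app shows
    relayed = phish.submit("alice", "hunter2", code_now, now)        # relay in real time
    stale = real.login("alice", "hunter2", code_now, now + 180)       # same code, 3 minutes late
    bob_in = real.login("bob", "reused-pw", "", now)                  # password-only login
    bob_removed = real.disable_withdrawal_2fa("bob", bob_in)
    carol_in = real.login("carol", "reused-pw", "", now)
    carol_removed = real.disable_withdrawal_2fa("carol", carol_in)
    return dict(relayed_login=relayed, stale_code_login=stale,
                bob_login=bob_in, bob_withdrawal_2fa_removed=bob_removed,
                carol_login=carol_in, carol_withdrawal_2fa_removed=carol_removed,
                captured=len(phish.captured))


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

The relayed login succeeds while the same code fails three minutes later, which is why the phishing page has to forward the code immediately and why a 30-second window offers no protection against a live relay. The bob and carol cases differ only in the settings lock: both attackers get in with the reused password, but only bob's withdrawal protection can be switched off.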
How did hackers obtain client usernames and passwords?
The exchange added that client usernames and passwords may have been obtained through a combination of phishing and security breaches at other sites where clients reused the same username and password.
Kraken says it is working on more features to protect clients and to help clients protect themselves.