There are claims that several accounts on Kraken have been compromised and funds taken. Representatives of Kraken told Cointelegraph that the cases mentioned below are currently being investigated.
Users’ complaints
In an email to Cointelegraph, a supposed Kraken user claimed in writing that:
“Last few days many traders were robbed and their funds were drained from Kraken. People are angry and want their money back. Like a Defender of Crypto World and respected media you can help a lot... Kraken must solve their security problems and this is fact.”
Over on Reddit, a user, u/MIkeHBrown, writes that his Kraken account was robbed because he was not using 2FA.
“My entire balance in BTC just got drained from Kraken and sent to an address that is not ours. Not sure how it happened because I've never even spoken my password out loud. Secure your accounts with two factor auth.
Withdrawal AGBQF7Z-WUT63Y-HKQZUJ
Type: Bitcoin
Date: 07-20-16 05:50:09 -0500
Address: 16m8BHbWVDgRSGRU3WVtqsay3JaEved12w
Transaction ID: 01cb694a2e5418318e26a9602dba8716bb700a2431b7a804cadac8035360fc5e
Status: Success
Amount: ฿0.43610
Fee: ฿0.00050.”
Another Reddit user, u/caesar0901, posted a similar complaint:
“On Kraken this morning I had a bunch of emails show up with changes to my 2 factor, and then a series of withdrawals. None of these changes were made by me! I had USD in the account which was used to buy BTC and all the BTC was withdrawn. I did not do any of this. I have opened a ticket with kraken support as soon as I found out but no response yet.
Is anyone else seeing this happen to them??
Posted this on behalf of my brother /u/ds720 since he couldn't post on this subreddit. Expect replies from him.”
Kraken responds
caesar0901 later posted the email received from Kraken in response to the support ticket, which says:
“Hi caesar0901,
We detected a suspicious login attempt on your Kraken account this morning. The attempt provided your username but either did not provide the correct password or failed second factor authentication. The pattern of attempts we have observed is indicative of a potential data breach at another service where you may have used the same username. If you have reused your Kraken password with any other services, please immediately change your password.
It is strongly advised that passwords not be reused across services, that two-factor authentication be enabled on your Kraken account, and that you make use of the Global Settings Lock feature.
More information on securing your account in our help center: https://support.kraken.com/hc/en-us/articles/201396837-What-can-I-do-to-make-my-Kraken-account-secure-
Any information you are able to provide to our support team as to the potential source of the compromised credentials would be extremely helpful. For example, you might have recently provided your password to someone impersonating a Kraken employee, opened a suspicious email attachment or installed new software from an untrusted source. Or, you might know that you use the same password with another service (likely in the Bitcoin ecosystem) which has suffered a data breach.
If you are reusing your Kraken password at other services, please take a moment to secure those accounts with a new password and two-factor authentication. You might also do a Google search for ‘Password Manager’ and evaluate some options such as LastPass, KeePass and 1Password, which will help you create and manage strong, unique passwords for each service.
The Kraken Team.”
The writer claimed that “since Kraken does not confirm enabling (or disabling) 2FA on their users' accounts via email, the perpetrator successfully enabled 2FA, changed the Master key, changed the withdrawal addresses, and requested withdrawals -- all in under 5 minutes. Here is the email my brother received from Kraken when the perpetrator gained access to his account and made the withdrawals (emphasis mine):
“Hi,
A withdrawal request has been made for the withdrawal address named b. If you requested this action, great, it was successful.
Thanks for choosing Kraken Bitcoin Exchange.
The Kraken Team
Note: if you didn't request this action, your account may be compromised and you should do the following:
1) log into https://www.kraken.com immediately and go to Account > Funding > Withdraw - you may be able to cancel the withdraw if you catch it soon enough.
2) change your password;
3) create a new set of two-factor authentications;
4) create a support ticket letting our support staff know about the incident: https://support.kraken.com.
The IP recorded for this action was 201.140.110.78.
Kraken has been investigating the breach of my brother's account and theft since this morning, and there have been a few updates and inquiries from Kraken on the support ticket about my brother's security practices. Although he should have been using 2FA from the moment he opened his account, we know that he does not use the same password or any variation of it on other websites, exchanges, or services. While my brother made a mistake not using 2FA, my concern is now with Kraken's seemingly cavalier security practices.”
Aside from ensuring that two-factor authentication is enabled and that funds are withdrawn from exchanges rather than left sitting there, another suggestion that came up, which could help safeguard funds held on an exchange, is for the platform to allow its users to set a delay on withdrawals.
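The account takeover described in the Reddit post above (2FA enabled, master key changed, withdrawal address added and a withdrawal requested, all within a few minutes) and the withdrawal-delay idea raised in the previous paragraph can be combined into one server-side policy: any withdrawal requested shortly after a security-setting change is held for a cooling-off period, and the notification to the user lists the changes that triggered the hold. The following is an added illustration written for this article, not Kraken's code; the log format, the account names, IP addresses, timestamps and the 24-hour hold window are all constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample event log. The first account mirrors the sequence the Reddit
# post describes; the second is an ordinary withdrawal with no recent changes.
# Account names, IPs and timestamps are made up for this example.
SAMPLE_EVENTS = [
    "2016-07-20T05:45:10 acct=victim ip=203.0.113.7 event=login",
    "2016-07-20T05:45:40 acct=victim ip=203.0.113.7 event=2fa_enabled",
    "2016-07-20T05:46:05 acct=victim ip=203.0.113.7 event=master_key_changed",
    "2016-07-20T05:47:30 acct=victim ip=203.0.113.7 event=withdrawal_address_added name=b",
    "2016-07-20T05:50:09 acct=victim ip=203.0.113.7 event=withdrawal_requested amount=0.43610 address=b",
    "2016-07-21T10:00:00 acct=alice ip=198.51.100.4 event=withdrawal_requested amount=1.0 address=home",
]

# Changes that should start a cooling-off period before funds may leave the account.
SECURITY_CHANGES = {"2fa_enabled", "2fa_disabled", "master_key_changed",
                    "withdrawal_address_added"}


@dataclass
class Event:
    ts: datetime
    acct: str
    ip: str
    kind: str
    attrs: Dict[str, str] = field(default_factory=dict)


@dataclass
class Decision:
    acct: str
    action: str            # "release" or "hold"
    release_at: datetime   # when the withdrawal may proceed
    reasons: List[str]     # security changes that caused a hold (empty on release)


def parse_event(line: str) -> Event:
    """Parse one 'timestamp key=value ...' log line (assumed format)."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return Event(datetime.fromisoformat(ts_str), kv.pop("acct"),
                 kv.pop("ip"), kv.pop("event"), kv)


def evaluate_withdrawals(lines: List[str],
                         hold_window: timedelta = timedelta(hours=24)) -> List[Decision]:
    """Apply the delay policy: a withdrawal requested within hold_window of any
    security-setting change on the same account is held until the window has
    elapsed since the most recent change; otherwise it is released immediately."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e.ts)
    recent: Dict[str, List[Event]] = {}
    decisions: List[Decision] = []
    for ev in events:
        if ev.kind in SECURITY_CHANGES:
            recent.setdefault(ev.acct, []).append(ev)
        elif ev.kind == "withdrawal_requested":
            changes = [c for c in recent.get(ev.acct, []) if ev.ts - c.ts < hold_window]
            if changes:
                release_at = max(c.ts for c in changes) + hold_window
                reasons = [f"{c.kind} at {c.ts.isoformat()} from {c.ip}" for c in changes]
                decisions.append(Decision(ev.acct, "hold", release_at, reasons))
            else:
                decisions.append(Decision(ev.acct, "release", ev.ts, []))
    return decisions


def notification_text(d: Decision) -> str:
    """Build the message a user would receive; on a hold it names every change,
    so the account owner learns about 2FA or address edits they did not make."""
    if d.action == "release":
        return f"Withdrawal on account {d.acct} released at {d.release_at.isoformat()}."
    lines = [f"Withdrawal on account {d.acct} is HELD until {d.release_at.isoformat()}",
             "because these security settings changed recently:"]
    lines += [f"  - {r}" for r in d.reasons]
    lines.append("If you did not make these changes, cancel the withdrawal and open a support ticket.")
    return "\n".join(lines)


if __name__ == "__main__":
    for decision in evaluate_withdrawals(SAMPLE_EVENTS):
        print(notification_text(decision))
        print()
```

The key design choice is that the hold is keyed on the most recent security change, so an attacker cannot shorten it by making further changes, and that every change is spelled out in the notification rather than the bare "a withdrawal request has been made" wording quoted above, giving the legitimate owner the information needed to recognise and cancel a compromise within the window.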