
Content

Patreon members recently had their Kraken accounts cleaned out. The hackers came from outside the US and bypassed 2FA by reading email. If you have a large amount of crypto on Kraken, please lock it down by enhancing security or by storing your crypto on a hardware wallet, e.g. Trezor or Ledger!


Kraken works with YubiKey, and a YubiKey is the best way to lock down your account. Insert your YubiKey into an available USB port on your machine, wait a few seconds, then touch or tap your YubiKey. When prompted, touch or tap your YubiKey again to confirm. This will register your YubiKey to your Kraken account.

Comments

Anonymous

Scary.

Anonymous

Shocking

Anonymous

James, where do you recommend storing crypto? Ledger?

Anonymous

This is my worst nightmare

Anonymous

Damn, I’m worried to buy any more anywhere

Anonymous

How does this even happen on such big platforms and are people covered at all?

Anonymous

Thanks for letting us know. I don’t use Kraken but it’s always good to be aware.

Anonymous

Holy sht

Anonymous

Wow; glad I moved all to my Ledger a while back

Anonymous

Wow - I’d recommend using a separate email for crypto. Never use your day to day email

Anonymous

People should use Authy or Google Authenticator

Anonymous

What does scanning email mean?

Anonymous

Absolutely. And as James says, be paranoid about security.

Anonymous

Is it worth cold storing my coins from coinbase?

Anonymous

Can someone define and explain “scanning email”?

Anonymous

That’s not good! I have some on kraken. I’d better move it

Anonymous

I use Protonmail exclusively for all crypto correspondence.

Anonymous

Gemini is the only place i trust with security

Anonymous

In addition I have a VPN

Anonymous

Thanks for notifying us, James. And thank you to the two people that shared that with you so we can be safer.

Anonymous

Bloody hell

Anonymous

I’m confused I use two party authentication. How could it be bypassed by them seeing email. I think it’s important to explain this better

Anonymous

It just emphasises the importance of not using your daily email account or a commercial free email server like Gmail, Hotmail or Yahoo for your crypto related emails and notifications. I use a secured dedicated email server like Proton Mail for my crypto emails only. https://protonmail.com DYOR.

Anonymous

2FA bypassed how exactly? I recommend to activate “Global Settings Lock” under security

Anonymous

Where is kraken base at? Europe?

Anonymous

It is probably a good idea to purchase and use a security key 🔐 (like a YubiKey) that you need to insert into your device and manually press a button to access your account.

Anonymous

I'm assuming it was the 2FA that used email as the secondary?

Anonymous

Guys, please use Raivo OTP for 2FA; then it can't be bypassed. They will need your device. Have separate 2FA for sign-in and a separate one for funding/transfers. Hope this helps someone!

Anonymous

Kraken is based in San Francisco, CA. I'll add that I've used them for well over a year with no issues. This same attack could be used against any exchange where people use their email for 2FA. Personally I use a Yubikey and have Global Settings Lock activated on Kraken.

Anonymous

Thanks for the heads up James 🙏

Anonymous

With minimal effort 2FA can be bypassed. If the hacker has enough information they can simply hit the forgot password link and use that process to reset the password and gain access to the account as most forgot password pages do not require 2FA to initiate.

Anonymous

Negative news is win win for Banks. Sorry for our members

Anonymous

One of the reasons I use ProtonMail for any sensitive information like banking, crypto, etc.

Anonymous

I nearly always use authenticator apps or SMS for 2FA, are these much safer options or still vulnerable?

Anonymous

I am wondering if they have their security level on Kraken set up for the maximum level. I would bet dollars against donuts they don't have something like Google Authenticator as a sign in step, plus the global setting lock.

Anonymous

Activating a wallet whitelist helps to protect against this. Even if your account is compromised, funds cannot be withdrawn to an unknown wallet address.

Anonymous

Should we worry about a platform like Coinbase?

Anonymous

Omg. Sorry for them. Seems I also need to collect my cryptos from exchanges to ledger

Anonymous

I have 2FA via Google authenticator app and white listed addresses. Is that not enough? I don't have enough crypto assets to warrant cold storage i think ( around 10k)

Anonymous

What do you mean by “scanning email?”

Anonymous

On some exchanges 2fa is required to add addresses to whitelists

Anonymous

This is exactly why most people won't invest in cryptocurrency.

Anonymous

It’s very shocking. It would be great to see clearly: did they use a YubiKey or only 2FA, and did they activate the security at maximum level? Thank you for the answer.

Anonymous

People need to realize this is *not* an exchange problem, per se. The problem is people don't understand how 2FA is easily defeated if someone hacks your personal email account. Using an email address for 2FA is like putting the key to your house under the bush in the front yard.

Anonymous

Celsius has a HODL mode that locks my wallet and takes 24 hrs to unlock and go through all the necessary protocols.

Anonymous

Also important to set your whitelist on the exchange for withdrawal addresses.

Anonymous

Thank you James for the heads up! This is horrible…the wife and I have some coins staked with Kraken. We all need to be vigilant…

Anonymous

I wonder what their global settings are?? I've been using Kraken with different accounts for years. To me, there is no way one could transfer any crypto/fiat off to a new address/account without me being notified once Global Settings Lock is activated. They'd need your email AND your auth. app keys as well. If one does not activate Global Settings Lock, it's not Kraken's fault. Security level of Kraken is top notch, tbh.

Anonymous

That's definitely enough to warrant cold storage if you are confident in your technical abilities to not make any mistakes in handling the process and the backups/security. There are give and takes of course. You take more responsibility in your own hands and lose the ease of someone else custodying it for you.

Anonymous

ProtonMail is the way to go. Brave browser and Brave Search are good alternatives to anything Google, Yahoo, Microsoft. YouTube is the worst place for scammers and hackers. Email scanning BOTs are the most basic tools for hackers. They are AI-driven BOTs nowadays, targeting any crypto searches online, and communication with any crypto related websites. CoinGecko and CoinMarketCap are the best places to monitor crypto IP addresses. James is right, never ever use online portfolio trackers.

Anonymous

Right, I even bought a hardware VPN router in addition to my software VPN but too lazy to setup

Anonymous

Turn on whitelisted address and you get a 7 day delay on any withdrawals to new wallet addresses. 7 days is plenty of time to know you got hacked, regain control, and lock everything down. Gemini is the best.

Anonymous

Wow! I was just about to transfer my ADA from Binance to Kraken as I'm in Ontario.

Anonymous

I don’t understand what they put in their emails that allowed hackers to get into their accounts. Did they put their passwords in an email? As far as I know, any time a withdrawal or account change is made, aren’t people notified and have to put in a code into their cell phone to approve it?

Anonymous

So sorry for whoever this happened too.

Anonymous

Wow! Sorry to hear that about the affected parties. :-( I have a Kraken account, but it has all securities in place, including that Global lock setting. Mind you, I have also had a zero balance on there for over a year. Haven't used it since then. I always keep a zero balance on exchange accounts as I use my Trezor wallets. I only have a tiny amount on BlockFi, which I will be removing as well.

InvestAnswers

Banks get cleaned out also. I had about 10K cleared out of my checking account over 3 months and never even noticed, and nor did my bank. They pulled $300 a day or every second day for a long time from ATMs all over the country.

Anonymous

Whats wrong with online portfolio trackers if your API keys are read only?

Anonymous

Most hackers don’t care about guessing your Kraken account. They care about your email account.

Anonymous

James, it would be awesome if you could make a video about security!! Education in this area is priceless..

Anonymous

Can someone explain how to "lock it down"? Thanks!

Anonymous

I'm a small investor, hoping to build a future for my children but even the small amounts are worth keeping safe so I put a little on Trezor One, which is not very expensive, transferred some in an exchange vault, and what is left from small monthly purchases on three different exchanges... these are all fractions of a BTC but I look to the future - if you plan on buying a Trezor, make sure you have tracking enabled all the way, and take pictures of the package before the driver disappears - the content of my first package got, apparently, lost in transit - customs may check the package, mine was cut on one of the edges, and the process to make a claim took at least another four weeks - getting a Yubi key instead of using 2FA for Coinbase, was my second step to keep my Satoshis safe, remember that 0.01 BTC is a million of them... just saying :)

Anonymous

You can have a 50 character password for your Kraken account, but if your email account is compromised, that’s just as good as having access to it. Just goes to show, security is only as good as the weakest link.

Anonymous

That is awful but Kraken allows for proper levels of security where this wouldn't have been possible. Perhaps a video reminder about security best practices is in order to remind the general IA community about this. This doesn't have to do with Kraken specifically.

Anonymous

Agreed. In the world of crypto, the buck mostly stops with us. I doubt Kraken is at fault for this issue.

Anonymous

I use a protonmail email address for each exchange i use. Those addresses are used for nothing else. Not sure how helpful it is, but figured it has to be safer than using my main gmail address 🤷‍♂️

Anonymous

Yes James I would love to know how you personally are handling storage of your crypto. I have a Trezor however putting large amounts of crypto on it makes me nervous for some reason. So I end up leaving it on Coinbase

Anonymous

Kraken uses google authenticator for 2FA authentication....what am I missing? How can they get this via email?

Anonymous

James, are you deleting comments (in this case positive ones on Kraken) on purpose or is it Patreon? This is not the first time my comment gets deleted for no obvious reason. Edit: Now it's staying on. I deleted the Dollar sign, maybe that has caused trouble.

Anonymous

Wow, how could scammers get past 2FA - even if their email was hacked, authenticator app sends you a text passcode - unless phones were also hacked. A few weeks ago I changed phones (device) and tried to activate authenticator app on my new phone, but Coinbase had me go through ID verification all over again. It took them 5 days which I was mad about, but the flip side is that they are taking security very seriously and hearing this story makes me thankful for that. Perhaps the point of failure in this story is with the individuals rather than Kraken - hope that's the case so haters don't have another thing to create FUD against crypto. Feel really bad for the folks though.

Anonymous

And/or get an encrypted ProtonMail account. I‘ve been using it for all my crypto accounts and feel very confident in it. And it’s free.

Anonymous

I wanna share a different story about Kraken. It's all about the ETH wick down to $700 back in February.

copy-paste on:

Delilah K. (Kraken Support)
Feb 23, 2021, 21:23 PST

Hi….., We’ve looked into your account and concluded that you were adversely impacted by price movements on February 22 at approximately 14:30 UTC. We are crediting your account with 10,983.18. Additionally, your account will be credited with 732,212 Kraken fee credits (KFEE). This means that the next 7,322 in trading and margin fees are on us. You should receive a deposit notification email when credited. If you expressed your frustration about this situation on social media and are now in a better place please help us out by posting a follow up message. Thanks! We have also recently posted to our blog about the incident. As noted in the post, it’s very important for any client trading with margin to understand our liquidation process and how it may affect them in volatile markets. Clients should adequately collateralize accounts and closely monitor their margin level when leveraging these trading tools.

Thank you and sincerely,
……. Kraken Client Engagement Team

copy-paste off

Anyone else being reimbursed by any exchange tens of thousands for stuff like this? Keep being paranoid about crypto security but do your homework as well.

Anonymous

Having worked in tech for many years, here is my Password Blurb I share with family and friends:

Password Blurb

Passwords and recovery of passwords are subject to a chain attack. If they get to the main part of your account history (Email and/or Phone) you can be compromised through the whole chain of trust.

1. Secure your email account
   1. This means it has a unique password
   2. Use 2FA (2 factor authentication)
   3. Use a YubiKey or similar if you can
   4. Change your password every 3-6 months
   5. Have your email notify you of attempted logins via SMS
   6. Never share your account login details (ever)
2. Use a password manager
   1. I use 1Password (paid) but many choices exist
   2. This should also have a unique password
   3. Use 2FA for this as well
   4. Use a YubiKey or similar if you can
   5. When you have challenge questions:
      1. Record the questions and answers in your password manager
      2. Don’t use obvious answers. Example: What was your first car >> Ford Silverado
      3. Don’t use the same challenge answers on multiple sites; make them up unique for each site and track them in your password manager.
   6. Change your password for this as well over time
   7. Never share your password manager details
   8. Create a way to recover your password manager with a trusted person
      1. If I am not able to get to it they can help
      2. If I am incapacitated or die they will have access to take care of business
3. Use a unique password on every site
   1. Use the maximum allowed password length and complexity
   2. Use 2FA for sites that support it
4. Protect your phone SIM/SMS
   1. If you use SMS as a recovery method you need to also protect your phone
   2. SIM Lock
   3. Use the most secure login to your phone you can remember, or use touch/face logins
   4. Don’t share your passcodes with people
5. Use your password manager maintenance tools
   1. Remove / change compromised sites
   2. Update key site passwords you use occasionally
   3. Remove duplicate passwords if for some reason you have some
6. When finances are involved consider using a different email account
   1. Because finances have true financial impact, consider using a different email account for all things financial compared to all other transactions

Anonymous

James, thanks for the heads up. I know you have already made a video on storage but perhaps now would be a good time for another one. Is there universal secure device/wallet available to store all crypto?

Anonymous

I found this to be helpful. https://medium.com/mycrypto/what-to-do-when-sim-swapping-happens-to-you-1367f296ef4d

Anonymous

Correct, there is some very important thing missing! No way it can be done by scanning email only.

Anonymous

Also just to share: I had moved most of my BTC and ETH to a Ledger Nano in Jan but after discovering James channel & his advice against using a hard wallet due to risk of losing passcodes, I realized the risk of me losing/forgetting/misplacing my ledger & passcode was higher than the risk of Coinbase, a publicly traded company losing my money - if they did get hacked/ lose it, I figure there is a better chance of recovery through insurance or legal means etc. Plus, I already entrust much more in retirement accounts to Schwab, etc. Bottom line, I have less confidence in my own ability to safeguard the coins so yesterday I transferred it all back from Ledger wallet to Coinbase and feel so much better. Even after reading this story today, I still feel this is the better option for me. Just thinking of losing the passcodes was stressing me out - feel much more comfortable with my portfolio on an exchange than a hard wallet. I heard Jason Zweig say this recently "An individual investors returns are dependent more on that investor's behavior than the market's behavior". Sometimes our own behavior creates more risk than other potential risks with companies etc - it's important to know oneself and our limitations.

Anonymous

They hack your email address, put a rule into place forwarding any emails coming from your crypto exchange into trash, and proceed to get any emails coming to you.
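The comment above describes the inbox-rule trick. As an added defensive example (not from the post or any commenter), here is a small Python audit that flags mailbox rules of that shape over a constructed rule set; the rule format, the watched sender domains and the sample rules are all assumptions, not the schema of any real mail provider's API.

```python
"""Audit mailbox filter rules for the abuse described above: an attacker
with mailbox access adds a rule that hides (trashes, deletes, marks read)
or silently forwards the exchange's notification mail.

Added example. The MailRule shape is a constructed, provider-neutral
representation, not the filter schema of any real mail provider."""
from dataclasses import dataclass, field

# Constructed watch-lists: senders and subjects an attacker would want to hide.
WATCHED_SENDER_DOMAINS = ("kraken.com", "coinbase.com", "gemini.com")
WATCHED_SUBJECT_WORDS = ("withdrawal", "login", "password", "2fa", "security")
# Destinations that hide mail from the owner's normal inbox view.
HIDING_FOLDERS = ("trash", "junk", "spam", "deleted items", "archive")


@dataclass
class MailRule:
    name: str
    from_contains: str = ""        # sender filter; empty means every sender
    subject_contains: str = ""     # subject filter; empty means every subject
    # Actions as "kind" or "kind:argument", e.g. "move:Trash", "forward:a@b".
    actions: list = field(default_factory=list)

    def is_catch_all(self):
        return not self.from_contains and not self.subject_contains

    def targets_watched_mail(self):
        sender = self.from_contains.lower()
        subject = self.subject_contains.lower()
        return (any(d in sender for d in WATCHED_SENDER_DOMAINS)
                or any(w in subject for w in WATCHED_SUBJECT_WORDS))


def audit_rules(rules, trusted_forward_targets):
    """Return (rule name, reason) pairs for rules that hide or exfiltrate mail.

    trusted_forward_targets: addresses the owner knowingly forwards to."""
    trusted = {t.lower() for t in trusted_forward_targets}
    findings = []
    for rule in rules:
        for action in rule.actions:
            kind, _, arg = action.partition(":")
            kind, arg = kind.lower(), arg.strip()
            # Any forward to an address the owner did not set up is a finding,
            # whatever the rule's scope.
            if kind == "forward" and arg.lower() not in trusted:
                findings.append((rule.name, f"forwards to untrusted {arg}"))
                continue
            hides = (kind in ("delete", "mark_read")
                     or (kind == "move" and arg.lower() in HIDING_FOLDERS))
            # Hiding mail is only alarming when it covers exchange/security
            # mail, or when the rule is a catch-all that hides everything.
            if hides and (rule.targets_watched_mail() or rule.is_catch_all()):
                findings.append((rule.name, f"hides matching mail ({action})"))
    return findings


# Constructed sample rule set: two owner rules, three attacker-style rules.
SAMPLE_RULES = [
    MailRule("Promotions cleanup", from_contains="news@retailer.example",
             actions=["move:Promotions"]),
    MailRule("Flag security mail", subject_contains="Security alert",
             actions=["label:Important"]),
    MailRule("Kraken silence", from_contains="@kraken.com",
             actions=["mark_read", "move:Trash"]),
    MailRule("Bin withdrawals", subject_contains="withdrawal",
             actions=["delete"]),
    MailRule("Copy all", actions=["forward:relay@attacker.example"]),
]

if __name__ == "__main__":
    for name, reason in audit_rules(SAMPLE_RULES, {"me@work.example"}):
        print(f"ALERT  {name}: {reason}")
```

Run the audit against a dump of your real rules whenever an exchange notification you expected never arrived, since a missing email is the first symptom of this technique.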

Anonymous

Exactly! Spreading out on different exchanges appears to me to be safer than using multiple hardware wallets with different key phrases.

Anonymous

Look up Guy at Coin Bureau. He has already done a number of YT videos on both warm and cold wallets.

Anonymous

Me too - I got nervous using Ledger Nano and moved it back to Coinbase - just did a long post on my reasons a few min ago.

Anonymous

I'm trying to figure out what to do with my binance funds as well

Anonymous

After reading about storage issues it makes me like my GBTC in my IRA.

Anonymous

Good advice tnx. What is the most secure password manager?

Anonymous

I have been very happy with Kraken support. It has been consistently excellent and with rapid response times compared to coinbase and binance.

Anonymous

You should be worried if you don't have your security setup properly.. same as with kraken or binance etc.

Anonymous

Can someone comment on the benefits and risks of using a BTC ETF when available in the USA instead of buying BTC directly. Do we lose a lot of value with an ETF?

Anonymous

I stick with DCA into btc, sol, Eth, Ada....leave the gambling to others... All profits from AMC ( in at 5.00) to these 4....

Anonymous

Thanks a lot for the heads up James! Moved everything off Kraken

Anonymous

I cannot keep moving things off exchanges; recently Binance, now Kraken, and I just moved into there because of security, which cost me an arm and a leg. Well, I think I'll sell everything and retire into fiat and have peace and quiet in spite of inflation.

Anonymous

For me after several years of Crypto and many experiences with different companies I now use Celsius and Kraken.

Anonymous

Trezor Model T is great. It can be used out of the box very simply, and makes you back up your recovery phrase to a piece of paper that you can secure offsite. It also has a ton of features for power users/experts, such as a removable micro-SD card that can be configured to not let the device boot if removed. Think traveling through the airport; you can also set a self-destruct wipe PIN code instead of the real unlock PIN. You can always restore with your recovery phrase.

Anonymous

Guess , like James said , be paranoid.. I’m so paranoid that I didn’t do James exchange survey 😂😂 You taught me well Papa lol

Anonymous

I am hopelessly confused. I'm tech challenged and will need step by step instructions. I never heard of a YubiKey or Proton Mail, for example. For me, this is an entirely new world and I need a basic, but strong, protocol. I need to keep this simple. Hopefully, James can make a Best Safety Practices 101 video for tech dummies.

Anonymous

With the shortage of physical silver, the SLV ETF changed their prospectus to say that in certain conditions they may not track the spot price of silver. If the price goes parabolic and they do not have the physical in the ETF, the price might not keep up. I guess the same could happen with a BTC ETF if they did not back it 100%.

Anonymous

It seems that if you plan to keep your crypto on Coinbase and do not plan on selling it, you should move it to the "vault" portion of your account.

Anonymous

Take a look at Casa solution in lieu of leaving your stash on exchanges… They also have Multisig solution for inheritance planning. https://keys.casa

Anonymous

I will also add that.. avoid using personal phone numbers or home address for contact and delivery details for your order of hardware wallet or crypto related security purchase. Have the product delivered to a PO Box or office address. Reason being if the merchant gets hacked as in the case of Ledger last year, your personal information won’t be compromised for phishing attacks, intimidation and scams by the hackers.

Anonymous

This is the reason I wish crypto had some form of regulation or some insurance from the exchanges. It can also happen at a bank, but they insure your funds and replace them.

Anonymous

I feel so bad for those people! Such terrible news.

Anonymous

I pretty much use a VPN continuously on my devices, especially during transactions with crypto. Is this regarded as a good prevention against people obtaining your details? I was under the assumption it was. Thanks guys, for all your tips, never heard of Proton Mail before🙏

Anonymous

What product on Trezor do you recommend?

Anonymous

One idea I heard for increased security is to create an obscure email address that you never make public or use other than to login to the exchanges e.g. wkjrnvqernvp@mail.com

Anonymous

It is not clear at all for me to see how you can bypass 2FA by reading emails. You sure this is how they proceeded? Also, you can add a time lock period on your Kraken account: have to wait x days before the actual withdrawing takes place.

Anonymous

This sounds nonsensical to me. Kraken will never, ever start sending mails concerning logins. Which means that any such conversation has to be initiated by the individual account holder. Which means that the problem lies with said account holders themselves, not Kraken. It's more likely that the email accounts and/or computers of the account holders were compromised. In that case they would suffer the same problem with any other exchanges. This has really nothing to do with Kraken.

Anonymous

What was the mechanism please? Not clear to me how this worked. Thanks.

Anonymous

Exactly. I don't think that Kraken is to blame here. I think it's more likely that the account holders security lacked somewhere.

Anonymous

I had to do something similar for FTX US because I had to download the Google Authenticator app for a new phone, but it took longer and I had to answer a bunch of questions and do KYC. Was fine with it all though, as I knew they were just doing it to protect my own interests.

Anonymous

Message received and understood. Now activated Max security settings.

Anonymous

Agree 100%, given what I have read about Kraken and being in Cyber myself, I am inclined to believe this was due to lax behaviour on the user and not Kraken...

Anonymous

Many of these comments are concerning. If you can't be bothered to learn about a hardware wallet and how to protect your assets, then why are you investing money in crypto? Spend time learning about a Trezor or Ledger and how to protect your seed phrase. James' message is a little unclear -- how do hackers bypass 2FA by "reading email"? We need more details before anyone gets spun up or panics. The issue is very likely related to user error. Again, you have to put in the time to learn how to protect your assets. Would you buy a house without first understanding the crime rate and most common types of crimes in that area?

Anonymous

Initiate a Master Key on the site on top of 2FA

Anonymous

And make sure your smartphone is foolproof protected with everything, NetGuard VPN, security suite, and do not save any passwords anywhere apart from your head or outside PCs, cell phones, vaults etc etc. I might be naive and inexperienced in these matters, but at Kraken it only fails if one does not follow the safety procedures. And what happens if one loses one's YubiKey? I wonder!

Anonymous

Agreed. I'm a bit puzzled why this is even posted without first investigating this. Right now, no one really knows the technical details of what happened. James should not lend himself to sending out this sort of panic alert (without any further details). Just my 2 satoshi.

Anonymous

Does anyone know how to change your default email address on FTX.com ? (From Uk) can’t see any way to do this - help !

Anonymous

Make sure to quickly delete all text msgs from your bank so they cannot see them if they swap your SIM. Same for emails and make sure to promptly empty the trash folder.

Anonymous

I'm a happy Kraken user for the 4+ years but this story did remind me to change my password and set the Global Security Lock on Kraken which blocks the addition of wallet addresses and has a built-in 3 day wait for removing the GSL constraint - and immediately sends an email to alert me. I was also confused about how they got past the 2FA of Kraken, but thought the reference might be to phishing and hardware impersonation using the Ledger data breach from June/July 2020. You can Google "Kraken Security Labs phishing" or "Kraken Security Labs Ledger" for this story https://www.crowdfundinsider.com/2020/11/168808-kraken-security-labs-warns-cryptocurrency-investors-about-recent-phishing-attacks-related-to-ledger-hardware-wallet/ and here is a link to how to handle the Ledger breach: https://www.naray.law/en/news/how-to-handle-ledger-hack-data-breach/

Anonymous

@HODLnaut Thanks :) I like your approach

Anonymous

Can we do a video on this? Security and cold storage more in depth. I hear so many options out there and don't what to believe.

Anonymous

I would also like to see a video on security. I have mine on an exchange, I hope it's safe, but trusting myself with cold storage concerns me.

Anonymous (edited)


What VPN is everyone using?