[Urgent] Change all BTC Exchange PW's and API Keys

Trade
Registered User
Posts: 85
Joined: Mon Dec 12, 2016 9:29 pm

Postby Trade » Sat Feb 25, 2017 9:03 am

Many BTC Exchanges use Cloudflare for their distributed Web/API Backend, which has been vulnerable to the 'Cloudbleed' bug for the past 5 months, leaking data/passwords.

Read more here:
https://themerkle.com/cloudbleed-data-l ... platforms/
http://www.nasdaq.com/article/using-a-b ... w-cm753133
https://news.bitcoin.com/cloudflare-bug ... oin-users/
https://blog.cloudflare.com/incident-re ... arser-bug/
https://bugs.chromium.org/p/project-zer ... il?id=1139
Last edited by Trade on Sun Feb 26, 2017 8:23 pm, edited 3 times in total.

stephan
Administrator
Posts: 1047
Joined: Fri Sep 12, 2014 9:37 am

Postby stephan » Sat Feb 25, 2017 11:54 am

This problem has been confirmed, as so far we have received signals that Kraken, Poloniex and BitPay have been affected. But since all the exchanges use Cloudflare as protection, the list is expected to grow. We would advise everybody to reset their passwords and API credentials. It's better to be safe than to be sorry.

Source: https://github.com/pirate/sites-using-cloudflare

Haasonline is also using Cloudflare but as far as we know we have not been attacked/hacked. We are keeping a close eye on this situation to see if it changes.
Join the telegram group too: https://t.me/haasonlineofficial

Postby Trade » Sat Feb 25, 2017 7:16 pm

Here is the notice posted at *Bitfinex* which has a few more details:

Security Notice and Reminder
February 24, 2017

On February 23rd, 2017, one of our service providers, CloudFlare, reported a serious security bug in their software. The bug caused approximately 1 in every 3,300,000 HTTP requests to leak sensitive data.

CloudFlare has fixed the bug in their software and reported that no Bitfinex data was present in the leaked data caches.

However, it is never a bad time to review your security processes and strengthen your passwords. The most important step you can take to secure your account is to enable two-factor authentication. Two-factor authentication (2FA) uses your phone or another device to add an extra layer of security for things like logging in and withdrawing funds.

Also please note that CloudFlare is a service provider for many other platforms and Bitcoin companies. Please take a few moments to check your other accounts and enable two-factor authentication on any that support this feature. You can update your Bitfinex password from the Account page and enable 2FA from the Security page.

If you have any questions, concerns, or want guidance on account security, please contact [email protected] and we will be happy to assist you.

Postby Trade » Sat Feb 25, 2017 8:17 pm

Note: I believe OKCoin.com is using Cloudflare.

www.okcoin.com
IP Address: 104.20.55.247
Name: CLOUDFLARENET

BitMEX seems to use AWS and not CloudFlare.

Postby Trade » Sat Feb 25, 2017 8:24 pm

Hi Stephan,

I guess it's possible, if highly unlikely, that 2FA Secrets images were leaked and cached on the internet.

Is it possible to change the 2FA Key inside of HTS? It doesn't seem to change if disabled/re-enabled or even if HTS is deleted/uninstalled.

Are the 2FA Keys for HTS generated and permanently/statically saved on the HTS Backend somewhere?

Thanks

Postby stephan » Sun Feb 26, 2017 10:37 am

The private key of the 2FA is based on the license data, so this is static per user. It cannot be changed unless we set up a new license for it.

But... it does not really matter. The Haasbot itself is not protected by Cloudflare; we have a custom system for it. So the login of the Haasbot and the 2FA are still secure.

If you update the login and API credentials of the exchanges which you use, then everything should be alright. We only use Cloudflare for the public website.

Postby Trade » Tue Feb 28, 2017 9:48 am


