This is the email I received this morning:
We wanted to let you know of a data breach incident at Zendesk that included a limited amount of your personal data.
First and foremost, your Kraken account is secure.
The affected data relates to Kraken Support messages exchanged between October 8th and October 25th, 2022. We want to explain the steps we’re taking to minimize the potential harm, and to let you know what steps you can take to protect yourself.
Here are some more details:
A few weeks ago, you had an interaction with the Kraken Support team. We use a third party support ticketing system, Zendesk, to manage these requests.
A “phishing attack” against a Zendesk employee resulted in unauthorized access to Zendesk’s logging system that mistakenly contained a sampling of customer support tickets.
Zendesk’s system has now been secured and our security team is working with them to improve their security practices.
At no time did the unauthorized individual have access to your account nor have your funds been at risk. The unauthorized third party was able to view the contents of the support tickets, which contained the following:
Personally identifiable information, such as your name, email, DOB or phone number
What happens now?
The unauthorized individual could try to use the exposed data to attempt to capture more information through online searching or by reaching out to you directly as part of a subsequent “phishing attack”. Phishing attacks are when an attacker impersonates a person or organization in order to gain additional information about you or to get you to perform an action. For example, a bad actor may email (or call) you pretending to be Kraken, asking you to provide your username and password.
Do not provide your username or password under any circumstances, and let us know if you receive anything suspicious.
Additional steps you can take:
Let us know if you receive any suspicious messages.
Be alert to “Phishing attacks” and anyone reaching out to you pretending to be from Kraken (pay attention to the exact email address, emails from us always end with kraken.com and we’ll never ask for your username and password).
If you don’t already use one, we recommend using a password manager as an effective way of keeping your accounts secure without having to remember hundreds of passwords.
If you don’t utilize multi-factor (e.g. 2FA) authentication on your personal email and/or Kraken account, we recommend you do so today.
If you use your mobile phone for 2FA or account recovery, please read our blog post on the topic: https://blog.kraken.com/post/219/security-advisory-mobile-phones/
Follow additional guides for securing online accounts, written by Kraken’s security team, at: https://canisecure.com/guides/
As an additional line of defense, let us know if you’d like us to put a temporary withdrawal hold on your account that can be removed based on your preference.
We do careful due diligence on all third party vendors and continually revise our terms of engagement to reflect best practices and align their standards to ours.
We sincerely apologize for the inconvenience and increased personal risk that this event has created. We will credit your Kraken account with $100 worth of fee credits (KFEE) within 2 weeks to help offset any costs related to enhancing your own security and you will receive an email notification when it is available for use. If you don’t already have a U2F Security key, we recommend the YubiKey 5 Series, which works with the most popular services, such as Gmail, Reddit and Twitter: https://www.yubico.com/store/#yubikey-5-series
Please feel free to ask us any questions. Thank you.
The Kraken Team
Actually, I had an email exchange with Kraken support at the beginning of October, for my KYC compliance. So I'm not sure I'm entirely involved in this breach - it depends on which kind of assets the attackers managed to put their hands on.
But as always, be vigilant. Always act as if your personal data (ID, tax ID, place of birth, phone number, workplace, physical address, etc.) were in the public domain. This could help in the case of low-effort attacks. Unfortunately, these kinds of data breaches are more common every year.
P.S.: remember that no one from any company will write to you in your DMs.