February 25, 2017

Cloudflare's parser bug has far-reaching impact

Due to the widespread impact of Cloudflare's recently-discovered parser bug (also known as CloudBleed), we highly recommend that our users change their passwords and enable 2FA immediately. API users should also generate new keys.

This affects many more sites than Poloniex, including other exchanges. It is imperative to use unique passwords and 2FA for all services you use.

What happened?

Cloudflare is a content distribution provider that supports some of the most highly trafficked sites on the internet, including Yelp, Medium, and The New York Times.

A Google researcher recently uncovered a flaw where, under certain circumstances, sensitive user information could leak based on the way Cloudflare was parsing and caching HTTP requests. Since Poloniex utilizes Cloudflare's content distribution services, there is a chance that some of our customers' private information could have been revealed.

What is the likelihood that this affects me?

Although it is possible that data leaked from any request made between September 22, 2016 and February 18, 2017, the vast majority of leaks are estimated to have occurred during the final week the bug was active, when approximately 0.00003% of HTTP requests were affected. Even though it is unlikely your data was leaked, you should assume that all sensitive data submitted to, or received from, any affected site could have been revealed during the 6 months the bug was active. This data includes your username and password if you logged in during this period, your 2FA secret key if you enabled 2FA during this period, and any API secret keys you viewed during this period.

Cloudflare is unable to determine exactly what information was compromised during the affected period. We do know that the bug has since been patched.

What can I do about it?

We urge all Poloniex users to change their passwords and enable 2FA. API users should delete any keys viewed or generated on or before February 18th and create new ones. We highly recommend API users utilize the IP whitelisting feature for all keys.

In addition, you should immediately change your password and enable 2FA if you have accounts on any of the affected sites indicated in this running list. For your safety, it is critical that you use unique passwords and 2FA for all services you use.
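As an added illustration (not part of the original advisory, and not Poloniex tooling), the following Python script encodes the exposure rules stated above into a rotation checklist: a password is at risk if it was submitted in a login during the window, a 2FA secret if 2FA was enrolled during the window, and an API key if it was viewed or generated on or before February 18th (no lower bound). The record types, service names and sample dates are constructed for this example.

```python
"""Credential-rotation triage after the Cloudflare parser bug (Cloudbleed).

Exposure rules taken from the advisory above:
  * password     - exposed if you logged in during the window
  * totp_secret  - exposed if 2FA was enabled (enrolled) during the window
  * api_key      - replace any key viewed or generated on or before the window end
Credential/Action records and SAMPLE data are constructed for this example.
"""
from dataclasses import dataclass
from datetime import date

WINDOW_START = date(2016, 9, 22)   # first day of the advisory's exposure window
WINDOW_END = date(2017, 2, 18)     # last day; the bug was patched after this

REMEDY = {
    "password": "change the password and enable 2FA",
    "totp_secret": "disable 2FA and re-enroll so a new secret is issued",
    "api_key": "delete the key, generate a replacement, enable IP whitelisting",
}


@dataclass(frozen=True)
class Credential:
    service: str
    kind: str       # one of REMEDY's keys
    dates: tuple    # dates the credential crossed the wire: logins for a password,
                    # enrollment for a 2FA secret, creation/view dates for an API key


@dataclass(frozen=True)
class Action:
    service: str
    kind: str
    rotate: bool
    reason: str


def exposed(cred: Credential) -> bool:
    """True if any transmission of the credential falls under the exposure rule."""
    if cred.kind == "api_key":
        # No lower bound: any key viewed or generated on or before the window
        # end should be replaced, however old it is.
        return any(d <= WINDOW_END for d in cred.dates)
    if cred.kind in ("password", "totp_secret"):
        # A single login or enrollment inside the window is enough.
        return any(WINDOW_START <= d <= WINDOW_END for d in cred.dates)
    raise ValueError(f"unknown credential kind: {cred.kind!r}")


def triage(creds) -> list:
    """One Action per credential, saying whether it must be rotated and why."""
    actions = []
    for c in creds:
        if exposed(c):
            actions.append(Action(c.service, c.kind, True, REMEDY[c.kind]))
        else:
            actions.append(Action(c.service, c.kind, False, "outside exposure rule"))
    return actions


def rotation_plan(creds) -> dict:
    """Group required remedies by service so each account gets one to-do list."""
    plan = {}
    for a in triage(creds):
        if a.rotate:
            plan.setdefault(a.service, []).append(a.reason)
    return plan


# Constructed sample: one user's credentials across two Cloudflare-fronted services.
SAMPLE = [
    Credential("exchange-a", "password", (date(2016, 8, 1), date(2017, 1, 10))),
    Credential("exchange-a", "totp_secret", (date(2016, 5, 3),)),   # enrolled before window
    Credential("exchange-a", "api_key", (date(2016, 3, 14),)),      # old key, still must go
    Credential("blog-b", "password", (date(2017, 2, 20),)),         # first login after the patch
    Credential("blog-b", "totp_secret", (date(2016, 12, 24),)),     # enrolled inside window
    Credential("blog-b", "api_key", (date(2017, 2, 19),)),          # generated after the window
]

if __name__ == "__main__":
    for service, todo in rotation_plan(SAMPLE).items():
        print(service)
        for item in todo:
            print("  -", item)
```

The script deliberately treats a 2FA secret as exposed only at enrollment (that is the one time the seed is transmitted), while a password counts every login, which is why it takes a tuple of dates rather than a single "last used" timestamp.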

- The Poloniex team