CloudBleed and GDAX
Last night we became aware of a security bug with CloudFlare, a service GDAX uses for Denial of Service (DoS) protection. This bug, now commonly known as CloudBleed, led to the leak of data from services that use CloudFlare in very specific and relatively rare circumstances. We believe that the foundation of trust is transparency, so we want to share a more in-depth analysis of how this event impacts GDAX customers.
To date, CloudFlare has identified about 150 CloudFlare clients (including GDAX) affected by the bug. Working with CloudFlare, we identified only one instance of a leaked session cookie, which we immediately invalidated. At this time we are aware of no further impact, but our security team will continue to work closely with CloudFlare to determine what other data, if any, may have been exposed. We have no reason to believe that any GDAX customers' personal data or accounts have been compromised. GDAX’s overall security architecture is designed to minimize the presence of any long-term authentication credentials for risks like this.