CloudBleed and GDAX

Last night we became aware of a security bug with CloudFlare, a service GDAX uses for Denial of Service (DoS) protection. This bug, now commonly known as CloudBleed, led to the leak of data from services that use CloudFlare in very specific and relatively rare circumstances. We believe that the foundation of trust is transparency, so we want to share a more in-depth analysis of how this event impacts GDAX customers.

To date, CloudFlare has identified about 150 CloudFlare clients (including GDAX) affected by the bug. Working with CloudFlare, we identified only one instance of a leaked session cookie, which we immediately invalidated. At this time we are aware of no further impact, but our security team will continue to work closely with CloudFlare to determine what other data, if any, may have been exposed. We have no reason to believe that any GDAX customers' personal data or accounts have been compromised. GDAX's overall security architecture is designed to minimize the presence of any long-term authentication credentials, to reduce exposure to risks like this.

We will continue to monitor the situation and provide further updates on our blog or Twitter if we become aware of additional information. You can also reach out to us anytime at