On the 24th and 25th of July, we experienced two outages that required unexpected maintenance and restarting of the nodes. For the past two days, our developers have been working extremely hard and have been entirely focused only on locating and fixing this issue. As promised, we would like to let our users know the cause of these downtimes.
The first downtime took place at 16:34 UTC, on the 24th of July, and the second downtime took place at 2:26 UTC, on the 25th of July.
Our development team has identified the issue as a vulnerability in one of the API endpoints, which allowed for a potential DoS attack. This endpoint has been temporarily disabled, while the vulnerability got eliminated.
After the second downtime, we started rebooting our servers. However, when the system was back online, there was no cancel only period. Due to this, some stop-loss orders were triggered, which should not have happened. We have already determined customers eligible for reimbursement, and our customer support team will reach out to you.
We want to apologize to our users who put their trust in us and experienced issues due to this unfortunate situation.
We are continuously working on improving our system, and our top priority is the minimization of downtimes. In the last few weeks, we have been focusing solely on that. We have been working on adding two new nodes and new, very experienced system administrators have joined our team. We take each of these incidents very seriously, and our development team does everything it can to prevent these issues from happening again.
We are grateful for your understanding and hope you continue to enjoy trading at Deribit!
Securing your online accounts has never been more important, and with cryptocurrencies this should be your number one priority. Cryptocurrencies make it very easy to move huge sums around digitally, and extremely quickly. If someone gains access to your accounts and moves the funds out, there is little to no chance of getting it back so you need to make sure that you are the only person who ever has access.
Thankfully, there are steps you can take to make your account as secure as possible:
Two Factor Authentication (2FA)
When you only have a username and a password, all a hacker needs to gain access to your account are these two pieces of information. As they are static, this alone does not offer very good protection, particularly if you reuse these details somewhere else!
2FA adds an extra layer of security by requiring another piece of information that changes every 30 seconds. This code is generated using an authenticator app such as Google Authenticator App. This program is completely free to use and you can download it via the Google Play store.
To go that one step further, you could also install the Google Authenticator app itself on a separate dedicated device that is kept completely offline. A cheap phone will do, but one with a camera is useful for scanning the QR codes. It doesn’t need to be powerful at all as it wont even have a sim card in it and you will only be using it for the google authenticator app. Once you have installed the app, put the phone on flight mode and disable wifi.
Some websites offer 2FA via SMS. This is much less secure than using the app because all a hacker needs to do is clone or port your phone number over to theirs to receive the codes by text.
2FA On Your Email
An increasing number of email providers have a 2FA option for logging in. Gmail for example, have been offering this for a while now.
If your email provider offers this, use it! If they don’t, switch to one that does.
It is also a good idea to remove your phone number from your email account so hackers can not use it to ‘recover’ the account. To prevent a technique called sim-swapping it is also a good idea to remove your phone number from your email account so hackers can not use it to ‘recover’ the account.
To put it bluntly, not using two factor authentication when it’s available; free and adds so much security to your account and funds, is just plain stupid!
Use Unique Passwords
This one should be obvious, but you should be using a different password for every account you have. If you use the same password for everything, all that needs to happen for your information to be compromised is for one of the likely hundreds of websites/services you use, to be hacked.
When hackers steal information from one website, they will try many other sites with the same information. Anyone using the exact same details will have just handed the hackers a master key to their entire online lives. By using the same details everywhere, your security is only as good as the weakest of all those accounts.
Keeping track of all those passwords can be a real pain, and storing them online or on your computer in an easy to access format is not a good idea at all. Thankfully though, there is software out there that will do it for you. These software programs are called password managers. They store each of your login details in an encrypted database. And some of them also now offer 2FA as well. So you just need to remember one log in to this database, and the database remembers everything else for you.
You can also consider using encrypted external hard drives to store the information. This way it’s not even connected to the outside world.
Use Unique Emails
Following on from using unique passwords, using unique emails means that even if another website gets hacked, and all the user information is compromised, this hacker will have absolutely no useful information about you to try on other websites.
When you are choosing email addresses, try to avoid using your full name. By using your full name, you are handing over free information for no reason. Also avoid using predictable variations.
If for example a website is hacked and they have your email address as Mark.Smith.HackedWebsiteName@gmail.com, it’s not exactly going to be difficult for them to guess what your Deribit or any other website email is.
It doesn’t have to be a completely random string of letters, something as simple as M.S.RandomWord@gmail.com would suffice.
By using this feature, you can maintain unique logins at each different website, while taking advantage of the protection 2FA on the main Gmail account provides, and manage the addresses from the same inbox.
As an added bonus using different emails for each site will also help you pin down which websites either sell your data to third parties or have poor security.
Storing Your Login Details
The following information should be treated as highly confidential information: -Email -Password -Original 2FA key -2FA backup codes Do not store any of this information in plain text form or on any device that is always attached to the internet. It’s not going to do you much good to have all this security set up correctly if you leave all the keys a hacker needs in a handy text document on your desktop or in a google document online.
Private Messages On Telegram
There has been an increase in the number of users receiving private messages from fake support accounts on Telegram. They are often named things like ‘Deribit Support Team’. These accounts are all fake and the scammers will attempt to get you to either: send them money or hand over personal/login details. Under no circumstances should you do either of these things.
Deribit will never ask you to send us money, and we will never ask for your password/2FA codes. If you are in any doubt simply email us directly at firstname.lastname@example.org or ask in the main support chat room here: https://t.me/deribit In the above chat room, users with ‘admin’ next to their name are Deribit employees.