The attacker was able to empty the balance on accounts with the API key enabled. The issue is being actively looked upon. API access has been disabled.
Everyone who has lost money will be fully reimbursed.
i assume you will make an announcement detailing the full extent of the compromise and what is being done to patch the vulnerability? this makes me very worried to keep funds on there?
i never enabled api key. are my wallets secure?
I would assume so. API keys are very dangerous. They have full access to your account. Never enable api keys for an account you are actually using if you are not using it for development purposes. Create secondary accounts if you want to play with API's. Everyone should also make sure all their accounts on other exchanges/online wallets don't have API's enabled if you aren't using them.
In either case. I have withdrawn my funds temporarily until we get a proper update and a full understanding of what happened.