Unfortunately, it's hard to go into detail as to what could have happened without any details of your account or the compromise. Which type of 2FA do you have enabled for login and funding? Our 2FA options, from least secure to most secure, are static password, Google Authenticator and YubiKey.
I would tend to agree with you when you say that our clients should not solely rely on 2FA. While it can be a good security measure, we have other security measures in place to make your account security rock solid.
For example, if your password and 2FA are both stored on your phone and it was accessed by a bad actor, they could log into your Kraken account. However, if you have a Global Settings Lock set up that means they can't see any of your information (such as address, phone number etc.) and they can't change any details on your account (such as withdrawal address, email address etc.). Essentially they've just accessed an account that they can do absolutely nothing with. The one downside that we see come up with our clients is that if they've set a Global Settings Lock, they need to wait the 3-30 days in order to change details on their Kraken account. Kraken support also cannot remove it or change any details on the account.
This is where the Masterkey comes into play. If you have a Masterkey set up on your Kraken account (which again can be a static password, Google Authenticator or YubiKey), you can bypass your 2FA as well as the Global Settings Lock. It's a very powerful tool, so it needs to be kept completely separate from where you store your password and 2FA. If a bad actor has your password, 2FA and Masterkey, they've got everything they need to remove funds from your account.
Thanks for your post. I hope this helps in understanding what security measures we offer and how to best protect your hard earned crypto. If you have any other details you'd like to share you can always send me a private message or reply to your ticket again.