How does Loophole keep my account secure?

Loophole is built for high-stakes, policy-sensitive problems - which means account security isn’t optional. It’s core to how we operate.

Here’s how we protect your identity, data, and platform access:


1. Identity verification

Every user goes through manual or automated identity screening before their account is activated. This includes email verification and phone number verification - which helps prevent impersonation, fraud, and abuse.

We may also request:

  • Government-issued ID

  • Business documentation (if applicable)

  • Additional verification steps for higher-risk requests


2. Device and access controls

We monitor for suspicious logins, device fingerprint mismatches, and abnormal usage patterns.

  • You may be required to re-verify your identity if your device, location, or behavior changes

  • Attempts to access your account from unauthorized regions (outside the U.S., U.K., or Canada) are automatically denied

  • You can review your login history and flag any suspicious attempts for faster investigation.


3. Two-factor authentication (2FA)

You can add a second sign-in step on top of your password from Settings → Security. With 2FA enabled, even if someone gets your password, they can't sign in without your second factor.

Loophole supports three 2FA methods:

  • Authenticator App - A 6-digit code from Google Authenticator, 1Password, Authy, or any TOTP app

  • Email Code - A 6-digit code sent to your account email

  • SMS Code - A 6-digit code texted to the phone number on your account

We strongly recommend turning on 2FA - especially if you've ever reused a password on another site. See: How do I set up 2 Factor Authentication?


4. Enterprise-grade edge protection

All Loophole traffic is routed through Cloudflare Enterprise - the same network protecting roughly 20% of the web. This means our defenses sit at the edge, well before any malicious request ever reaches our servers.

What that gets you:

  • Unmetered DDoS protection - Cloudflare's autonomous edge network mitigates volumetric and application-layer attacks at hundreds of data centers worldwide. Most attacks are detected and blocked in under three seconds.

  • Web Application Firewall (WAF) - Custom and managed rulesets continuously inspect incoming requests and block known exploits, injection attempts, and credential-stuffing patterns.

  • Advanced bot management - Every request gets a bot score from 1-99 using machine-learning models trained on Cloudflare's global traffic. Suspicious automated traffic is challenged or blocked before it can probe our systems.

  • Global threat intelligence - When a new attack pattern is identified anywhere on Cloudflare's network, that protection is applied to Loophole automatically. Our defenses evolve in real time based on global data.

  • Automatic IP banning - Suspicious login attempts and abuse patterns trigger immediate firewall rules at the Cloudflare level, blocking bad actors before they can retry.

  • Encrypted in transit - All traffic to and from Loophole is protected with TLS, terminated at Cloudflare's edge using modern certificate standards.


5. Platform restrictions

To protect the integrity of our tools:

  • Accounts are single-user only

  • Shared or duplicated accounts are banned

  • Proxies, VPNs, and anonymizers may trigger security flags

  • All activity is logged and reviewed for misuse patterns


6. Internal safeguards

  • Sensitive requests are access-restricted to vetted team members

  • All uploads, AI prompts, and generated outputs are encrypted in transit

  • Our infrastructure is monitored 24/7 for unusual behavior or intrusion attempts


If you think your account has been compromised:

  • Change your password immediately

  • Email Security [at] Loophole (dot) com with a summary of what happened

  • We may lock the account temporarily to investigate and protect your data