A bug could have cost Coinbase users a lot of money, the exchange itself admits in its latest blog post.
Coinbase Holds Its Hands Up
The Friday “post mortem” revealed that an error on the Coinbase sign-up page saved customers’ information to Coinbase’s internal web server logs in clear text. So a password which, say, reads “123456” appeared as “123456” to the staff at the San Francisco-based cryptocurrency firm. Ideally, it should have been hashed into non-readable text.
The bug, Coinbase admitted, affected 3,420 customers in total. Excerpts from their statement:
Under [a very specific] and rare error condition, the registration form on our signup page wouldn’t load correctly, which meant that any attempt to create a new Coinbase account under those conditions would fail. Unfortunately, it also meant that the individual’s name, email address, and proposed password (and state of residence, if in the US) would be sent to our internal logs.
The exchange said users who resubmitted the form had their password and other details hashed securely. Unfortunately, the 3,420 customers mentioned above had their private data accidentally logged on Coinbase servers.
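The failure described above, an error path that writes the submitted form to internal logs, is commonly guarded against with a redacting log filter. The Python sketch below is an added example, not Coinbase's code; the field names, the `signup` logger name and the sample submission are assumptions.

```python
import io
import logging

# Assumed form field names, modelled on the fields the statement lists.
SENSITIVE_KEYS = {"password", "name", "email", "state"}
REDACTED = "[REDACTED]"

def scrub(value):
    """Return a copy of value with sensitive dict keys masked, recursing into containers."""
    if isinstance(value, dict):
        return {k: REDACTED if str(k).lower() in SENSITIVE_KEYS else scrub(v)
                for k, v in value.items()}
    if isinstance(value, list):
        return [scrub(v) for v in value]
    if isinstance(value, tuple):
        return tuple(scrub(v) for v in value)
    return value

class RedactFormFields(logging.Filter):
    """Scrub log arguments before the handler formats and emits them."""
    def filter(self, record):
        # logging stores a single dict argument directly in record.args
        record.args = scrub(record.args)
        return True

def log_failed_signup(form):
    """Simulate the error path: the handler logs the whole submitted form."""
    stream = io.StringIO()
    logger = logging.getLogger("signup")  # hypothetical logger name
    logger.handlers.clear()
    logger.propagate = False
    handler = logging.StreamHandler(stream)
    handler.addFilter(RedactFormFields())
    logger.addHandler(handler)
    logger.error("registration form failed to render, payload=%s", form)
    return stream.getvalue()

# Constructed sample submission, not real data.
SAMPLE = {"name": "Alice Example", "email": "alice@example.com",
          "password": "123456", "state": "CA", "referrer": "/signup"}

if __name__ == "__main__":
    print(log_failed_signup(SAMPLE))
```

Key-based redaction only covers structured log arguments; a password already interpolated into the message string before the logging call passes through unchanged.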
No Damage Reported
Coinbase behaved like a good Samaritan and fixed the issue as a top priority. The firm asserted that it traced the entire line of storage to confirm that it was not holding any of its customers’ personal information.
“We have an internal logging system hosted in AWS, as well as a small number of log analysis service providers,” wrote Coinbase. “Access to all of these systems is tightly restricted and audited. A thorough review of access to these logging systems did not reveal any unauthorized access to this data.”
The firm also triggered a password reset for affected customers. It asserted that a password alone would not have let a potential hacker steal their bitcoins, explaining that it protects each account with mandatory email and 2FA authentication.
We maintain incredibly high standards for securing the Coinbase platform, and any time we fall even slightly short of those standards, we mobilize a team to figure out what went wrong, and how we prevent it from happening again. We also believe in being transparent with our customers, which is why we’re sharing the results of our investigation today.
The alert came at a time when institutional investors are taking concrete steps towards introducing bitcoin into their portfolios. Security, nevertheless, has remained one of their top concerns, given the cryptocurrency custodians’ history of letting hackers steal billions of dollars worth of assets right under their noses.
Coinbase, a US-regulated entity, has never been hacked. The exchange maintains commercial, criminal insurance in an aggregate amount that is greater than the value of the digital currency it keeps in online storage.