Passwords of nearly 3500 Coinbase users stored in clear text


The leading cryptocurrency platform Coinbase reported a potential vulnerability that caused the personal information of 3420 users, including passwords, to be stored in clear text in the server’s internal log. According to the exchange, no third parties gained unauthorized access to this data.

The California company also noted that this concerns a very small share of its customers, out of a total user base of more than 30 million people. All of them were sent letters informing them of the detected problem.

The identified bug, as Coinbase representatives say, was on the registration page.

The company notes that under very specific and rare conditions the registration form did not load correctly, so any attempt to create a new Coinbase account failed. In those cases the names, email addresses and entered passwords were also written to the internal log.

If the user reloaded the page and successfully completed the registration, the entered information was, as intended, not logged, and the passwords were encrypted. However, in 3420 cases, users registered with a password whose hash matched the hash recorded in the internal log.

According to Coinbase, the vulnerability has now been completely eliminated, and no other forms of “problem behavior” have been identified on the platform. Nevertheless, the company has begun introducing additional mechanisms to identify and prevent the inadvertent occurrence of such bugs in the future.
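One kind of safeguard against this class of bug, shown as an added example that is not Coinbase's code: a logging filter that masks secret fields before a failed-signup payload reaches the log. The field names, the `signup` logger and the sample form are assumptions made for the illustration.

```python
import logging

# Field names treated as secret (an assumption for this example).
SENSITIVE_KEYS = {"password", "password_confirmation", "token", "secret"}
REDACTED = "[REDACTED]"
# Constructed sample payload, not real data.
SAMPLE_FORM = {"name": "Alice Example", "email": "alice@example.test",
               "password": "S3cret-constructed"}

def scrub(value):
    """Return a copy with sensitive dict keys masked, recursing into containers."""
    if isinstance(value, dict):
        return {k: REDACTED if str(k).lower() in SENSITIVE_KEYS else scrub(v)
                for k, v in value.items()}
    if isinstance(value, list):
        return [scrub(v) for v in value]
    if isinstance(value, tuple):
        return tuple(scrub(v) for v in value)
    return value

class RedactingFilter(logging.Filter):
    """Scrub log arguments before the handler formats or ships the record."""
    def filter(self, record):
        # logging unwraps a single dict argument into record.args itself.
        record.args = scrub(record.args)
        return True

class ListHandler(logging.Handler):
    """Collects formatted lines in memory so the example runs offline."""
    def __init__(self):
        super().__init__()
        self.lines = []
    def emit(self, record):
        self.lines.append(self.format(record))

def log_failed_signup(form, redact=True):
    """Simulate the error path: the form failed and the handler logs the payload."""
    logger = logging.Logger("signup")  # standalone logger, no global state
    handler = ListHandler()
    if redact:
        handler.addFilter(RedactingFilter())
    logger.addHandler(handler)
    logger.error("signup form error, payload=%s", form)
    return handler.lines[0]

if __name__ == "__main__":
    print(log_failed_signup(SAMPLE_FORM, redact=False))  # cleartext password
    print(log_failed_signup(SAMPLE_FORM, redact=True))   # password masked
```

The filter only masks the keys listed in `SENSITIVE_KEYS`, so names and email addresses are still written; add those keys if the log should carry no personal data at all.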

The company also claims to have investigated the places where data leakage could have occurred, including the system in Amazon Web Services and some third-party log analysis services, and has not detected any cases of unauthorized access.

Although Coinbase specialists are confident that the root cause has been corrected and that no unauthorized access took place, users whose data appeared in the server’s internal log will still have to change their passwords as a preventive measure.