3,000+ Users' Passwords Stored By Coinbase As Clear Text Files
The leading cryptocurrency platform Coinbase reported a potential vulnerability, as a result of which the personal information of 3420 users, including passwords, was stored as clear text on its internal servers. According to representatives of the exchange, third parties did not gain unauthorized access to this data.
The California company also noted that this is a very small share of its customers, given a total user base of more than 30 million people. All of them were sent letters informing them of the detected problem.
The identified bug, Coinbase representatives say, was on the registration page.
“Under a very specific and rare error condition, the registration form on our signup page wouldn’t load correctly, which meant that any attempt to create a new Coinbase account under those conditions would fail. Unfortunately, it also meant that the individual’s name, email address, and proposed password (and state of residence, if in the US) would be sent to our internal logs,” the company wrote.
If the user reloaded the page and successfully completed the registration, the entered information was, as intended, not recorded, and the passwords were encrypted. However, in 3420 cases users registered using a password whose hash corresponded to the hash recorded on the internal servers.
According to Coinbase, the vulnerability has now been completely eliminated and no other forms of “problem behavior” have been identified on the platform. Nevertheless, the company has started introducing additional mechanisms to identify and prevent the inadvertent occurrence of such bugs in the future.
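The failure described above, form fields written to logs on an error path, is the kind of bug a redaction filter on the log handler is meant to contain. The following is an added example, not Coinbase's code; the field names, logger names and the `RedactingFilter` class are assumptions made for illustration.

```python
import io
import logging

# Assumed names of credential-bearing fields; extend to match the real form schema.
SENSITIVE_KEYS = {"password", "proposed_password", "passwd", "secret", "token"}
REDACTED = "[REDACTED]"

# Constructed sample of the fields the article says reached the internal logs.
FORM = {"name": "Alice Example", "email": "alice@example.com",
        "state": "CA", "proposed_password": "correct horse battery"}


def scrub(value):
    """Return a copy of value with sensitive dict entries masked, recursively."""
    if isinstance(value, dict):
        return {k: REDACTED if str(k).lower() in SENSITIVE_KEYS else scrub(v)
                for k, v in value.items()}
    if isinstance(value, list):
        return [scrub(v) for v in value]
    return value


class RedactingFilter(logging.Filter):
    """Scrub structured log arguments before the handler formats them."""

    def filter(self, record):
        # logging unwraps a single dict argument into record.args itself.
        if isinstance(record.args, dict):
            record.args = scrub(record.args)
        elif isinstance(record.args, tuple):
            record.args = tuple(scrub(a) for a in record.args)
        return True


def log_failed_signup(form, redact=True):
    """Log a failed signup's submitted form and return the emitted log line."""
    stream = io.StringIO()
    logger = logging.getLogger("signup.safe" if redact else "signup.unsafe")
    logger.propagate = False
    handler = logging.StreamHandler(stream)
    if redact:
        # Attached to the handler so records from child loggers are covered too.
        handler.addFilter(RedactingFilter())
    logger.handlers = [handler]
    logger.error("signup form failed to render, submitted=%s", form)
    return stream.getvalue()


if __name__ == "__main__":
    print(log_failed_signup(FORM, redact=False), end="")  # password in clear text
    print(log_failed_signup(FORM, redact=True), end="")   # password masked
```

Key-based scrubbing only catches field names on the list, so it complements keeping credentials out of error payloads in the first place rather than replacing it.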
The company also claims to have investigated the areas where data leaks could have occurred, including the system on Amazon Web Services and some third-party log analysis services, and has not detected any cases of unauthorized access.
Although Coinbase specialists are confident that the initial cause of the problem has been corrected and that there was no unauthorized access, users whose data appeared in the server’s internal log will still have to change their passwords as a preventive measure.
Recall that earlier this week Coinbase confirmed the purchase of the custodial service Xapo. Following the successful completion of the transaction, valued at $55 million, Coinbase Custody now holds digital assets worth more than $7 billion for 120 institutional clients from 14 countries.