Coinbase Reveals Password Glitch Affecting 3,500 Customers

The rare bug impacted roughly 0.01 percent of the exchange's 30 million customers, Coinbase revealed Friday.

Aug 16, 2019 at 8:00 p.m. UTC
Updated Aug 18, 2021 at 12:41 p.m. UTC


Crypto exchange Coinbase disclosed a potential vulnerability Friday, announcing that a tiny fraction of its customers' passwords were stored in plain text on an internal server log. However, the information was not improperly accessed by outside parties, the exchange said.

In a post-mortem shared with CoinDesk, Coinbase outlined "a password storage issue," impacting less than 3,500 customers (out of more than 30 million worldwide) that briefly resulted in personal information, including the passwords, being stored in clear text on internal logging systems.

"Under a very specific and rare error condition, the registration form on our signup page wouldn’t load correctly, which meant that any attempt to create a new Coinbase account under those conditions would fail," the post explained. "Unfortunately, it also meant that the individual’s name, email address, and proposed password (and state of residence, if in the US) would be sent to our internal logs."

In 3,420 instances, the potential customers used the same password on their second signup attempt, which would be successful but would result in their having a password that matches the hashed version on the company's logs. Those customers were notified by Coinbase via email on Friday.

The bug occurred due to Coinbase's use of React.js server-side rendering on the signup page. Essentially, when a user visits the page to sign up for an account, React helps display the form that needs to be filled out.

"Any user attempting to register needs to have JavaScript enabled, and needs to have that JavaScript load correctly," the post explained, adding:

"In virtually all circumstances, both of these things are true, and React handles form validation and submission to the server. However, if a user had JavaScript disabled or their browser received a React.js error when loading, there was enough pre-rendered HTML that a user could fill out and attempt to submit our registration form."

Because the HTML form "was extremely basic," no "action" or "method" attributes were set. By default, browsers submit such a form with "GET," which places the form fields in the request URL's query string, and those URLs were then recorded in the server logs.

The exchange fixed the issue by switching the default form method to "POST," to ensure data is no longer logged.
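As an added illustration, not Coinbase's code or code from its post, the Python below shows the mechanism the article describes: a form with no "method" attribute submits with GET, so the fields end up in the request line that web servers write to their access logs, while POST carries them in the body. It also contains a small pre-deployment check that parses server-rendered HTML and flags any form that would submit a password field over GET. The form markup, field names, and the "/signup" path are constructed assumptions.

```python
"""Why a bare <form> leaks fields into access logs, and a check that catches it.

Added example; the HTML, field names and paths are constructed, not Coinbase's.
"""
from html.parser import HTMLParser
from urllib.parse import urlencode

# Constructed pre-rendered signup markup with no action and no method attribute.
BARE_FORM_HTML = """
<form>
  <input name="name" type="text">
  <input name="email" type="email">
  <input name="password" type="password">
  <button type="submit">Sign up</button>
</form>
"""

# The same form with an explicit POST method, the fix the article describes.
FIXED_FORM_HTML = BARE_FORM_HTML.replace("<form>", '<form method="post" action="/signup">')


def submission_request_line(method, action, fields):
    """Approximate how a browser serialises a form submission.

    GET: fields are URL-encoded into the query string of the request target,
    which access logs record verbatim. POST: fields travel in the body, which
    ordinary access logs do not record. Returns (request_line, body).
    """
    if method.upper() == "GET":
        return f"GET {action}?{urlencode(fields)} HTTP/1.1", None
    return f"POST {action} HTTP/1.1", urlencode(fields)


class FormAuditor(HTMLParser):
    """Collects every <form> element and the (name, type) of its inputs."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # Per the HTML spec a missing method means GET; a missing action
            # means "submit to the current URL", recorded here as "".
            self._current = {
                "method": (attrs.get("method") or "get").lower(),
                "action": attrs.get("action") or "",
                "inputs": [],
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append(
                (attrs.get("name") or "", (attrs.get("type") or "text").lower())
            )

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


# Field names treated as sensitive in addition to any type="password" input.
SENSITIVE_NAMES = {"password", "passwd", "pass", "secret", "token", "ssn"}


def find_leaky_forms(html):
    """Return findings for forms that would send sensitive fields via GET."""
    auditor = FormAuditor()
    auditor.feed(html)
    findings = []
    for form in auditor.forms:
        if form["method"] != "get":
            continue
        sensitive = [name for name, typ in form["inputs"]
                     if typ == "password" or name.lower() in SENSITIVE_NAMES]
        if sensitive:
            findings.append({"action": form["action"], "fields": sensitive})
    return findings


if __name__ == "__main__":
    sample = {"email": "alice@example.test", "password": "hunter2"}
    print(submission_request_line("get", "/signup", sample))   # password in the URL
    print(submission_request_line("post", "/signup", sample))  # password in the body
    print("bare form findings:", find_leaky_forms(BARE_FORM_HTML))
    print("fixed form findings:", find_leaky_forms(FIXED_FORM_HTML))
```

Running find_leaky_forms over the server-rendered output of every page in CI is one concrete shape for the "mechanisms to detect and prevent" that the post promises: the check needs only the HTML, so it works whether or not the JavaScript that normally takes over the form has loaded.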

While Coinbase searched for other forms "with that problematic behavior," the exchange did not identify any.

"We’re also in the process of implementing additional mechanisms to detect and prevent the inadvertent introduction of this sort of bug in the future," the blog post said.

In response to the discovery, Coinbase said it tracked the various locations where the logs might be stored, which included a system hosted on Amazon Web Services and some "log analysis service providers."

"A thorough review of access to these logging systems did not reveal any unauthorized access to this data," the post said, adding that access to each of the systems is "tightly restricted and audited."
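The review Coinbase describes starts with knowing which log lines carry the leaked fields and whose accounts they belong to. As an added example, not code from Coinbase or its post, the Python below scans constructed web-server access-log lines for GET requests whose query string contains password-like parameters, tallies the email addresses that appear alongside them so the affected users can be notified, and produces a redacted copy of each line for retention. The log lines, addresses and parameter names are invented.

```python
"""Scope and redact credential-bearing query strings in access logs.

Added example; the log lines below are constructed in Combined Log Format
and are not from any real system.
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query-string parameter names treated as sensitive.
SENSITIVE_PARAMS = {"password", "passwd", "pass", "secret", "token"}

# Constructed sample lines: a GET signup with the password in the URL, a POST
# signup (fields in the body, not logged), a static asset, and a retry.
SAMPLE_LOG = """\
203.0.113.5 - - [16/Aug/2019:10:01:22 +0000] "GET /signup?name=Alice&email=alice%40example.test&password=hunter2&state=CA HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [16/Aug/2019:10:02:10 +0000] "POST /signup HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [16/Aug/2019:10:03:45 +0000] "GET /assets/app.js HTTP/1.1" 200 10240 "-" "Mozilla/5.0"
203.0.113.5 - - [16/Aug/2019:10:04:01 +0000] "GET /signup?email=alice%40example.test&password=hunter2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Matches the quoted request section: method, target (path + query), protocol.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[0-9.]+)"')


def _params(line):
    """Return (match, decoded query parameters) for a log line, or (None, [])."""
    m = REQUEST_RE.search(line)
    if not m:
        return None, []
    query = urlsplit(m.group("target")).query
    return m, parse_qsl(query, keep_blank_values=True)


def exposed_requests(log_text):
    """Yield (line_no, method, path, sensitive_param_names) per affected line."""
    for n, line in enumerate(log_text.splitlines(), 1):
        m, params = _params(line)
        if m is None:
            continue
        names = [k for k, _ in params if k.lower() in SENSITIVE_PARAMS]
        if names:
            yield n, m.group("method"), urlsplit(m.group("target")).path, names


def affected_accounts(log_text):
    """Map each email seen next to a leaked credential to its number of hits.

    This is the list of people to notify and force through a password reset.
    """
    counts = {}
    for _n, line in enumerate(log_text.splitlines(), 1):
        m, params = _params(line)
        if m is None:
            continue
        fields = dict(params)
        if "email" in fields and any(k.lower() in SENSITIVE_PARAMS for k in fields):
            counts[fields["email"]] = counts.get(fields["email"], 0) + 1
    return counts


def redact_line(line):
    """Return the line with sensitive query values replaced by REDACTED.

    Non-sensitive parameters are preserved so the line stays useful for
    forensics; lines without a query string are returned unchanged.
    """
    m, params = _params(line)
    if m is None or not params:
        return line
    cleaned = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v) for k, v in params]
    parts = urlsplit(m.group("target"))
    new_target = urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(cleaned), parts.fragment))
    return line[: m.start("target")] + new_target + line[m.end("target"):]


if __name__ == "__main__":
    for hit in exposed_requests(SAMPLE_LOG):
        print("exposed:", hit)
    print("accounts to notify:", affected_accounts(SAMPLE_LOG))
    for line in SAMPLE_LOG.splitlines():
        print(redact_line(line))
```

The same pass has to be run against every copy of the logs, which is why the article's point about tracking down each storage location (the AWS-hosted system and the third-party log analysis providers) matters: a redaction applied only to the primary store leaves the forwarded copies intact.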

Coinbase said it has also triggered password resets for any individual whose account was impacted. (The blog post added that it requires two-factor authentication on top of a password in order for users to log into accounts.)

"While we are confident that we’ve fixed the root cause and that the logged information was not improperly accessed, misused, or compromised, we are requiring those customers to change their passwords as a best-practice precaution," the post explained.

"As a reminder, Coinbase also maintains an active bug bounty program on HackerOne, which has paid out over a quarter of a million dollars to date. While this particular bug was discovered internally, we welcome security researchers to submit reports any time they believe they may have uncovered a flaw in one of our systems," the exchange concluded.

Coinbase's disclosure comes on the heels of Binance and Huobi suffering from actual data breaches. Unlike Coinbase, Binance and Huobi appear to have lost control of client know-your-customer data, including identity verification documents.
