Coinbase Suffers From Information Bug That Exposed User Passwords

Author: Max Moeller
Last Updated: 16 August 2019

Coinbase, one of the most popular US-based cryptocurrency exchanges, revealed that it suffered from a system bug that “resulted in some registration details being stored in clear text in our internal web server logs.” The issue occurred via its sign-in page, through which users' emails and passwords were exposed. Although the Coinbase team is confident the information wasn’t abused and that the problem is fixed, it still advises everyone to change their passwords. The platform is also making sure to email the affected customers, around 3,500 victims.

A summary of what happened, via a Coinbase blog post:

“Under a very specific and rare error condition, the registration form on our signup page wouldn’t load correctly, which meant that any attempt to create a new Coinbase account under those conditions would fail. Unfortunately, it also meant that the individual’s name, email address, and proposed password (and state of residence, if in the US) would be sent to our internal logs.”

The post goes on to state that if a user had reloaded the sign-up page before entering their information, their details would have stayed secure. “However, in the 3,420 instances referenced above, the user successfully registered using a password with a hash that matched the one previously logged,” it reads.

Coinbase then explains what it did after finding out:

“After we identified and fixed the bug, we traced back all the places where these logs might have ended up. We have an internal logging system hosted in AWS, as well as a small number of log analysis service providers. Access to all of these systems is tightly restricted and audited. A thorough review of access to these logging systems did not reveal any unauthorized access to this data. Additionally, we triggered a password reset for impacted customers, even though a password alone is not sufficient to access a Coinbase account — our device verification emails and mandatory 2FA mechanisms would both have been triggered and blocked any unauthorized login attempts.”

Overall, the team ends the post by discussing the high standards it holds itself to, along with its process for following up with its subsidiaries any time something goes wrong.
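The failure mode described above is a request body from a failed signup being written to server logs unmodified. The following added example (not Coinbase's code; the field names and the sample log lines are constructed for illustration) shows the two defensive steps a practitioner would want: masking password fields before an error handler logs a request body, and scanning logs that already exist for password values that were never masked.

```python
import json
import re
from urllib.parse import parse_qsl, urlencode

# Field names that must never reach a log in clear text. These names are an
# assumption for this example; the real signup form's field names are not public.
SENSITIVE_FIELDS = {"password", "proposed_password", "password_confirmation"}
REDACTED = "REDACTED"


def redact_form_body(body: str) -> str:
    """Return a copy of a urlencoded or JSON request body with sensitive fields masked."""
    body = body.strip()
    if body.startswith("{"):
        try:
            data = json.loads(body)
        except json.JSONDecodeError:
            return REDACTED  # unparseable body: drop it entirely rather than risk a leak
        masked = {k: (REDACTED if k.lower() in SENSITIVE_FIELDS else v) for k, v in data.items()}
        return json.dumps(masked, sort_keys=True)
    pairs = parse_qsl(body, keep_blank_values=True)
    return urlencode([(k, REDACTED if k.lower() in SENSITIVE_FIELDS else v) for k, v in pairs])


def log_failed_request(method: str, path: str, status: int, body: str) -> str:
    """Build the line an error handler writes when a signup request fails."""
    return f'{method} {path} {status} body="{redact_form_body(body)}"'


# Matches a password-like field (urlencoded or JSON) in an existing log line and captures its value.
LEAK_PATTERN = re.compile(
    r'(?i)(?:^|[?&\s"{,])"?(password|proposed_password|password_confirmation)"?\s*[=:]\s*"?([^&\s",}]+)'
)


def find_cleartext_passwords(log_lines):
    """Return (line_number, field_name) for every line that still carries an unmasked password."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        for field, value in LEAK_PATTERN.findall(line):
            if value != REDACTED:
                hits.append((number, field.lower()))
    return hits


# Constructed sample log lines, not real data: lines 1 and 3 leak, line 2 was masked correctly.
SAMPLE_LOG = [
    'POST /signup 500 body="name=Alice&email=alice%40example.com&password=hunter2&state=CA"',
    'POST /signup 500 body="name=Bob&email=bob%40example.com&password=REDACTED&state=NY"',
    'POST /signup 500 body={"email": "carol@example.com", "password": "letmein"}',
]

if __name__ == "__main__":
    print(find_cleartext_passwords(SAMPLE_LOG))
```

The scanner only locates lines to act on; as in the post, the remediation for each hit is a forced password reset for that account, not an attempt to clean the value in place.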