Crypto exchange behemoth Coinbase discovered a bug in its signup page that led to registration details being stored in clear text in internal web server logs, they announced in a blog post on Friday.
“Under a very specific and rare error condition,” their registration signup page wouldn’t load properly. A customer would enter their details but the page would crash, sending the “individual’s name, email address, and proposed password (and state of residence, if in the US)” to its internal logs.
If the user refreshed the page, and they signed up again using the same password–this time successfully–the password’s hash would match they one previously logged.
Luckily, the glitch only harmed a tiny fraction of their user base. Coinbase has over 30 million users according to its website. Still, for those unlucky few, Coinbase has the following message:
“While we are confident that we’ve fixed the root cause and that the logged information was not improperly accessed, misused, or compromised, we are requiring those customers to change their passwords as a best-practice precaution.”
Though the hack was discovered internally, Coinbase has an active bug bounty program on HackerOne, which has so far paid over $250,000 to white-hatters.
Generally, though, Coinbase’s cybersecurity has been squeaky clean. It’s currently the only major exchange yet to suffer a breach. Recently, a hacker stole $40 million from Binance, and another stole $450 million from Mt. Gox.
As we wrote back in May, Coinbase is so secure it can’t even hack itself. CEO Brian Armstrong told Wall Street Journal reporter Paul Vigna that it hires spies to test its cybersecurity systems. The spies get a job at Coinbase and try to hack into their systems. “They might breach one or two” layers of security, Armstrong said, but no more.
