From Wednesday (April 10), Coinbase’s Security team will notify you if it finds your username (email address) and password in a “credential dump from another website”, and will automatically “lock your account” if that username-password combination is “currently valid for your Coinbase account,” thereby allowing you to change your Coinbase credentials before hackers try to get into your account.
What Is Credential Stuffing?
Credential stuffing is “a type of cyberattack where stolen account credentials typically consisting of lists of usernames and/or email addresses and the corresponding passwords (often from a data breach) are used to gain unauthorized access to user accounts through large-scale automated login requests directed against a web application.” It is “made possible because many users will reuse the same password across many sites, with one survey reporting that 81% of users have reused a password across two or more sites and 25% of users use the same password across a majority of their accounts.”
“With all of the massive credential dumps that have happened over the past few years, credential stuffing has become a serious threat to online services. Most people don't change their passwords regularly, so even older credential dumps can be used with relative success. And since password reuse is rampant, cybercriminals will generally test a set of credentials against numerous different websites.”
How Does Coinbase Securely Try to Protect You Against This Type of Attack?
In a post published to Coinbase’s Medium blog earlier today, Matt Muller, Head of Trust Operations at Coinbase, explains that when you create a Coinbase account, they” use an algorithm called bcrypt to irreversibly turn your plaintext password into a string of gibberish known as a ‘hash’ that is unique to your account. Since “bcrypt is a ‘one-way’ hash, nobody (including Coinbase) can decrypt it to figure out the underlying password.” Each time that you log in, they “run your password” through this algorithm again “to see if the same plaintext turns into the same hash,” and if it does, you are allowed to log in.
Coinbase uses the same idea for testing credentials that they find online. When they come across “a compromised email address and password,” they “check to see if that email address belongs to an existing Coinbase customer.” If this is the case, they “hash the exposed password using bcrypt” to see if it the resulting hash is the same as the hash previously saved for that email address. If it is, they will lock your account until you have had a chance to reset your password. If the two hashes are not the same, there is no further action they need to take.
Although the technique that Coinbase is employing here has been used by some other online companies, most notably Google, this might be the first time we have seen a crypto exchange publicly talk about it.
What Can You Do to Protect Yourself Against Credential Stuffing Attacks?
As the Wired article mentioned earlier noted, the best thing you can is “to use unique passwords for each of your digital accounts—ideally by using a password manager—and turn on two-factor authentication when it’s available.”