Coinbase’s Latest Line of Defense Against a ‘Credential Stuffing’ Attack on Your Account

From Wednesday (April 10), Coinbase's Security team will notify you if it finds your username (email address) and password in a "credential dump from another website", and will automatically "lock your account" if that username-password combination is "currently valid for your Coinbase account," thereby allowing you to change your Coinbase credentials before hackers try to get into your account.

What Is Credential Stuffing?

Credential stuffing is "a type of cyberattack where stolen account credentials typically consisting of lists of usernames and/or email addresses and the corresponding passwords (often from a data breach) are used to gain unauthorized access to user accounts through large-scale automated login requests directed against a web application." It is "made possible because many users will reuse the same password across many sites, with one survey reporting that 81% of users have reused a password across two or more sites and 25% of users use the same password across a majority of their accounts."

Crane Hassold, a Senior Director of Threat Research at the digital fraud defense firm Agari told Wired in February:

"With all of the massive credential dumps that have happened over the past few years, credential stuffing has become a serious threat to online services. Most people don't change their passwords regularly, so even older credential dumps can be used with relative success. And since password reuse is rampant, cybercriminals will generally test a set of credentials against numerous different websites."

How Does Coinbase Securely Try to Protect You Against This Type of Attack?

In a post published to Coinbase's Medium blog earlier today, Matt Muller, Head of Trust Operations at Coinbase, explains that when you create a Coinbase account, they" use an algorithm called bcrypt to irreversibly turn your plaintext password into a string of gibberish known as a 'hash' that is unique to your account. Since "bcrypt is a 'one-way' hash, nobody (including Coinbase) can decrypt it to figure out the underlying password." Each time that you log in, they "run your password" through this algorithm again "to see if the same plaintext turns into the same hash," and if it does, you are allowed to log in.

Coinbase uses the same idea for testing credentials that they find online. When they come across "a compromised email address and password," they "check to see if that email address belongs to an existing Coinbase customer." If this is the case, they "hash the exposed password using bcrypt" to see if it the resulting hash is the same as the hash previously saved for that email address. If it is, they will lock your account until you have had a chance to reset your password. If the two hashes are not the same, there is no further action they need to take. 

Although the technique that Coinbase is employing here has been used by some other online companies, most notably Google, this might be the first time we have seen a crypto exchange publicly talk about it.

What Can You Do to Protect Yourself Against Credential Stuffing Attacks?

As the Wired article mentioned earlier noted, the best thing you can is "to use unique passwords for each of your digital accounts—ideally by using a password manager—and turn on two-factor authentication when it's available."

Featured Image Credit: Photo by "TheDigitalArtist" via


Weekly Newsletter

Two Brazilian Crypto Exchanges Close Following Change in Tax Laws

  • Two Brazilian exchanges have been forced to close in the face of strict new regulations.
  • Exchanges are required to keep track of all transactions made with cryptocurrency or pay fines. 

Two Brazilian cryptocurrency exchanges have been forced to shut down following the enactment of new tax laws. 

Following reports of rampant cryptocurrency-related fraud in 2019, Brazilian politicians have created and enforced new tax regulations for the industry of cryptocurrency. 

According to a report by, exchanges Acesso and Latoex are two of the first casualties of the increased regulation. Both exchanges have decided to end operation, rather than pay the hefty fines and comply with strict regulation in the face of shrinking trading volume. 

Pedro Nunes, co-founder of Acesso Bitcoin, told Portal do Bitcoin, 

After the Federal Revenue Service introduced these rules we noticed a significant decrease in the traded volume. We also feel that the market has cooled off for smaller exchanges.

The new regulations, implemented in August 2019, require traders and brokerages to report all transactions involving cryptocurrencies. Failure to comply results in penalties ranging from 500 BRD to 1500 BRD ($120 - $360). 

Exchanges say that compliance with the new regulation requires expensive investment into new resources, which has been untenable for smaller and less profitable organizations.

Featured Image Credit: Photo via