Coinbase Confesses: Buggy Signup Page Logged 3,420 Passwords in Unencrypted Form

Siamak Masnavi

Coinbase revealed on Friday (August 16) that a bug in its signup ("create account") page caused the registration details (full name, email address, and password) of 3,420 customers to be logged in clear text in its internal web server logs.

What Happened

Coinbase's blog post says that under "a very specific and rare error condition," the registration form in their signup page "wouldn’t load correctly, which meant that any attempt to create a new Coinbase account under those conditions would fail."

Unfortunately, when this happened, the name, email address, and proposed password of the person concerned were saved in clear text (i.e. unhashed and unencrypted) in Coinbase's internal logs.

If the person trying to register "reloaded the page and then submitted the form for a successful registration," the registration information was not logged (the correct behavior) and the proposed password was "securely hashed." In 3,420 instances, however, the user "successfully registered using a password with a hash that matched the one previously logged." That is clearly not a good thing, since it means that, in theory, certain Coinbase employees had access to the passwords of these new customers.
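The failure mode described above comes down to an error path that serialises the whole submitted form into a log line, and the scoping step Coinbase describes comes down to checking which logged passwords match the hash an account later registered with. The following Python is an added illustration of both, not Coinbase's code: the form field names, the PBKDF2 stand-in for the real password hash, and all sample data are assumptions constructed for the example.

```python
"""Added example: a buggy form-error logger beside a redacting one, and an
incident-scoping check that matches logged passwords against stored hashes.
Constructed illustration; not Coinbase's code or data."""
import hashlib
import hmac
import json
import os
from typing import Optional

# Assumption: the signup form uses these field names for secret-bearing values.
SENSITIVE_FIELDS = frozenset({"password", "password_confirmation"})


def log_failed_signup_unsafe(form: dict) -> str:
    """The buggy pattern: the entire submitted form is dumped into the error log."""
    return "signup_error " + json.dumps(form, sort_keys=True)


def redact(form: dict) -> dict:
    """Return a copy of the form with secret-bearing fields masked."""
    return {k: ("[REDACTED]" if k in SENSITIVE_FIELDS else v) for k, v in form.items()}


def log_failed_signup_safe(form: dict) -> str:
    """Hardened pattern: redact before serialising, so the password never reaches the log."""
    return "signup_error " + json.dumps(redact(form), sort_keys=True)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256 as a stand-in for a real service's password hash."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), 100_000)
    return hmac.compare_digest(digest.hex(), digest_hex)


def find_affected_accounts(log_lines: list, accounts: dict) -> set:
    """Incident scoping: return the emails of accounts whose current password hash
    matches a password that appears in clear text in the error logs."""
    affected = set()
    for line in log_lines:
        if not line.startswith("signup_error "):
            continue
        entry = json.loads(line[len("signup_error "):])
        email, password = entry.get("email"), entry.get("password")
        if not email or not password or password == "[REDACTED]":
            continue
        stored = accounts.get(email)
        if stored and verify_password(password, stored):
            affected.add(email)
    return affected


# --- Constructed sample data (not real log entries or accounts) ---
FORM_A = {"name": "Alice Example", "email": "alice@example.test", "password": "correct horse"}
FORM_B = {"name": "Bob Example", "email": "bob@example.test", "password": "first try"}

# Both signups hit the error path while the unsafe logger was in place.
SAMPLE_LOGS = [log_failed_signup_unsafe(FORM_A), log_failed_signup_unsafe(FORM_B)]

# Alice reloaded and registered with the same password; Bob chose a different one.
ACCOUNTS = {
    "alice@example.test": hash_password("correct horse"),
    "bob@example.test": hash_password("second try"),
}

if __name__ == "__main__":
    print("unsafe log line:", log_failed_signup_unsafe(FORM_A))
    print("safe log line:  ", log_failed_signup_safe(FORM_A))
    print("accounts needing a forced reset:", find_affected_accounts(SAMPLE_LOGS, ACCOUNTS))
```

Only Alice is flagged: her stored hash verifies against the password in the log, while Bob's does not. In practice the redaction step belongs in the logging layer itself (a filter applied to every record), not in one handler, so that the next unexpected error path cannot reintroduce the problem.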

How Coinbase Dealt With the Situation

Coinbase did several things to deal with this situation:

  • Managed to quickly identify and fix the bug.
  • Discovered "all the places where these logs might have ended up."
  • Extensively reviewed access to its internal logging system (hosted on Amazon's AWS), which is visible to "a small number of log analysis service providers"; this review "did not reveal any unauthorized access to this data."
  • Activated a password reset for all 3,420 affected customers despite the fact that knowing someone's password is not enough to gain access to that person's account since Coinbase's "device verification emails" and compulsory Two-Factor Authentication (2FA) mechanism would have "blocked any unauthorized login attempts."
  • Sent email to all 3,420 impacted customers to let them know what had happened and request that they choose new passwords.

Conclusion

Although it is easy to criticize Coinbase for not having a perfectly defect-free implementation (bugs in almost any software system are practically inevitable), Coinbase deserves considerable credit for being so transparent with its customers by publicly making a full disclosure.

Finally, it is worth acknowledging that Coinbase has "an active bug bounty program on HackerOne, which has paid out over a quarter of a million dollars to date."
