Coinbase Says Security Failure Exposed 3,420 Names, Passwords and Email Addresses
The leading US crypto exchange Coinbase says a bug in its signup flow caused the names, email addresses and proposed passwords of 3,420 customers to be written in clear text to its internal logs.
According to the exchange, the registration details of those customers were stored for a time in plain text in its internal logging systems, which include an AWS-hosted log store and a small number of third-party log analysis services, rather than in any customer-facing system.
“Under a very specific and rare error condition, the registration form on our signup page wouldn’t load correctly, which meant that any attempt to create a new Coinbase account under those conditions would fail. Unfortunately, it also meant that the individual’s name, email address, and proposed password (and state of residence, if in the US) would be sent to our internal logs.”
Coinbase says its review found no sign that anyone accessed the logged data, but it has taken precautionary measures in case the records were read.
“After we identified and fixed the bug, we traced back all the places where these logs might have ended up. We have an internal logging system hosted in AWS, as well as a small number of log analysis service providers. Access to all of these systems is tightly restricted and audited. A thorough review of access to these logging systems did not reveal any unauthorized access to this data.
Additionally, we triggered a password reset for impacted customers, even though a password alone is not sufficient to access a Coinbase account — our device verification emails and mandatory 2FA mechanisms would both have been triggered and blocked any unauthorized login attempts.”
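The failure Coinbase describes is a common one: an error path that logs the whole request, password included, so the secret reaches every downstream log store and analysis provider. The following is an added example, not Coinbase's code, showing the anti-pattern, a logging filter that redacts sensitive fields before any handler sees the record, and a scan over existing log lines of the kind a post-incident trace would run. The field names, logger names, sample form and sample log lines are constructed assumptions.

```python
"""Added example (not Coinbase's code): keeping credentials out of error logs.

Shows (1) an error path that dumps a raw registration form into a log,
(2) a logging.Filter that redacts sensitive fields before any handler
(local file, hosted log store, third-party analyser) receives the record,
and (3) a scan over existing log lines to find records that already leaked.
Field names, logger names and sample data below are constructed assumptions.
"""
import io
import logging
import re

# Assumed form fields that must never be logged in clear.
SENSITIVE_KEYS = {"password", "proposed_password", "passwd", "email", "name"}
REDACTED = "[REDACTED]"

# Password-like key/value pairs in free text, e.g. "password=hunter2"
# or "'proposed_password': 'hunter2'" as produced by str(dict).
SECRET_PATTERN = re.compile(
    r"""(["']?(?:proposed_password|password|passwd)["']?\s*[:=]\s*)["']?([^"',}\s]+)["']?""",
    re.IGNORECASE,
)

# Constructed sample input, modelled on the fields named in the statement.
SAMPLE_FORM = {"name": "Alice Example", "email": "alice@example.com",
               "proposed_password": "hunter2", "state": "CA"}

SAMPLE_LOG = [
    "2019-08-16T15:00:01Z INFO signup ok user_id=1001",
    "2019-08-16T15:00:03Z ERROR signup failed: form did not load "
    "form={'name': 'Alice Example', 'email': 'alice@example.com', "
    "'proposed_password': 'hunter2', 'state': 'CA'}",
    "2019-08-16T15:00:05Z INFO login ok user_id=1002",
]


def redact(obj):
    """Deep-copy obj, replacing the values of sensitive keys at any depth."""
    if isinstance(obj, dict):
        return {k: (REDACTED if str(k).lower() in SENSITIVE_KEYS else redact(v))
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj


def redact_text(text):
    """Scrub password-like pairs from an already-formatted message."""
    return SECRET_PATTERN.sub(lambda m: m.group(1) + REDACTED, text)


class RedactingFilter(logging.Filter):
    """Attached to the logger, so every downstream handler sees clean data."""

    def filter(self, record):
        record.msg = redact_text(str(record.msg))
        if isinstance(record.args, dict):          # %(key)s style args
            record.args = redact(record.args)
        elif record.args:                           # positional %s args
            record.args = tuple(
                redact(a) if isinstance(a, dict)
                else redact_text(a) if isinstance(a, str)
                else a
                for a in record.args)
        return True


def error_path(logger, form):
    """The incident's shape: registration fails and the handler logs the
    request, proposed password included (constructed failure)."""
    try:
        raise RuntimeError("registration form failed to load")
    except RuntimeError as exc:
        logger.error("signup failed: %s form=%s", exc, form)


def run_signup_failure(form, protect):
    """Run the error path on a fresh logger and return the captured text.
    protect=False reproduces the leak; protect=True installs the filter."""
    logger = logging.getLogger("signup.safe" if protect else "signup.leaky")
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    buf = io.StringIO()
    logger.addHandler(logging.StreamHandler(buf))
    if protect:
        logger.addFilter(RedactingFilter())
    error_path(logger, form)
    return buf.getvalue()


def find_leaked_lines(lines):
    """Return (line_number, redacted_line) for each line carrying a
    password-like field, for tracing where such records ended up."""
    return [(n, redact_text(line)) for n, line in enumerate(lines, 1)
            if SECRET_PATTERN.search(line)]


if __name__ == "__main__":
    print("leaky:", run_signup_failure(SAMPLE_FORM, protect=False).strip())
    print("safe: ", run_signup_failure(SAMPLE_FORM, protect=True).strip())
    for n, line in find_leaked_lines(SAMPLE_LOG):
        print(f"leaked record at line {n}: {line}")
```

The filter sits on the logger rather than on a single handler, which is the point: the statement above lists an internal AWS-hosted store and external log analysis providers as destinations, and a handler-level fix would protect only one of them. The regex-based scan is a coarse tool for finding records that have already escaped; it will not catch passwords logged under an unlisted field name, so the structured `redact` on the form itself is the control to rely on.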
The disclosure comes shortly after a potentially major data leak at the crypto exchange Binance: photos said to belong to more than 60,000 users who submitted KYC information to the company, taken between 2018 and 2019, have allegedly leaked.
In a separate incident, a white hat hacker took over Binance Jersey's Twitter account on Friday, August 16. Binance says it will pay the hacker a bug bounty for exposing the weakness.
“On August 16, 2019 at 15:00 UTC, a white hat hacker was able to gain access to the @BinanceJE (Binance Jersey) Twitter account by social engineering the email domain name service provider used by Binance Jersey.
The white hat hacker posted a few tweets from the Twitter handle @BinanceJE, then deleted them. The white hat hacker was cooperative and open in his communications with our security team, and we were able to restore the domain name within a few minutes and the Twitter handle a couple of hours later. We will issue a security bug bounty to the white hat hacker, as well as investigate the incident further with our service provider. All funds on Binance.JE are safe. No data was compromised.”