Cryptocurrency exchange platform Coinbase announced on Friday that it recently began emailing a total of 3,420 of its customers to let them know that a bug in its signup page resulted in some registration details being stored in clear text in its internal web server logs. Coinbase reported that under a “rare error condition,” the registration form on its signup page wouldn’t load correctly. This meant that the name, email address, proposed password, and state of residence (if in the U.S.) of the individual signing up would be sent to Coinbase’s internal logs.
“If the individual reloaded the page and then submitted the form for a successful registration, their registration information would (correctly) not be logged, and the password would be securely hashed. However, in the 3,420 instances referenced above, the user successfully registered using a password with a hash that matched the one previously logged.”
Coinbase further explained that after its team identified and fixed the bug, they traced back all the places where the logs might have ended up.
“We have an internal logging system hosted in AWS, as well as a small number of log analysis service providers. Access to all of these systems is tightly restricted and audited. A thorough review of access to these logging systems did not reveal any unauthorized access to this data.”
Coinbase’s team then triggered a password reset for impacted customers. The platform went on to add:
“We maintain incredibly high standards for securing the Coinbase platform, and any time we fall even slightly short of those standards, we mobilize a team to figure out what went wrong, and how we prevent it from happening again. We also believe in being transparent with our customers, which is why we’re sharing the results of our investigation today.”
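The matching step described in Coinbase's statement, checking whether a password captured in the logs is the one the user later registered with, can be sketched as follows. This is an added example, not Coinbase's code: the PBKDF2 scheme, the record layout, the email normalization and all names are assumptions, and the sample data is constructed.

```python
import hashlib
import hmac
import os

# Assumed hashing scheme for illustration; the article does not say
# which password hashing algorithm Coinbase uses.
ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def accounts_needing_reset(logged_attempts, accounts):
    """Return sorted emails whose current password matches one found in logs.

    logged_attempts: iterable of (email, proposed_password) recovered from logs.
    accounts: dict mapping email -> (salt, stored_hash) from the user store.
    """
    impacted = set()
    for email, proposed in logged_attempts:
        key = email.strip().lower()
        record = accounts.get(key)
        if record is None:
            continue  # signup never completed, so there is no credential to reset
        salt, stored = record
        # Re-hash the logged value with the account's salt; constant-time compare.
        if hmac.compare_digest(hash_password(proposed, salt), stored):
            impacted.add(key)
    return sorted(impacted)


def build_sample():
    """Constructed sample data, not real log content."""
    accounts = {}
    for email, pw in [("alice@example.com", "correct horse"),
                      ("bob@example.com", "new-secret-2")]:
        salt = os.urandom(16)
        accounts[email] = (salt, hash_password(pw, salt))
    logged = [
        ("Alice@example.com", "correct horse"),     # reused the logged password
        ("bob@example.com", "old-secret-1"),        # chose a different one later
        ("carol@example.com", "never-registered"),  # no account exists
    ]
    return logged, accounts


if __name__ == "__main__":
    logged, accounts = build_sample()
    print(accounts_needing_reset(logged, accounts))
```

Only accounts in the returned list hold a password that exists in clear text in the logs, which is the population a forced reset needs to cover.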