Crypto exchange behemoth Coinbase discovered a bug in its signup page that led to registration details being stored in clear text in internal web server logs, the company announced in a blog post on Friday.
"Under a very specific and rare error condition," the registration signup page would load properly and a customer would enter their details, but the page would then crash, sending the "individual's name, email address, and proposed password (and state of residence, if in the US)" to Coinbase's internal logs.
If the user refreshed the page and signed up again using the same password, this time successfully, the account's password would match the one that had already been recorded in the logs.
Luckily, the glitch only harmed a tiny fraction of the company's user base. Coinbase has over 30 million users, according to its website. Still, for those unlucky few, Coinbase has the following message:
"While we are confident that the root cause and that logged information were not improperly accessed, misused, or compromised, we are requiring those customers to change their passwords as a best-practice precaution."
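The failure described above, an error path that writes the submitted form to the logs, shown beside one mitigation: a logging filter that masks password fields before any handler formats the record. This is an added example, not Coinbase's code; the field names, the `handle_signup` handler and the sample form are assumptions constructed for illustration.

```python
import io
import logging

# Key names are assumptions for this example; the page lists only the kinds of
# data that reached the logs (name, email, proposed password, state).
SENSITIVE_KEYS = {"password", "proposed_password", "password_confirm"}
MASK = "[REDACTED]"

def redact(value):
    """Return a copy of value with sensitive dict entries masked at any depth."""
    if isinstance(value, dict):
        return {k: MASK if str(k).lower() in SENSITIVE_KEYS else redact(v)
                for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return type(value)(redact(v) for v in value)
    return value

class RedactingFilter(logging.Filter):
    """Mask sensitive fields in log arguments before a handler formats them."""
    def filter(self, record):
        if isinstance(record.args, dict):
            record.args = redact(record.args)
        elif isinstance(record.args, tuple):
            record.args = tuple(redact(a) for a in record.args)
        return True

# Constructed sample submission, not real data.
SAMPLE_FORM = {"name": "Test User", "email": "user@example.com",
               "proposed_password": "constructed-pw-123", "state": "CA"}

def handle_signup(form, logger):
    """Hypothetical signup handler whose error path logs the submitted form."""
    try:
        raise RuntimeError("registration form failed")  # stands in for the rare error
    except RuntimeError:
        logger.error("signup failed, form=%s", form)

def logged_output(with_filter):
    """Run the failing signup once and return what reached the log stream."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    if with_filter:
        # Attached to the handler so records from any logger using it are filtered.
        handler.addFilter(RedactingFilter())
    logger = logging.getLogger("signup.example")
    logger.propagate = False
    logger.addHandler(handler)
    handle_signup(form=SAMPLE_FORM, logger=logger)
    logger.removeHandler(handler)
    return stream.getvalue()
```

Name, email and state are left readable here; add those keys to `SENSITIVE_KEYS` if the logs should not hold them either.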
Although the bug was discovered internally, Coinbase has an active bug bounty program on HackerOne, which has so far paid over $250,000 to white-hatters.
Generally, though, Coinbase's cybersecurity has been squeaky clean. It's currently the only major exchange yet to suffer a breach. Recently, a hacker stole $40 million from Binance, and another stole $450 million from Mt. Gox.
As we reported back in May, Coinbase is so secure it can even hack itself. CEO Brian Armstrong told Wall Street Journal reporter Paul Vigna that the company hires spies to test its cybersecurity systems. The spies get a job at Coinbase and try to hack into its systems. "They might breach one or two" layers of security, Armstrong said, but no more.