Business & Finance

U.S. Biggest Crypto Exchange’s Fault Put 3.5k Users at Risk

California based crypto exchange Coinbase revealed on Friday that the company’s customer passwords, almost 3500 of them were accidentally stored on the company’s internal servers in plain text instead of encrypted text. The company did, however, inform that the internal servers were safe and nobody from the outside got any access to them.

Coinbase broke the news by posting a post-mortem report titled “password storage issue” on their blog, the company said that out of almost 30 million customers worldwide, only 3500 accounts were affected by the fault. The personal information of the customers, as well as the passwords, got stored in plain text instead of being encrypted.

“Under a very specific and rare error condition, the registration form on our signup page wouldn’t load correctly, which meant that any attempt to create a new Coinbase account under those conditions would fail. Unfortunately, it also meant that the individual’s name, email address, and proposed password (and state of residence, if in the US) would be sent to our internal logs.”

The company also sent emails to all 3,500 customers that were affected by the problem, according to the email by Coinbase. Due to a certain error, customers were asked to give their password again and in their second attempt, a hash version of the company’s logs was created that matched real password.

The problem occurred due to a bug in Coinbase’s react.js service side rendering that the company was using for its signup page. react.js helps in displaying the form on the sign-up page, thus the accounts affected were the new accounts created as well.

READ ALSO: Dealing in Cryptos Can Be Risky – FinCEN Warns Casino Owners

“Any user attempting to register needs to have JavaScript enabled, and needs to have that JavaScript load correctly. In virtually all circumstances, both of these things are true and React handles form validation and submission to the server. However, if a user had JavaScript disabled or their browser received a React.js error when loading, there was enough pre-rendered HTML that a user could fill out and attempt to submit our registration form.”

The company said that they will make sure that the bug doesn’t appear anywhere in the future. Coinbase also tracked all the forms on its website on which logs might be stored as the whole system hosted on Amazon Web Services was checked by the team of engineers.

“A thorough review of access to these logging systems did not reveal any unauthorized access to this data, the access to each of the systems is tightly restricted and audited.”

Coinbase further wrote in the post that the company has reset all the passwords for the affected accounts and now requires two-factor recognition for the people to log in the affected accounts. The company is also trying to fix the bug problem by aggressively pursuing its bounty program.

“As a reminder, Coinbase also maintains an active bug bounty program on HackerOne, which has paid out over a quarter of a million dollars to date. While this particular bug was discovered internally, we welcome security researchers to submit reports any time they believe they may have uncovered a flaw in one of our systems,”

READ ALSO: Bakkt Bitcoin Futures to Finally Bring Crypto Institutional Investment

Hassaan Malik

Co-founder of BlockPublisher, Hassaan is a technologist at heart with a keen interest in blockchain, cryptos and traditional financial markets. Email:,

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.