Cryptocurrency exchange Coinbase has revealed a possible vulnerability, disclosing that a small portion of its customers’ passwords was stored in clear text in an internal web server log.
According to its blog post, the 3,420 affected customers have been informed and were required to change their passwords. Coinbase also gave assurances that the root cause of the bug has been fixed and that the stored data was not “improperly accessed, misused, and compromised.”
Some users’ credentials were reportedly saved even when the signup attempt returned an error. Although their registration was denied, their information, including username, email address, state of residence in the U.S., and proposed password, was saved.
The announcement further revealed that the 3,420 people used the same password on their second signup attempt, which succeeded, but by then the password already matched the hashed version in the company’s logs. These customers have been notified via email.
Coinbase said it has already traced the different locations where the logs might be stored, including a system hosted on Amazon Web Services and some “log analysis service providers.”
“A thorough review of access to these logging systems did not reveal any unauthorized access to this data,” the post said, highlighting that each of the systems is “tightly restricted and audited.”
Meanwhile, the exchange also looked for other forms with “problematic behavior,” and it did not find any.
“We’re also in the process of implementing additional mechanisms to detect and prevent the inadvertent introduction of this sort of bug in the future,” the firm with over 30 million users said.
Although the bug was discovered internally, Coinbase also maintains an active bug bounty program on HackerOne, which has so far paid more than $250,000 to white-hat researchers.
“While this particular bug was discovered internally, we welcome security researchers to submit reports any time they believe they have uncovered a flaw in one of our systems.”
Just recently, reports have surfaced that Barclays has allegedly ended its banking relationship with Coinbase. The terminated relationship reportedly disrupted the exchange’s access to FPS, which means slower deposits and withdrawals in GBP for U.K. clients.