Major crypto platform Coinbase has emailed 3,420 Coinbase customers to disclose an accident with customer registration. Some registration details were apparently stored in clear text on the logs of Coinbase’s internal server, with affected customers now required to change their passwords.
Coinbase announced the news in an official blog post on Aug. 16. According to the announcement, Coinbase has resolved the root cause of the bug and the platform is confident that stored data was not “improperly accessed, misused, or compromised.”
Some users’ credentials were saved when a rare signup error occurred. When users encountered this error, Coinbase would deny their registration but still save their credentials, including username, email address, proposed password and state of residence for United States-based users.
Moreover, the announcement specified that the 3,420 individuals then submitted a new registration application, in which they used the same password. Coinbase was apparently able to determine this because the password hash would match the earlier password hash saved from the failed signup attempt.
Coinbase also reassured users that none of the data recorded in their logging system appears to have been accessed and that they have contacted all of the affected users. Per the announcement, Coinbase uses Amazon Work Station (AWS) for its internal logging, and it shares data with a few log analysis services. These analysis services, as well as AWS, are all audited, and access to the info is said to be tightly restricted.
Coinbase has expanded its custodial arm, Coinbase Custody, with the recent acquisition of crypto wallet Xapo’s industrial services. This recent acquisition has bumped up Coinbase’s assets under custody to $7 billion. According to the announcement, Coinbase Custody is now the largest crypto custodian by AUC in the world, with 120 clients spanning 14 different countries.