California-based crypto exchange Coinbase revealed on Friday that almost 3,500 customer passwords had accidentally been written to the company's internal logs in plain text instead of in protected (encrypted or hashed) form. The company said, however, that the internal systems were secure and that nobody outside the company had gained access to them.
Coinbase broke the news in a post-mortem report titled "password storage issue" on its blog. Of its almost 30 million customers worldwide, the company said, only 3,500 accounts were affected by the fault: their personal information, along with their passwords, was stored in plain text instead of being encrypted.
“Under a very specific and rare error condition, the registration form on our signup page wouldn’t load correctly, which meant that any attempt to create a new Coinbase account under those conditions would fail. Unfortunately, it also meant that the individual’s name, email address, and proposed password (and state of residence, if in the US) would be sent to our internal logs.”
The company also sent emails to all 3,500 affected customers, according to Coinbase. Because the error caused their first registration attempt to fail, these customers were asked to enter their password again; on the successful retry a hashed version of the password was stored, and that hash matched the plain-text password that had been captured in the logs.
The problem was caused by a bug in the React.js server-side rendering that Coinbase used for its signup page. React.js renders the form on the sign-up page, so the affected accounts were new accounts created through that flow.
The company said it will make sure the bug does not reappear anywhere in the future. Coinbase also audited every form on its website whose data might end up in logs, and its engineers reviewed the entire system hosted on Amazon Web Services.
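The failure mode described above is a rendering error path that logs the whole submitted form, password included, and the audit that follows is a search of existing logs for fields that should never be there. The following is an added JavaScript example, not Coinbase's code: a redacting error logger (the unsafe pattern beside the hardened one) plus a scanner that flags log lines carrying sensitive fields in the clear. The field list, the sample request and the sample log lines are all constructed for the example.

```javascript
// Added example (not Coinbase's code): redacting form fields before they reach an
// error log, and auditing existing log lines for fields that should never be there.

// Field names that must never be written to a log in clear text. Assumed set for
// this example; extend it to match the forms an application actually serves.
const SENSITIVE_FIELDS = new Set([
  'password', 'proposed_password', 'passwordConfirmation',
  'name', 'email', 'state',
]);

// Recursively replace sensitive values with a fixed marker so the log entry keeps
// its shape (useful for debugging) but none of the secret content.
function redactForLog(value) {
  if (Array.isArray(value)) return value.map(redactForLog);
  if (value && typeof value === 'object') {
    const out = {};
    for (const [key, val] of Object.entries(value)) {
      out[key] = SENSITIVE_FIELDS.has(key) ? '[REDACTED]' : redactForLog(val);
    }
    return out;
  }
  return value;
}

// Vulnerable pattern: a render error handler that logs the whole request so the
// failure can be reproduced later. The form fields, password included, land in the log.
function logRenderErrorUnsafe(sink, err, req) {
  sink.push(JSON.stringify({ level: 'error', msg: err.message, body: req.body }));
}

// Hardened variant: same diagnostic value, sensitive fields replaced.
function logRenderErrorSafe(sink, err, req) {
  sink.push(JSON.stringify({ level: 'error', msg: err.message, body: redactForLog(req.body) }));
}

// Visit every key/value pair in a nested object or array.
function walk(obj, visit) {
  if (Array.isArray(obj)) { obj.forEach((v) => walk(v, visit)); return; }
  if (obj && typeof obj === 'object') {
    for (const [k, v] of Object.entries(obj)) { visit(k, v); walk(v, visit); }
  }
}

// Audit helper: scan log lines for sensitive field names carrying a non-redacted
// value. JSON lines are parsed; other lines get a key=value / key:"value" text search.
function findLeakedFields(lines) {
  const hits = [];
  lines.forEach((line, idx) => {
    let parsed = null;
    try { parsed = JSON.parse(line); } catch (_) { /* not a JSON line */ }
    if (parsed) {
      walk(parsed, (key, val) => {
        if (SENSITIVE_FIELDS.has(key) && val !== '[REDACTED]') hits.push({ line: idx + 1, field: key });
      });
    } else {
      for (const field of SENSITIVE_FIELDS) {
        // field, separator, optional quote, then a value that is not the redaction marker
        const re = new RegExp(`\\b${field}\\s*[=:]\\s*"?(?!"?\\[REDACTED\\])[^\\s"]`);
        if (re.test(line)) hits.push({ line: idx + 1, field });
      }
    }
  });
  return hits;
}

// Constructed sample input: a failed registration request of the kind described above.
const failedRequest = {
  body: { name: 'Jane Doe', email: 'jane@example.com', password: 'hunter2-constructed', state: 'CA' },
};

// Constructed unstructured log lines: one leaking a password, one correctly redacted.
const TEXT_LOG_LINES = [
  'ts=1 level=error password=hunter2 state=CA',
  'ts=2 level=error password="[REDACTED]"',
];

function demo() {
  const unsafeSink = [];
  const safeSink = [];
  const err = new Error('signup form failed to render (constructed)');
  logRenderErrorUnsafe(unsafeSink, err, failedRequest);
  logRenderErrorSafe(safeSink, err, failedRequest);
  return {
    unsafeLeaks: findLeakedFields(unsafeSink),   // name, email, password, state
    safeLeaks: findLeakedFields(safeSink),       // none
    textLeaks: findLeakedFields(TEXT_LOG_LINES), // password and state on line 1
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The redaction is applied by key name at the logging call, so the rendering code cannot leak a field it never sees; the scanner is the cheap first pass of a log audit, and a positive hit is the trigger for the password reset and forced re-authentication the article goes on to describe.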
“A thorough review of access to these logging systems did not reveal any unauthorized access to this data; the access to each of the systems is tightly restricted and audited.”
Coinbase further wrote in the post that it has reset the passwords of all affected accounts and now requires two-factor authentication to log in to them. The company also pointed to its bug bounty program as part of its effort to catch flaws of this kind.
“As a reminder, Coinbase also maintains an active bug bounty program on HackerOne, which has paid out over a quarter of a million dollars to date. While this particular bug was discovered internally, we welcome security researchers to submit reports any time they believe they may have uncovered a flaw in one of our systems.”