
Coinbase Reveals Password Glitch Affecting 3,500 Customers

The rare bug impacted roughly 0.01 percent of the exchange's 30 million customers, Coinbase revealed Friday.

Updated Sept. 13, 2021, 11:20 a.m. Published Aug. 16, 2019, 8:00 p.m.
Coinbase CEO Brian Armstrong

Crypto exchange Coinbase disclosed a potential vulnerability Friday, announcing that a tiny fraction of its customers' passwords were stored in plain text on an internal server log. However, the information was not improperly accessed by outside parties, the exchange said.

In a post-mortem shared with CoinDesk, Coinbase outlined "a password storage issue" affecting fewer than 3,500 customers (out of more than 30 million worldwide) that briefly resulted in personal information, including the passwords, being stored in clear text on internal logging systems.


"Under a very specific and rare error condition, the registration form on our signup page wouldn’t load correctly, which meant that any attempt to create a new Coinbase account under those conditions would fail," the post explained. "Unfortunately, it also meant that the individual’s name, email address, and proposed password (and state of residence, if in the US) would be sent to our internal logs."

In 3,420 instances, the prospective customers reused the same password on their second signup attempt. That attempt succeeded, but it left them with an account password identical to the one that had been captured in clear text in the company's logs. Those customers were notified by Coinbase via email on Friday.

The bug occurred due to Coinbase's use of React.js server-side rendering on the signup page. Essentially, when a user visits the page to sign up for an account, React helps display the form that needs to be filled out.

"Any user attempting to register needs to have JavaScript enabled, and needs to have that JavaScript load correctly," the post explained, adding:

"In virtually all circumstances, both of these things are true, and React handles form validation and submission to the server. However, if a user had JavaScript disabled or their browser received a React.js error when loading, there was enough pre-rendered HTML that a user could fill out and attempt to submit our registration form."

Because the HTML form "was extremely basic," no "action" or "method" attributes were set. Under the browser's default behavior, a form with no method attribute is submitted with "GET," which places every form field, the proposed password included, in the request URL's query string, and that URL was then written to the server's request logs.

The exchange fixed the issue by switching the default form method to "POST," to ensure data is no longer logged.

While Coinbase searched for other forms "with that problematic behavior," the exchange did not identify any.

"We’re also in the process of implementing additional mechanisms to detect and prevent the inadvertent introduction of this sort of bug in the future," the blog post said.
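The three pieces described above, as an added example that is not Coinbase's code: a function that emulates the browser default that turned the pre-rendered signup form into a GET request, an audit that flags forms relying on that default (the kind of search Coinbase ran for "other forms"), and a scan over constructed access-log lines for credential-bearing query strings (one possible detection mechanism). All names, the sample form markup and the log lines are hypothetical.

```javascript
// Added example, not Coinbase's code. Demonstrates how an HTML form with no
// method attribute leaks fields into the URL, how to audit markup for that
// condition, and how to detect the resulting log lines. Runs under Node.js.

// Parameter names treated as sensitive when found in a query string (assumed list).
const SENSITIVE = ['password', 'passwd', 'pwd', 'new_password', 'proposed_password'];

// Return the method and URL a browser would use when submitting the form with
// the given field values. Per the HTML spec a <form> with no method attribute
// uses GET, and GET serialises every field into the query string of the action
// URL (the page's own URL when no action attribute is set).
function formSubmissionUrl(formHtml, pageUrl, fields) {
  const method = (formHtml.match(/\bmethod\s*=\s*["']?(\w+)/i) || [null, 'get'])[1].toLowerCase();
  const action = (formHtml.match(/\baction\s*=\s*["']?([^"'\s>]*)/i) || [null, ''])[1];
  const url = new URL(action || pageUrl, pageUrl);
  if (method === 'get') {
    // This is the step that put name, email and password into the logged URL.
    url.search = new URLSearchParams(fields).toString();
  }
  return { method, url: url.toString() };
}

// Audit: return every <form> opening tag that does not explicitly set
// method="post", i.e. every form that relies on the GET default above.
function formsRelyingOnGet(html) {
  const out = [];
  for (const m of html.matchAll(/<form\b[^>]*>/gi)) {
    if (!/\bmethod\s*=\s*["']?post\b/i.test(m[0])) out.push(m[0]);
  }
  return out;
}

// Detection: given one access-log line in common log format, return the
// sensitive parameter names present in the request's query string.
function sensitiveParamsInLogLine(line) {
  const req = line.match(/"(?:GET|POST|PUT)\s+(\S+)/);
  if (!req) return [];
  const qs = req[1].split('?')[1] || '';
  const names = [...new URLSearchParams(qs).keys()].map(k => k.toLowerCase());
  return names.filter(n => SENSITIVE.includes(n));
}

// Constructed sample: a method-less signup form submitted without JavaScript.
const leaked = formSubmissionUrl('<form id="signup">', 'https://example.test/signup',
  { name: 'A B', email: 'a@b.test', password: 'hunter2' });
const logLine = `10.0.0.1 - - [16/Aug/2019:20:00:00 +0000] "GET ${new URL(leaked.url).pathname}${new URL(leaked.url).search} HTTP/1.1" 500 12`;
console.log(leaked.url, sensitiveParamsInLogLine(logLine));
```

Adding `method="post"` to the form, as Coinbase did, makes `formSubmissionUrl` return the bare action URL, and the log scan then finds nothing in the request line.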

In response to the discovery, Coinbase said it tracked the various locations where the logs might be stored, which included a system hosted on Amazon Web Services and some "log analysis service providers."

"A thorough review of access to these logging systems did not reveal any unauthorized access to this data," the post said, adding that access to each of the systems is "tightly restricted and audited."

Coinbase said it has also triggered password resets for any individual whose account was impacted. (The blog post added that it requires two-factor authentication on top of a password in order for users to log into accounts.)

"While we are confident that we’ve fixed the root cause and that the logged information was not improperly accessed, misused, or compromised, we are requiring those customers to change their passwords as a best-practice precaution," the post explained.

"As a reminder, Coinbase also maintains an active bug bounty program on HackerOne, which has paid out over a quarter of a million dollars to date. While this particular bug was discovered internally, we welcome security researchers to submit reports any time they believe they may have uncovered a flaw in one of our systems," the exchange concluded.

Coinbase's disclosure comes on the heels of Binance and Huobi suffering from actual data breaches. Unlike Coinbase, Binance and Huobi appear to have lost control of client know-your-customer data, including identity verification documents.

Brian Armstrong image via CoinDesk archives
