Coinbase Reveals Password Glitch Affecting 3,500 Customers

The rare bug impacted roughly .01 percent of the exchange's 30 million customers, Coinbase revealed Friday.

By Nikhilesh De
Updated Sep 13, 2021, 11:20 a.m. Published Aug 16, 2019, 8:00 p.m.
Coinbase CEO Brian Armstrong

Crypto exchange Coinbase disclosed a potential vulnerability Friday, announcing that a tiny fraction of its customers' passwords were stored in plain text on an internal server log. However, the information was not improperly accessed by outside parties, the exchange said.

In a post-mortem shared with CoinDesk, Coinbase outlined "a password storage issue" impacting fewer than 3,500 customers (out of more than 30 million worldwide). The issue briefly resulted in personal information, including the passwords, being stored in clear text on internal logging systems.

"Under a very specific and rare error condition, the registration form on our signup page wouldn’t load correctly, which meant that any attempt to create a new Coinbase account under those conditions would fail," the post explained. "Unfortunately, it also meant that the individual’s name, email address, and proposed password (and state of residence, if in the US) would be sent to our internal logs."

In 3,420 instances, the potential customers used the same password on their second signup attempt, which would be successful but would result in their having a password that matches the hashed version on the company's logs. Those customers were notified by Coinbase via email on Friday.

The bug occurred due to Coinbase's use of React.js server-side rendering on the signup page. Essentially, when a user visits the page to sign up for an account, React helps display the form that needs to be filled out.

"Any user attempting to register needs to have JavaScript enabled, and needs to have that JavaScript load correctly," the post explained, adding:

"In virtually all circumstances, both of these things are true, and React handles form validation and submission to the server. However, if a user had JavaScript disabled or their browser received a React.js error when loading, there was enough pre-rendered HTML that a user could fill out and attempt to submit our registration form."

Because the HTML form "was extremely basic," no "action" or "method" attributes were set. As a result, some browsers fell back to their default method, "GET," which encoded the form variables in a way that made them part of the log data.

The exchange fixed the issue by switching the default form method to "POST," to ensure data is no longer logged.

While Coinbase searched for other forms "with that problematic behavior," the exchange did not identify any.

"We’re also in the process of implementing additional mechanisms to detect and prevent the inadvertent introduction of this sort of bug in the future," the blog post said.
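One way such a check could look, as an added example that is not Coinbase's code or part of the original post: a small Node.js lint that scans pre-rendered HTML for forms that contain a password field but would submit via GET, plus a helper showing the URL a GET submission produces. The function names and the sample markup are hypothetical and constructed for illustration.

```javascript
// Added example: flag pre-rendered forms that would send a password via GET.
// Assumption: simple, non-nested <form> markup; a real check would use an HTML parser.
const SAMPLE_HTML = `
<form id="signup-prerendered">
  <input type="text" name="name">
  <input type="email" name="email">
  <input type="password" name="password">
</form>
<form id="signup-fixed" method="POST" action="/signup">
  <input type="email" name="email">
  <input type="password" name="password">
</form>`;

// Read one attribute from a start tag; returns null when it is absent.
function attr(tag, name) {
  const m = new RegExp(`\\s${name}\\s*=\\s*("([^"]*)"|'([^']*)'|([^\\s>]+))`, "i").exec(tag);
  return m ? (m[2] ?? m[3] ?? m[4]) : null;
}

// Per the HTML spec, a missing or unrecognised method value falls back to GET.
function effectiveMethod(formTag) {
  const m = (attr(formTag, "method") || "").toLowerCase();
  return m === "post" || m === "dialog" ? m : "get";
}

// One finding per <form> that holds a password input and submits via GET.
function findLeakyForms(html) {
  const findings = [];
  const formRe = /<form\b[^>]*>([\s\S]*?)<\/form>/gi;
  let m;
  while ((m = formRe.exec(html)) !== null) {
    const formTag = m[0].slice(0, m[0].indexOf(">") + 1);
    const inputs = m[1].match(/<input\b[^>]*>/gi) || [];
    const hasPassword = inputs.some(t => (attr(t, "type") || "").toLowerCase() === "password");
    if (hasPassword && effectiveMethod(formTag) === "get") {
      findings.push({ id: attr(formTag, "id"), fields: inputs.map(t => attr(t, "name")).filter(Boolean) });
    }
  }
  return findings;
}

// The URL a GET submission requests; this string is what request logs record.
function getSubmissionUrl(path, fields) {
  return `${path}?${new URLSearchParams(fields).toString()}`;
}

console.log(findLeakyForms(SAMPLE_HTML));
```

Run against server-rendered output in CI, a non-empty result fails the build before a method-less form reaches production.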

In response to the discovery, Coinbase said it tracked the various locations where the logs might be stored, which included a system hosted on Amazon Web Services and some "log analysis service providers."

"A thorough review of access to these logging systems did not reveal any unauthorized access to this data," the post said, adding that access to each of the systems is "tightly restricted and audited."

Coinbase said it has also triggered password resets for any individual whose account was impacted. (The blog post added that it requires two-factor authentication on top of a password in order for users to log into accounts.)

"While we are confident that we’ve fixed the root cause and that the logged information was not improperly accessed, misused, or compromised, we are requiring those customers to change their passwords as a best-practice precaution," the post explained.

"As a reminder, Coinbase also maintains an active bug bounty program on HackerOne, which has paid out over a quarter of a million dollars to date. While this particular bug was discovered internally, we welcome security researchers to submit reports any time they believe they may have uncovered a flaw in one of our systems," the exchange concluded.

Coinbase's disclosure comes on the heels of Binance and Huobi suffering from actual data breaches. Unlike Coinbase, Binance and Huobi appear to have lost control of client know-your-customer data, including identity verification documents.

Brian Armstrong image via CoinDesk archives

Nikhilesh De

Nikhilesh De is CoinDesk's managing editor for global policy and regulation, covering regulators, lawmakers and institutions. He owns < $50 in BTC and < $20 in ETH. He won a Gerald Loeb award in the beat reporting category as part of CoinDesk's blockbuster FTX coverage in 2023, and was named the Association of Cryptocurrency Journalists and Researchers' Journalist of the Year in 2020.
