Coinbase has exposed the fact that a tiny fraction of its customers’ passwords were stored in plain text on an internal server log. However, the data was not improperly accessed by outside parties, the exchange said.
“Under a very specific and rare error condition, the registration form on our signup page wouldn’t load correctly, which meant that any attempt to create a new Coinbase account under those conditions would fail,” the post explained. “Unfortunately, it also meant that the individual’s name, email address, and proposed password (and state of residence, if in the US) would be sent to our internal logs.”
Coinbase has explored various areas where data leakage could have occurred, including systems in Amazon Web Services and log analysis services.
“Having carefully studied the journal systems, we did not reveal any facts of unauthorized access,” Coinbase writes. “Although we are confident in correcting the initial cause of the problem and in the absence of unauthorized access, these customers will have to change their passwords as a preventative measure.”
Coinbase’s disclosure comes on the heels of Binance and Huobi suffering from actual data breaches. Unlike Coinbase, Binance and Huobi appear to have lost control of client know-your-customer data, including identity verification documents.