With the rise in data breaches and proliferation of sophisticated new phishing websites over the past few years, the odds are almost certain that at least one of your passwords is floating around on the internet, waiting to be misused by a fraudster or criminal. Oftentimes, attackers will take breached or phished login credentials and test them against multiple different websites, a process known as “credential stuffing”, in an attempt to gain access to sensitive online accounts.
At Coinbase, we’ve implemented multiple layers of protection against credential stuffing attacks. Most of these lines of defense remain invisible to you as the customer. Starting today, however, our Security team will notify you if we find your email address and password in a data breach or credential dump from another website, and will proactively lock your account if that email/password combination is currently valid for your account. This gives you the opportunity to change your credentials before they can be used against you.
How does Coinbase do this securely?
Good question! When you create a Coinbase account, we use an algorithm called bcrypt to irreversibly turn your plaintext password into a string of gibberish known as a “hash” that is unique to your account (bcrypt mixes in a random per-account salt, so two customers with the same password get different hashes). Because bcrypt is a “one-way” hash, nobody (including Coinbase) can reverse it to recover the underlying password. Instead, every time you log in, we run the password you typed through bcrypt again, with the same salt, to see if the same plaintext turns into the same hash. If it does, we allow you to log in.
The same logic applies when we’re testing credentials that we find online. When we find a compromised email address and password, we check to see if that email address belongs to an existing customer. If it does, we hash the exposed password using bcrypt, with the salt and cost factor already recorded in the hash we stored for that email address, and see if the result matches. If it does, we’ll lock your account and notify you so you have a chance to reset your password. If it doesn’t match, we simply discard it.
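The following is an added illustration of the flow described in the two paragraphs above; it is not Coinbase’s code. Coinbase uses bcrypt, but the PyPI bcrypt package is not always installed, so this example uses the standard library’s scrypt, which is likewise a salted, slow, one-way function, and embeds the salt and work factors in the stored string the way a bcrypt hash does. The account records, the “credential dump” and the email normalization rule are constructed for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass

# Assumed work factors for the demo. With the real bcrypt package,
# bcrypt.hashpw()/bcrypt.checkpw() replace hash_password()/verify_password().
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password: str) -> str:
    """Signup: derive a hash from a fresh random salt and return a
    self-describing string (params + salt + digest), so verification
    can later re-derive it without any other stored secret."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return "$scrypt$%d$%d$%d$%s$%s" % (
        SCRYPT_N, SCRYPT_R, SCRYPT_P, salt.hex(), digest.hex())


def verify_password(candidate: str, stored: str) -> bool:
    """Login or dump check: re-run the KDF with the salt and parameters
    recorded in `stored` and compare digests in constant time."""
    _, algo, n, r, p, salt_hex, digest_hex = stored.split("$")
    if algo != "scrypt":
        raise ValueError("unsupported hash format: " + algo)
    digest = hashlib.scrypt(candidate.encode("utf-8"),
                            salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=32)
    # compare_digest avoids leaking how many leading bytes matched
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


@dataclass
class Account:
    email: str
    password_hash: str
    locked: bool = False


def normalize_email(email: str) -> str:
    # Assumed rule: addresses in dumps vary in case and whitespace.
    return email.strip().lower()


def process_credential_dump(accounts: dict[str, Account],
                            dump: list[tuple[str, str]]) -> list[str]:
    """For each (email, plaintext) pair found in a breach, lock the account
    only if the email belongs to a customer AND the leaked password
    verifies against the stored hash. Returns the emails that were locked.
    The leaked plaintext is never written anywhere; a non-match is dropped."""
    locked: list[str] = []
    for email, leaked_password in dump:
        account = accounts.get(normalize_email(email))
        if account is None:
            continue  # not a customer: discard
        if account.locked:
            continue  # already locked (e.g. duplicate entry in the dump)
        if verify_password(leaked_password, account.password_hash):
            account.locked = True
            locked.append(account.email)
        # else: hash mismatch, the leaked password is not valid here; discard
    return locked


def build_demo() -> tuple[dict[str, Account], list[tuple[str, str]]]:
    """Constructed sample data: two customers and a three-entry dump."""
    accounts = {
        "alice@example.com": Account(
            "alice@example.com", hash_password("correct horse battery staple")),
        "bob@example.com": Account(
            "bob@example.com", hash_password("hunter2")),
    }
    dump = [
        ("Alice@Example.com ", "correct horse battery staple"),  # reused: lock
        ("bob@example.com", "password123"),                     # wrong: discard
        ("carol@example.com", "hunter2"),                        # not a customer
    ]
    return accounts, dump


if __name__ == "__main__":
    accounts, dump = build_demo()
    print("locked:", process_credential_dump(accounts, dump))
```

Running it locks only alice@example.com: Bob’s leaked password does not verify, and Carol is not a customer. Note that the check is exactly a login attempt performed server-side with the leaked password, so it costs one KDF evaluation per customer entry in the dump and never requires the stored hash to be reversed.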
Still have questions or concerns?
Feel free to reach out to us! You can contact our team directly at security@coinbase.com. We’re always happy to chat about our efforts to keep Coinbase, as well as the wider ecosystem, as safe as possible.
Matt Muller is part of the User Trust team, which leads Coinbase’s anti-abuse and customer protection initiatives.
Published at Tue, 09 Apr 2019 21:18:41 +0000