Coinbase Security: Now protecting your Coinbase account in more places

With the rise in data breaches and proliferation of sophisticated new phishing websites over the past few years, the odds are almost certain that at least one of your passwords is floating around on the internet, waiting to be misused by a fraudster or criminal. Oftentimes, attackers will take breached or phished login credentials and test them against multiple different websites, a process known as “credential stuffing”, in an attempt to gain access to sensitive online accounts.

At Coinbase, we’ve implemented multiple layers of protection against credential stuffing attacks. Most of these lines of defense remain invisible to you as the customer. Starting today, however, our Security team will notify you if we find your email address and password in a data breach or credential dump from another website, and will proactively lock your account if that email/password combination is currently valid for your Coinbase account.This gives you the opportunity to change your credentials before they can be used against you.

How does Coinbase do this securely?

Good question! When you create a Coinbase account, we use an algorithm called bcrypt to irreversibly turn your plaintext password into a string of gibberish known as a “hash’ that is unique to your account. Because bcrypt is a “one-way” hash, nobody (including Coinbase) can decrypt it to figure out the underlying password. Instead, every time you log in, we run your password again to see if the same plaintext turns into the same hash. If it does, we allow you to log in.

The same logic applies when we’re testing credentials that we find online. When we find a compromised email address and password, we check to see if that email address belongs to an existing Coinbase customer. If it does, we hash the exposed password using bcrypt and see if it matches the hash we previously stored for the associated email address. If it does, we’ll lock your account and notify you so you have a chance to reset your password. If it doesn’t match, we simply discard it.

Still have questions or concerns?

Feel free to reach out to us! You can contact our team directly at security@coinbase.com. We’re always happy to chat about our efforts to keep Coinbase customers, as well as the wider cryptocurrency ecosystem, as safe as possible.

Matt Muller is part of the Coinbase User Trust team, which leads Coinbase’s anti-abuse and customer protection initiatives.