So what is Coinbase doing to protect your funds and personal data and what can you do to protect yourself?
Coinbase maintains an aggressive vulnerability management program. As rumors of this vulnerability emerged several days ago, we began preparing for a few different potential vulnerability types. Coinbase runs in Amazon Web Services (AWS), and our general security posture is one of extreme caution. Sensitive workloads, especially those that handle keys, run on dedicated hardware instead of shared hardware. Where we do run on shared hardware, we make it harder to accurately target one of our systems by rapidly cycling through AWS instances.
Once the disclosure embargo lifted and details became available, we evaluated the impact to Coinbase and worked closely to ensure that all of the hosts running our workloads were patched and that, as we continue to cycle those workloads, we do not migrate onto unpatched hosts. This effectively mitigates the risk of a cross-VM attack on our systems. We are also patching all of our base operating systems to further reduce the risk of this vulnerability being used to escalate privilege by an attacker who has gained access through other means.
However, there are a few actions you should take right now to limit your exposure:
Update your operating systems with the latest patches. OS X 10.13.2 seems to contain a fix (although we don’t have official confirmation from Apple). Windows has . The various Linux distributions are working through the update process and have released advisories ( has a good list).
Update your browsers. Browsers are continually releasing new features and protections. As a best practice, you should enable automatic updates on your browser. Firefox 57 has mitigations in place. Chrome 64 will have mitigations (release targeted on 23 January), but you can enable (Chrome 63 and later) in the meantime for an effective mitigation. IE/Edge mitigations are available in .
Use a vault. Funds to which you do not need immediate access should be placed in a vault. The vault enforces multi-party approval and a time-locked withdrawal process that is resistant to an attacker even if they have full account access.
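Patching hosts and base operating systems (above) and updating your own OS are only effective once the running kernel actually applies the mitigations. The following check, added here as an example and not part of the original post or of Coinbase's tooling, reads the per-issue status files that Linux kernels from 4.15 onward expose under /sys/devices/system/cpu/vulnerabilities/ and reports any entry that is neither "Not affected" nor "Mitigation: ..."; the VULN_DIR override and the check_cpu_mitigations name are this example's own.

```shell
#!/bin/sh
# Reports which CPU speculative-execution issues the running kernel still
# lists as unmitigated. Linux >= 4.15 exposes one file per issue
# (meltdown, spectre_v1, spectre_v2, ...) whose content is one of
# "Not affected", "Mitigation: <technique>" or "Vulnerable[: detail]".
# VULN_DIR may be overridden, e.g. to inspect a mounted guest root.
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# check_cpu_mitigations [dir]
# Prints "UNMITIGATED <issue>: <status>" for each unmitigated entry.
# Returns 0 when every entry is mitigated or not applicable,
# 1 when at least one entry is still vulnerable,
# 2 when the directory is missing (kernel too old to report status).
check_cpu_mitigations() {
    dir="${1:-$VULN_DIR}"
    rc=0
    if [ ! -d "$dir" ]; then
        echo "no $dir: this kernel does not report mitigation status" >&2
        return 2
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        status=$(cat "$f" 2>/dev/null) || continue
        case "$status" in
            "Not affected"*|"Mitigation:"*) ;;          # already handled
            *) echo "UNMITIGATED $name: $status"; rc=1 ;; # e.g. "Vulnerable"
        esac
    done
    return $rc
}

# Run against the live kernel when executed directly; the if-form keeps a
# non-zero result from aborting the script under "set -e".
if check_cpu_mitigations; then
    echo "all reported CPU issues are mitigated or not applicable"
else
    echo "unmitigated CPU issues remain: update the kernel/microcode" >&2
fi
```

A host that prints UNMITIGATED entries after an update usually needs a reboot into the new kernel or a microcode package, so this is a useful post-patch gate in a fleet-cycling workflow like the one described above.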
If at any point you believe your account is at risk you should:
Protect yourself by locking your account. Click the account lock link we send at the bottom of every password reset, new device confirmation or transaction confirmation message, or call phone support at 1 (888) 908-7930 (M-F, 6AM-6PM Pacific time) and press 1.
About Philip Martin
Philip Martin is the Chief Security Officer for Coinbase, where he is responsible for developing the technology, processes and team that safely store one of the world’s largest holdings of cryptocurrency. Prior to Coinbase, Philip built and led the Incident Response and Security Engineering teams at Palantir Technologies, developed new virtual infrastructure at Amazon A9 and spent a decade as a US Army counterintelligence agent in a range of foreign and domestic roles.