CloudBleed and Coinbase

Philip Martin
The Coinbase Blog
Feb 25, 2017

Last night, Coinbase became aware of a security bug with CloudFlare, a service Coinbase uses for Denial of Service protection. This bug, now commonly known as CloudBleed, led to the leak of data from services that use CloudFlare in very specific and relatively rare circumstances. We strongly believe that the foundation of trust is transparency, so we want to share a more in-depth analysis of how this event impacts Coinbase and our customers.

Thus far, CloudFlare has identified about 150 CloudFlare customers, including Coinbase, affected by the bug. To date, CloudFlare and Coinbase have identified only a single instance of a leaked Coinbase session cookie, which we immediately invalidated. At this time, we are aware of no further impact. The Coinbase security team will continue to work closely with CloudFlare to determine what, if any, other data may have been exposed by this event. We have no reason to believe that any Coinbase customer’s personal data or account has been compromised. Coinbase’s overall security architecture is designed to minimize the presence of long-term authentication credentials (for risks just like this one). A few long-term credentials remain, so, in an abundance of caution, we recommend that customers:

  • Rotate any static API keys, and use the IP address restriction feature
  • Log out of and back in to any Coinbase mobile applications you have installed, to refresh your authentication token
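The three mitigations this post relies on (invalidating a leaked session cookie server-side, rotating a static API key, and restricting a key to an IP allowlist) are shown together below as an added example. This is illustrative code written for this page, not Coinbase's own implementation or API; the `CredentialStore` class, its method names and the in-memory storage are hypothetical, and a real deployment would persist only a hash of each API secret in a database.

```python
import hmac
import ipaddress
import secrets
import time
from dataclasses import dataclass


@dataclass
class ApiKey:
    key_id: str
    secret: str           # illustrative only: a real store keeps a hash, not the secret
    allowed_cidrs: list   # IP restriction; an empty list means unrestricted (assumption)
    created_at: float
    revoked: bool = False


class CredentialStore:
    """Hypothetical in-memory credential store used to demonstrate the mitigations."""

    def __init__(self):
        self.api_keys = {}   # key_id -> ApiKey
        self.sessions = {}   # session cookie value -> user id

    def issue_api_key(self, allowed_cidrs=()):
        """Create a new static API key, optionally restricted to the given CIDR ranges."""
        key_id = secrets.token_hex(8)
        secret = secrets.token_urlsafe(32)
        self.api_keys[key_id] = ApiKey(key_id, secret, list(allowed_cidrs), time.time())
        return key_id, secret

    def rotate_api_key(self, old_key_id):
        """Revoke the old key and issue a replacement that keeps the same IP restriction.
        Revocation is immediate, so a copy of the old secret leaked elsewhere is useless."""
        old = self.api_keys[old_key_id]
        old.revoked = True
        return self.issue_api_key(old.allowed_cidrs)

    def authenticate_api(self, key_id, secret, source_ip):
        """Accept a request only if the key exists, is not revoked, the secret matches
        (constant-time compare) and the caller's IP falls inside the allowlist."""
        rec = self.api_keys.get(key_id)
        if rec is None or rec.revoked:
            return False
        if not hmac.compare_digest(rec.secret, secret):
            return False
        if rec.allowed_cidrs:
            ip = ipaddress.ip_address(source_ip)
            if not any(ip in ipaddress.ip_network(c) for c in rec.allowed_cidrs):
                return False
        return True

    def create_session(self, user_id):
        """Issue a random, server-tracked session cookie for a logged-in user."""
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = user_id
        return cookie

    def invalidate_session(self, cookie):
        """Server-side invalidation: once removed here, the cookie value is worthless
        even if a copy of it was leaked. Returns True if a session was actually removed."""
        return self.sessions.pop(cookie, None) is not None

    def session_user(self, cookie):
        """Resolve a cookie to a user id, or None if no live session exists."""
        return self.sessions.get(cookie)


if __name__ == "__main__":
    store = CredentialStore()
    # Constructed sample: a key locked to the documentation range 203.0.113.0/24.
    key_id, secret = store.issue_api_key(["203.0.113.0/24"])
    print(store.authenticate_api(key_id, secret, "203.0.113.7"))   # True
    print(store.authenticate_api(key_id, secret, "198.51.100.7"))  # False: IP not allowed
    new_id, new_secret = store.rotate_api_key(key_id)
    print(store.authenticate_api(key_id, secret, "203.0.113.7"))   # False: old key revoked
    cookie = store.create_session("user-1")
    store.invalidate_session(cookie)
    print(store.session_user(cookie))                              # None
```

Because the session list and the revocation flag live on the server, a cookie or key that has already been copied by a third party stops working the moment it is invalidated or rotated, which is why the post can treat the single leaked cookie as contained once it was invalidated.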

We will continue to monitor the situation and provide further updates if we become aware of additional information.
