The Coinbase Security team takes numerous safety precautions to secure your account. This includes checking the dark web for signs that a third party may have compromised your Coinbase account sign-in credentials.
To ensure the safety of your account, Coinbase will notify you to change your password if we find that your password may have been exposed through data breaches from other websites. This gives you the opportunity to change your password before your information can be used against you.
How did my password get exposed?
While we can't always tell exactly how an attacker got your password, it's typically due to one of the following reasons:
Reusing the same password across multiple websites.
Entering your credentials into a phishing website.
Inadvertently installing keystroke-logging malware on your computer.
How do I secure my account?
We strongly recommend that you immediately:
Run a malware scan on your computer using a reputable tool like Malwarebytes, which provides this service for free.
Change your Coinbase password: https://www.coinbase.com/password_resets/new
Change your password on other websites, especially if you use the same password in multiple places. We also recommend using a trusted password manager like 1Password or Dashlane to easily generate and securely store unique passwords for all of your online accounts.
Use a strong 2-step verification method like a hardware security key or Google Authenticator (TOTP). Go to your security settings to upgrade the 2-step method on your Coinbase account.
Learn more about how to make your account more secure.
How is my password protected on Coinbase?
When you create a Coinbase account, we use an algorithm called bcrypt to turn your plaintext password into a hash that’s unique to your account. This means that your password is stored as a random-looking string, which makes the original password hard to figure out. Hashing is one-way, so no one, including Coinbase, can decrypt your stored hash to recover the underlying password. Instead, when you sign in to your account, our system hashes the password you enter and verifies it’s you by comparing the result with the stored hash.
How does Coinbase check if my password was exposed?
When we learn of any new data breaches across the web involving compromised sign-in credentials (email and password), we check to see if any of the exposed email addresses are associated with existing Coinbase customer accounts. If one is, then we use bcrypt to hash the corresponding exposed password and see if it matches the stored password hash associated with that email address. If it does match, then we send the affected customer a notification to change their password.
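The check described above, sketched as an added example that is not Coinbase's code: it uses PBKDF2 from Python's standard library as a stand-in for bcrypt so it runs without extra packages. The storage layout, work factor, email addresses and passwords are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # assumed work factor for the stand-in KDF


def hash_password(password, salt=None):
    """Return (salt, digest); a fresh random salt makes each stored hash unique."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify(password, salt, stored_digest):
    """Re-hash with the account's own salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_digest)


def find_exposed_accounts(accounts, breach_records):
    """accounts: {lowercased email: (salt, digest)}; breach_records: (email, password) pairs."""
    exposed = set()
    for email, leaked_password in breach_records:
        key = email.strip().lower()
        record = accounts.get(key)
        if record is None:
            continue  # email in the dump is not a customer
        if verify(leaked_password, *record):
            exposed.add(key)  # password reused here: notify this user
    return sorted(exposed)


# Constructed sample accounts; alice and erin happen to share a password.
ACCOUNTS = {
    email: hash_password(pw)
    for email, pw in [
        ("alice@example.com", "Tr0ub4dor&3"),
        ("bob@example.com", "unique-to-this-site"),
        ("erin@example.com", "Tr0ub4dor&3"),
    ]
}
# Constructed breach dump from some other website.
BREACH = [
    ("Alice@Example.com", "Tr0ub4dor&3"),  # reused password: match
    ("bob@example.com", "hunter2"),  # different password: no match
    ("dave@example.org", "Tr0ub4dor&3"),  # not a customer: skipped
]
```

Because every stored hash has its own salt, the exposed password has to be re-hashed per account rather than looked up in bulk; erin shares alice's password but is not flagged because her email is not in the dump.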