Coinbase Foils Extortion Attempt, Reinforces Bug Bounty Program
- December 8, 2022
A self-proclaimed “hacker” demanded $450,000 after falsely claiming to be in possession of sensitive data belonging to Coinbase customers.
Coinbase (COIN), the largest cryptocurrency exchange in the U.S. and the first crypto exchange to list on a U.S. stock market, is raising awareness of its bug bounty program after a recent extortion attempt.
Almost a month ago, an individual emailed both Coinbase and CoinDesk claiming to have “dehashed” and “decrypted” sensitive data relating to 306 million Coinbase user accounts. (Coinbase says this is a mathematical impossibility; hashed data cannot be “dehashed” or “decrypted.”) The sender threatened to publish the information unless Coinbase paid $450,000.
Coinbase initially engaged the sender and, after investigating, confirmed that the reported breach was unfounded. The company did not say whether it would pursue charges in such cases.
“The individual has falsified information in order to seem legitimate; they’re just trying to extort money out of businesses. We’re not the first company on their list,” Jeff Lunglhofer, Coinbase’s chief information security officer, told CoinDesk in an interview.
Last month, Uber’s former chief security officer, Joe Sullivan, was convicted of two felonies for covering up a $100,000 extortion payment to hackers after a 2016 breach of the ride-sharing firm’s database.
Both the Uber verdict and the recent extortion email prompted Lunglhofer to reiterate, in a new Coinbase blog post, the importance of a robust bug bounty program. A bug bounty is a reward a company pays to individuals or outside security teams who find and responsibly report vulnerabilities in its systems.
“We wanted to share some best practices for responsible disclosure and how we responded to a recent extortion attempt,” Lunglhofer wrote in the post.
What should you do when you come across a bug?
When you find a vulnerability on any of Coinbase’s platforms, Lunglhofer urges you to provide a detailed description of the alleged bug.
“We can’t evaluate any submission that provides little detail,” he says.
Lunglhofer typically looks for two things: a clear path to sensitive information or crypto assets, and evidence of a potential breach.
The second step after discovering a bug is to give Coinbase enough time to fix it before telling anyone else.
“A responsible security researcher will always provide a reasonable amount of time for us to respond to and fix a security issue before disclosing the details to any other party,” Lunglhofer writes in the post.
Hackers who operate this way, finding flaws and reporting them within the rules, are known as white-hat. Demand for their services is high because thorough security research is costly and time-consuming.
Lunglhofer stresses the importance of staying within the law. Extortion and blackmail are not only criminal but also self-defeating: they disqualify a submission outright.
“A bug bounty submission can never contain threats or any attempts at extortion,” Lunglhofer says. “We are always open to paying bounties for legitimate findings.” Ransom demands, on the other hand, are an entirely different matter.
Last month marked the 10-year anniversary of Coinbase’s bug bounty program. The program has found and fixed more than 600 bugs, and it has paid out more than $400,000 in bounties this year alone. The largest single bounty was $250,000, paid to an independent researcher who discovered a vulnerability in Coinbase’s trading interface.