Coinbase, one of the largest cryptocurrency exchanges in the world, will protect its customers against so-called “credential stuffing” attacks. The measure is aimed at hackers who try to log in with customer login data that has previously been leaked on other online platforms.
With credential stuffing, hackers try to log in on a variety of online platforms with a collection of leaked login data. People who use the same password on multiple online platforms are therefore particularly vulnerable to this type of attack. Research shows that 81% of respondents reuse one or more passwords.
In a Coinbase blog post that was published on April 9, Matt Muller, Head of Trust Operations at Coinbase, writes that nowadays, at least one of your passwords is floating around somewhere:
“With the increase in data breaches and advanced new phishing websites in recent years, it is almost certain that at least one of your passwords will be floating around on the internet, waiting to be abused by a fraudster or criminal.”
To detect this, Coinbase uses an algorithm that it already uses internally. Normally, the algorithm forms a hash from a password and the login data. This lets Coinbase verify that the password a user enters is correct without having to store the actual password.
By applying the same algorithm to known leaked login data and comparing the outcome with the Coinbase database, the exchange can find out whether login data from its customers has been leaked. The technique is not new; companies like Google are already doing this. However, Coinbase is the first cryptocurrency exchange to protect its customers against such attacks.
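The comparison described above can be sketched as follows. This is an added example, not Coinbase's code: the article does not name the algorithm, so PBKDF2-HMAC-SHA256 with a per-user salt stands in for it, and the function names, iteration count, accounts and leaked pairs are all constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor, not a value from the article


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow salted hash, as stored at sign-up (PBKDF2 is a stand-in algorithm)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_record(password: str) -> dict:
    """Build the stored record: random salt plus hash, never the password itself."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


def find_exposed_accounts(user_db: dict, leaked_pairs: list) -> list:
    """Return logins whose current password appears in the leaked list."""
    exposed = set()
    for login, leaked_password in leaked_pairs:
        key = login.strip().lower()
        record = user_db.get(key)
        if record is None:
            continue  # leaked entry does not belong to one of our customers
        # Re-hash the leaked password with this user's own salt, then compare
        # in constant time against the stored hash.
        candidate = hash_password(leaked_password, record["salt"])
        if hmac.compare_digest(candidate, record["hash"]):
            exposed.add(key)
    return sorted(exposed)


# Constructed sample data: stored records and a leaked credential list.
USER_DB = {
    "alice@example.com": make_record("correct horse battery staple"),
    "bob@example.com": make_record("Summer2019!"),
    "carol@example.com": make_record("tr0ub4dor&3"),
}
LEAKED_PAIRS = [
    ("bob@example.com", "Summer2019!"),    # reused password: match
    ("Alice@Example.com", "hunter2"),      # known login, different password
    ("dave@example.com", "letmein"),       # not a customer
    ("carol@example.com", "tr0ub4dor&3"),  # reused password: match
]

if __name__ == "__main__":
    for login in find_exposed_accounts(USER_DB, LEAKED_PAIRS):
        print(f"{login}: leaked password still in use, require a reset")
```

Because each record has its own salt, only leaked entries whose login matches a customer need to be hashed, which keeps the check cheap even against very large leak collections.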