Coinbase Foils Extortion Attempt, Reinforces Bug Bounty Program

A self-proclaimed "hacker" demanded $450,000 after falsely claiming to be in possession of sensitive Coinbase customer data.

Nov 30, 2022 at 5:14 p.m. UTC
Updated Nov 30, 2022 at 7:36 p.m. UTC

Coinbase (COIN), the largest cryptocurrency exchange in the U.S. by trading volume and the first crypto exchange to go public on a U.S. stock market, is raising awareness of its bug bounty program after a recent extortion attempt.

A malicious actor emailed both Coinbase and CoinDesk earlier this month, claiming to have “dehashed” and “decrypted” sensitive data from 306 million Coinbase user accounts (Coinbase says it’s not mathematically possible to “dehash” or “decrypt” data). The individual threatened to go public if Coinbase didn’t shell out $450,000.

Coinbase’s security team contacted the extortionist and later confirmed claims of a breach were unfounded. (Coinbase confirmed it typically collaborates with law enforcement in such cases but didn't elaborate on whether charges might be filed.)

“This is an absolutely baseless extortion attempt. The individual is falsifying information to come across as legitimate, and they're just trying to extort money out of companies. I'm sure we're not the first company on their list or the only scam they have running,” Jeff Lunglhofer, chief information security officer at Coinbase, told CoinDesk in an interview.

Indeed, last month, Uber’s former chief security officer, Joe Sullivan, was convicted of two felonies for allegedly covering up a $100,000 extortion payment to hackers after a 2016 breach of the ride-sharing firm’s database.

Both the Uber scandal and the recent email incident prompted Lunglhofer to reiterate the importance of a robust bug bounty program in a new Coinbase blog post. A bug bounty is a reward that companies pay to individuals or outside security teams who discover and alert them to vulnerabilities in their systems.

“In the wake of the recent Uber verdict, there is a lot of concern in the industry about bug bounty submissions becoming extortion attempts,” Lunglhofer wrote. “We thought we would share some of the best practices for responsible disclosure, illustrated by a recent (fraudulent) extortion attempt we received.”

You’ve spotted a bug. Now what?

If an individual discovers a vulnerability on any of Coinbase’s platforms, Lunglhofer emphasizes providing a detailed and accurate description of the alleged bug.

“We can’t evaluate a submission that lacks sufficient detail,” he states.

The details Lunglhofer typically looks for are things like access paths to sensitive information or to actual crypto assets, as well as an indication of potential damage from the vulnerability.

Once an individual collects all pertinent details, the second step is ensuring Coinbase has sufficient time to patch the bug before disclosing its existence to anyone else.

“A responsible security researcher will always provide a reasonable amount of time for us to respond to and fix a security issue before disclosing the details to any other party,” Lunglhofer says.

Finally, Lunglhofer stresses the importance of remaining lawful. Attempting to extort or blackmail a company for $450,000 is blatantly criminal.

“A bug bounty submission can never contain threats or any attempts at extortion. We are always open to paying bounties for legitimate findings,” Lunglhofer says. “Ransom demands are an entirely different matter.”

Coinbase’s bug bounty program marked its 10-year anniversary last month. The program has found and fixed more than 600 bugs and paid out more than $400,000 in bounties this year alone. The largest bounty from the program, a cool $250,000, was paid this past February to an independent researcher who discovered a vulnerability in Coinbase’s trading interface.


Frederick Munawa

Frederick Munawa was a Technology Reporter for Coindesk. He covered blockchain protocols with a specific focus on bitcoin and bitcoin-adjacent networks.
