TL;DR: Yesterday a new class of attacks against modern CPU microarchitectures was disclosed to the public at large. Coinbase has taken and will continue to take measures to keep your funds and your data safe. All customer funds remain unaffected. Please make sure you update your operating systems with the latest security patches and follow browser recommendations (Chrome, Firefox, IE/Edge) to mitigate the impact of these bugs on your systems.
So what is Coinbase doing to protect your funds and personal data and what can you do to protect yourself?
Coinbase maintains an aggressive vulnerability management program. As rumors of this vulnerability emerged several days ago, we began preparing for a few different potential vulnerability types. Coinbase runs in Amazon Web Services (AWS) and our general security posture is one of extreme caution. Sensitive workloads, especially where key handling is involved, run on Dedicated Instances (instead of shared hardware). Where we do run on shared hardware, we make it more difficult to accurately target one of our systems by rapidly cycling through instances in AWS. Once the disclosure embargo lifted and details became available, we evaluated the impact to Coinbase and we worked closely with AWS to ensure that all of the hosts running our workloads were patched and, as we continue to cycle those workloads, we don’t migrate to unpatched hosts. This effectively mitigates the risk of a cross-VM attack on our systems. We are also patching all of our base operating systems to further mitigate the risk of this vulnerability being used to escalate privilege by an attacker who can gain access through other means.
However, there are a few actions you should take right now to limit your exposure:
- Update your operating systems with the latest patches. OS X 10.13.2 seems to contain a fix (although we don’t have official confirmation from Apple). Windows has released an update. The various Linux distributions are working through the update process and have released advisories (https://www.bleepingcomputer.com/news/security/list-of-meltdown-and-spectre-vulnerability-advisories-patches-and-updates/ has a good list).
- Update your browsers. Browsers are continually releasing new features and protections. As a best practice, you should enable automatic updates on your browser. Firefox 57 has mitigations in place. Chrome 64 will have mitigations (release targeted on 23 January), but you can enable Site Isolation (Chrome 63 and later) in the meantime for an effective mitigation. IE/Edge mitigations are available in KB4056890.
- Use Vaults. Funds to which you do not need immediate access should be placed in a vault. The vault will enforce multi-party approval and a time locked withdrawal process that is resistant to an attacker even if they have full account access.
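On Linux, the quickest way to confirm that the OS update above actually took effect is to read the kernel's own mitigation report. The following is an added example (not Coinbase's code) that parses the per-issue status files a patched kernel exposes under /sys/devices/system/cpu/vulnerabilities/; it assumes a kernel new enough to provide that directory, and treats a missing file as "unknown", which in practice means the kernel predates the fixes. The sample status values are constructed for illustration.

```python
"""Report the Linux kernel's self-declared Meltdown/Spectre mitigation status.

Patched kernels expose one file per issue under SYSFS_DIR, each holding a
single line such as "Not affected", "Vulnerable", or "Mitigation: PTI".
A kernel without the directory has no mitigations to report: patch it.
"""
import os
from typing import Dict

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"
# The three issues disclosed in January 2018; newer kernels add more files.
ISSUES = ("meltdown", "spectre_v1", "spectre_v2")

# Constructed sample: what a fully patched host reports.
SAMPLE_PATCHED = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Mitigation: __user pointer sanitization\n",
    "spectre_v2": "Mitigation: Full generic retpoline\n",
}
# Constructed sample: a partially patched host (old microcode / compiler).
SAMPLE_PARTIAL = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Mitigation: __user pointer sanitization\n",
    "spectre_v2": "Vulnerable: Minimal generic ASM retpoline\n",
}


def classify(status: str) -> str:
    """Map one kernel status line to 'ok', 'vulnerable' or 'unknown'."""
    s = status.strip()
    if s.startswith("Not affected") or s.startswith("Mitigation:"):
        return "ok"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def evaluate(statuses: Dict[str, str]) -> Dict[str, str]:
    """Classify every known issue; absent entries become 'unknown'."""
    return {issue: classify(statuses.get(issue, "")) for issue in ISSUES}


def needs_patching(statuses: Dict[str, str]) -> bool:
    """True unless every issue is reported as mitigated or not affected."""
    return any(state != "ok" for state in evaluate(statuses).values())


def read_sysfs(directory: str = SYSFS_DIR) -> Dict[str, str]:
    """Read the real status files, skipping any the kernel does not provide."""
    found = {}
    for issue in ISSUES:
        path = os.path.join(directory, issue)
        if os.path.isfile(path):
            with open(path) as fh:
                found[issue] = fh.read()
    return found


if __name__ == "__main__":
    live = read_sysfs()
    for issue, state in evaluate(live).items():
        print(f"{issue:10s} {state}")
    print("ACTION: apply kernel updates" if needs_patching(live) else "OK")
```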
If at any point you believe your account is at risk you should:
- Protect yourself by locking your account. Click the account lock link we send at the bottom of every password reset, new device confirmation or transaction confirmation message, or call phone support at 1 (888) 908-7930 (M-F, 6AM-6PM Pacific time) and press 1.
- Let us know by filing a ticket, emailing [email protected] or calling 1 (888) 908-7930 (M-F, 6AM-6PM Pacific time), option 1.