Coinbase, a platform used for buying, selling and storing cryptocurrency, notified over 6,000 customers that they were victims of a targeted campaign to gain access to their accounts that involved a combination of phishing attacks and a flaw in Coinbase’s two-factor authentication system.
Between March and May of 2021, hackers managed to get into the accounts and move funds off the platform, draining some accounts dry. Thousands of customers had already begun to complain to Coinbase that funds had vanished from their accounts.
According to the letter sent to users, here’s how Coinbase claims the hackers got into the compromised accounts:
“In order to access your Coinbase account, these third parties first needed prior knowledge of the email address, password, and phone number associated with your Coinbase account, as well as access to your personal email inbox. While we are not able to determine conclusively how these third parties gained access to this information, this type of campaign typically involves phishing attacks or other social engineering techniques to trick a victim into unknowingly disclosing login credentials to a bad actor. We have not found any evidence that these third parties obtained this information from Coinbase itself.”
Once they had a user’s login and password, Coinbase says the hackers “took advantage of a flaw in Coinbase’s SMS Account Recovery process in order to receive an SMS two-factor authentication token and gain access” to the account. Once they were in, the hackers simply transferred the funds to wallets off the Coinbase platform.
Coinbase says that it updated its SMS Account Recovery protocols as soon as it became aware of the problem. The company is encouraging customers to secure their accounts with a TOTP (time-based one-time password) or a hardware security key. And, of course, it recommends changing your current password.
Some good news for the victims: Coinbase has already started to reimburse some customers and promises that all customers will receive the full value of what was lost. Victims will receive free credit monitoring. Along with working with law enforcement in its investigation, Coinbase is also launching an internal investigation into what happened.
Coinbase did not disclose how much cryptocurrency was stolen in the attack, but I’m sure it’s nowhere near the amount that was stolen a few months ago from Poly Network in a wild digital heist.