Just a few days ago, it emerged that hackers stole cryptocurrency from over 6,000 Coinbase customers. The incident was confirmed by a breach notification letter sent by Coinbase; a copy of the letter was posted on the Attorney General of California’s website.
The breach occurred between March and May 20th, 2021. During that time, malicious parties exploited a multi-factor authentication flaw, which allowed them to gain access to user accounts and transfer funds to crypto wallets outside of Coinbase’s network.
The multi-factor authentication flaw was exploited in the SMS account recovery process. Normally, an attacker who had a Coinbase user’s credentials (email and password) would still be blocked from accessing the account if multi-factor authentication was enabled.
When setting up an account, Coinbase recommends that its customers secure their accounts by enabling multi-factor authentication using security keys, authenticator applications with time-based one-time passwords, or, as a last resort, SMS text messages.
Enabling these additional layers of security dramatically decreases the chance of an account being compromised. In this rare case, a vulnerability existed in the SMS account recovery process and was exploited by hackers.
In a notification sent to their users, Coinbase stated “Even with the information described above, additional authentication is required in order to access your Coinbase account…”
“However, in this incident, for customers who use SMS texts for two-factor authentication, the third party took advantage of a flaw in Coinbase’s SMS Account Recovery process in order to receive an SMS two-factor authentication token and gain access to your account.”
In addition to Coinbase customers losing cryptocurrency from their accounts, the bad actors also had full account access, exposing personal information such as name, email, physical address, date of birth, IP addresses, transaction history, holdings and balances.
As soon as Coinbase learned about the breach, it quickly patched the security flaw in its “SMS Account Recovery protocols” to stop any further risk to its customers.
Coinbase is remedying their account holders by reimbursing funds in the affected accounts equal to the stolen amount.
“We will be depositing funds into your account equal to the value of the currency improperly removed from your account at the time of the incident. Some customers have already been reimbursed — we will ensure all customers affected receive the full value of what you lost. You should see this reflected in your account no later than today,” promised Coinbase.
In addition to reimbursing the missing funds, Coinbase is providing free credit monitoring to its customers. Affected customers are also advised to secure their accounts by immediately changing their password on Coinbase and on associated accounts (such as email), and to move to a more secure method of multi-factor authentication (not SMS-based).
Victims should also be cautious of targeted phishing SMS messages or emails that attempt to steal credentials. Below is a screenshot, via PC Gamer, of a phishing SMS a Coinbase user received.
At this point Coinbase has not disclosed how much cryptocurrency was stolen.