US-based crypto exchange giant Coinbase confirmed that between March and May 20th, 2021, a threat actor stole cryptocurrency from at least 6,000 customers after using a vulnerability to bypass the company’s SMS multi-factor authentication security feature, BleepingComputer reported, citing a Coinbase notification to customers.
Coinbase confirmed to Cryptonews.com that the notification is authentic.
In either case, on September 27, the exchange also confirmed that between April and early May 2021, their security team “observed a significant uptick in Coinbase-branded phishing messages targeting users of a range of commonly used email service providers.” Back then, the exchange said that “in a small number of cases they were able to use that information to impersonate the user, receive an SMS two-factor authentication code, and gain access to the Coinbase customer account.” However, no specific numbers were provided.
Meanwhile, per BleepingComputer, to conduct the attack, the attackers needed to know the customer’s email address, password, and phone number associated with their Coinbase account and have access to the victim’s email account.
Also, Coinbase states a vulnerability existed in their SMS account recovery process, allowing the hackers to gain the SMS two-factor authentication token needed to access a secured account, the report said. Customers’ personal information was also exposed, including their full name, email address, home address, date of birth, IP addresses for account activity, transaction history, account holdings, and balances, it added.
Per the notification, Coinbase is depositing funds in affected accounts equal to the stolen amount and some customers have already been reimbursed.
Also, the exchange encouraged their clients to:
- Use even stronger than SMS-based two-factor authentication, such as time-based one-time password (TOTP) or a hardware security key,
- Change the password on your Coinbase account to a new, strong, and unique password that you do not use on any other site,
- Monitor your personal accounts and free credit reports for any suspicious activity,
consistent with best practices for the next 12-24 months.
– How to Prevent Crypto Theft – And Whom to Blame When It Does Happen
– SushiSwap’s MISO Suffers USD 3M Attack, Contract Thefts May Rise
– A Tale of Two Hacks: Poly Hacker Bows Out, Liquid to Restore Operations
– Crypto Sector World’s 3rd Industry in Phishing Attacks Growth