Coinbase has disclosed that hackers successfully stole cryptocurrency from at least 6,000 customers this spring, partly by exploiting a flaw in the cryptocurrency exchange’s two-factor authentication system.
Coinbase revealed the hacking spree in a data breach notice sent out to affected customers this week. “At least 6,000 Coinbase customers had funds removed from their accounts, including you,” the notice says. BleepingComputer was first to report the news.
The account breaches occurred between March 2021 and May 20, 2021. Coinbase suspects the hackers ran a large-scale email phishing campaign that tricked numerous customers into handing over the email addresses, passwords, and phone numbers tied to their accounts. The unknown culprits also got into victims' email inboxes through a malicious app that, once a user granted it permission, could read and write mail in the inbox.
Still, a password isn’t enough to break into a Coinbase account. By default, the company secures an account with two-factor authentication, meaning you need both a password and a one-time passcode generated on your phone to access the account.
However, in some cases the hackers were able to obtain the one-time passcode as well. That happened to users who had chosen the two-factor authentication option that delivers the code by SMS text message.
“Once the attackers had compromised the user’s email inbox and their Coinbase credentials, in a small number of cases they were able to use that information to impersonate the user, receive an SMS two-factor authentication code, and gain access to the Coinbase customer account,” a spokesperson for the cryptocurrency exchange told PCMag in a statement. The hackers then looted the cryptocurrency funds.
Coinbase didn’t elaborate on how the impersonation occurred. The statement suggests the attackers may have used a SIM-swapping attack, tricking the cell phone carrier into transferring the victim’s mobile phone number to a SIM the attackers controlled. A SIM swap happens at the carrier, though, not at Coinbase, so the “flaw” the company says it has since fixed points to a weakness in its own SMS-based flow as well.
In response, Coinbase says it’s been compensating victims for the stolen cryptocurrency, following reports the company did little to help consumers hit in the hacks. “We immediately fixed the flaw and have worked with these customers to regain control of their accounts and reimburse them for the funds they lost,” a company spokesperson added.
How the flaw was fixed is also unclear. Coinbase is, however, urging customers to move off SMS-based two-factor authentication to stronger methods: a mobile authenticator app that generates the one-time passcode on the device itself, or a hardware security key. Neither involves the phone carrier, so a SIM swap or an intercepted text message yields nothing to an attacker.
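To make concrete what “generating the one-time passcode on a mobile app” means, here is an added example (not Coinbase’s code, nor anything from the article) of the standard algorithm such apps implement: TOTP (RFC 6238), built on HOTP (RFC 4226). The code is an HMAC over the current 30-second time step, keyed with a secret that exists only on the user’s phone and at the service, so no code ever travels over the carrier network. The `TotpVerifier` class, its clock-skew window, and its replay rule are design choices made for this example; the only secret used below is the public test secret from the RFCs.

```python
"""TOTP (RFC 6238) on top of HOTP (RFC 4226), with a server-side verifier.
Added example for illustration; not Coinbase's implementation."""
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC the 8-byte big-endian counter, dynamic-truncate
    to 31 bits at the offset given by the MAC's last nibble, then mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, t0: int = 0, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step.
    This is what the authenticator app computes locally; nothing is sent to it."""
    return hotp(secret, (at - t0) // step, digits)


class TotpVerifier:
    """Server-side check (example design): constant-time comparison, a small
    window for clock skew, and replay rejection so a code that was phished and
    already used cannot be submitted a second time."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window
        self.last_step = -1  # highest time step for which a code was accepted

    def verify(self, submitted: str, at: Optional[int] = None) -> bool:
        at = int(time.time()) if at is None else at
        current = at // self.step
        for candidate in range(current - self.window, current + self.window + 1):
            if candidate <= self.last_step:
                continue  # replay, or older than a code already consumed
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, submitted):
                self.last_step = candidate
                return True
        return False


if __name__ == "__main__":
    # Public test secret from RFC 4226 / RFC 6238 (ASCII "12345678901234567890").
    secret = b"12345678901234567890"
    now = int(time.time())
    code = totp(secret, now)
    verifier = TotpVerifier(secret)
    print("code generated on the device:", code)
    print("first submission accepted:", verifier.verify(code, at=now))
    print("same code replayed:", verifier.verify(code, at=now))
    print("code two minutes later:", verifier.verify(totp(secret, now), at=now + 120))
```

The caveat a practitioner should keep in mind: TOTP takes the phone carrier out of the loop, which defeats SIM swapping and SMS interception, but a phishing page that relays the six digits to the real site within the 30-second window still succeeds. Of the two options Coinbase recommends, only a hardware security key using FIDO2/WebAuthn binds the second factor to the genuine site’s origin and so resists that real-time relay as well.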
In a blog post published earlier this week, the cryptocurrency exchange also stressed that the hackers never breached Coinbase’s security infrastructure or broader systems. “We have not found any evidence that these third parties obtained this information from Coinbase itself.”