Crypto Exchange Coinbase has revealed that hackers successfully stole money from at least 6,000 Coinbase users this spring, partly by exploiting a vulnerability in the cryptocurrency exchange's two-factor authentication mechanism.
Coinbase is the world's second-largest bitcoin exchange with over 68 million users from over 100 countries. In a data breach warning delivered to impacted clients this week, Coinbase disclosed the hacking activity. The notice states, “At least 6,000 Coinbase customers had funds removed from their accounts, including you,”
Account breaches happened between March 2021 and May 20, 2021. Coinbase estimates hackers launched a wide-scale email phishing effort to deceive a significant number of customers into providing their email addresses, passwords, and phone numbers.
Furthermore, the unknown attackers got access to victims' email inboxes through the use of malicious software competent of reading and writing to the inbox if the user enables permission.
Although, a password is insufficient to gain access to a Coinbase account.
The business secures an account by default using two-factor authentication, which means users must enter both a password and a one-time passcode issued on the phone to log in.
However, the hackers were capable to obtain the one-time passcode in certain situations. This happened to users who used the two-factor authentication method, which depends on SMS texts to deliver the code.
A spokesperson for the cryptocurrency exchange told PCMag in a statement, “Once the attackers had compromised the user’s email inbox and their Coinbase credentials, in a small number of cases they were able to use that information to impersonate the user, receive an SMS two-factor authentication code, and gain access to the Coinbase customer account.”
Coinbase did not go into detail about how the impersonation occurred. However, according to the statement, the attackers employed a SIM-swapping attack to deceive the cell phone carrier into transferring over the victim's phone number.
In response, Coinbase says it’s been compensating victims for the stolen cryptocurrency, following reports the company did little to help consumers hit in the hack.
A company spokesperson added, “We immediately fixed the flaw and have worked with these customers to regain control of their accounts and reimburse them for the funds they lost.”
It's also unclear how the issue was resolved. Coinbase, on the other hand, is pushing consumers to abandon the SMS-based two-factor verification scheme for more secure alternatives. This includes utilising a smartphone app to generate the one-time passcode or a hardware-based security key.
