Posted on October 4, 2021 at 1:52 PM

Coinbase Reveals that Hackers Stole from around 6000 Customer Accounts

Coinbase has revealed that threat actors stole cryptocurrencies from around 6000 customer accounts. While the details were only disclosed last week, the hacking attack is reported to have happened between March and May this year.

In its notice, Coinbase stated that the hackers exploited a vulnerability in the multi-factor authentication system needed to access accounts on the cryptocurrency exchange platform.

The notice sent out to the customers whose accounts were affected read that, “At least 6000 Coinbase customers had funds removed from their accounts, including you.” Coinbase is the second-largest cryptocurrency exchange platform in trading volumes, with over 68 million users from over 100 countries.

Hackers Exploited MFA Bug

Coinbase stated that the threat actors used details such as the email address, passwords and phone numbers, which allowed them access to the user’s email account. However, the exchange stated that it is still unclear how these hackers gained access to these details.

However, some of the tactics that the hackers might have employed include phishing campaigns and banking trojans that are used to steal from exchange accounts and bank accounts. Nevertheless, even with the password and email account of the user, unauthorized access to a Coinbase account is still prevented by a multi-factor authentication process.

Coinbase stated that the hacker could bypass this process by exploiting a vulnerability on the SMS account recovery process.

“However, in this incident, for customers who use SMS texts for two-factor authentication, the third party took advantage of a flaw in Coinbase’s SMS Account Recovery Process in order to receive an SMS two-factor authentication token and gain access to your account,” Coinbase stated.

In its statement, Coinbase stated that after discovering the attack, the exchange patched the SMS Account Recovery Protocols to ensure there was no additional vulnerability in the SMS multi-factor authentication that hackers could exploit.

Nevertheless, the effects of this hack go beyond the stolen assets from user accounts, given that the threat actor had access to customer details linked to Coinbase accounts. These details include the full official names, email addresses, home addresses, date of birth, IP addresses, account activity, account holdings and balances available in their accounts.

In a follow-up clarification, the exchange stated that the hack on customer accounts did not compromise the security infrastructure of Coinbase. “We have not found any evidence that these third parties obtained this information from Coinbase itself,” the statement read.

How Coinbase is responding to attack

Coinbase is yet to provide a detailed analysis of how the impersonation of user accounts happened. However, the exchange has given the probability that the hackers could be using a SIM-swapping attack to trick the cellphone service provider that they are transferring the one-time code into the victim’s phone number.

This attack was done on accounts that users perceived to be secure; hence Coinbase has stated that it will reimburse funds into these accounts, equal to the funds stolen from these accounts.

“We will be depositing funds into your account equal to the value of the currency improperly removed from your account at the time of the incident. Some customers have already been reimbursed – we will ensure all customers affected receive the full value of what you lost. You should see this reflected in your account no later than today,” Coinbase stated.

On the other hand, how the exchanges fixed the bug has remained unclear. However, the exchange is now urging users to stop using SMS-based multi-factor authentication and instead go for more advanced methods that offer better security. Some of the better alternatives for these users include mobile app verification or a security key on hardware devices.

The most important thing for Coinbase customers to do is to be on the lookout for ant phishing attempts sent either through email or SMS platforms. Phishing attacks are targeted to steal user account information, which threat actors later use to gain unauthorized access to different platforms. Phishing attempts are more prevalent in banking and exchange platforms where fiat or digital assets are concerned.

Coinbase customers need to install stronger multi-factor authentication processes because it is not the first time for a bug to be detected on the exchange’s multi-factor authentication systems.

In August this year, another bug caused panic to Coinbase users after Coinbase sent out an accidental alert stating that the two-factor authentication settings for 125,000 customers had been altered. This caused panic among users, and the exchange is yet to respond to cybersecurity companies such as Bleeping Computer about what happened at the time. Coinbase stated that the alert was a false one and accidentally sent to users.