Source: Coinbase
US-based crypto exchange giant Coinbase confirmed that between March and May 20th, 2021, a threat actor stole cryptocurrency from at least 6,000 customers after exploiting a vulnerability to bypass the company’s SMS multi-factor authentication security feature, BleepingComputer reported, citing a Coinbase notification to customers.
Coinbase confirmed that the notification is authentic. On September 30, the exchange also confirmed that between April and early May 2021, its security team “saw a significant increase in Coinbase brand phishing messages targeting users of a number of commonly used email service providers.” At the time, the exchange said that “in a small number of cases, they were able to use this information to impersonate users, obtain an SMS two-factor authentication code, and gain access to the Coinbase customer account.” However, no specific figures were given.
Meanwhile, according to BleepingComputer, to carry out the attack the attackers had to know the customer's email address, password and the phone number associated with their Coinbase account, and also have access to the victim's email account.
Coinbase also states that a vulnerability in its SMS account recovery process allowed the attackers to obtain the SMS two-factor authentication token required to access a secured account, the report says. The notification adds that customers' personal information was also exposed, including their full name, email address, home address, date of birth, IP addresses for account activity, transaction history and account balance.
According to the notification, Coinbase is depositing funds equal to the amount stolen into the affected accounts, and some customers have already been reimbursed.
In addition, the exchange encouraged its customers to:
- Use two-factor authentication stronger than SMS, e.g. a time-based one-time password (TOTP) or a hardware security key.
- Change the password of your Coinbase account to a new, strong and unique password that you do not use on any other website.
- Monitor your personal accounts and free credit reports for suspicious activity for the next 12-24 months, in line with best practices.