Coinbase users hacked after 2FA flaws exposed
Popular cryptocurrency exchange Coinbase, which boasts over 68 million users from over 100 countries worldwide, has admitted that 6,000 of its customers had crypto stolen from their accounts earlier this year. The thefts occurred after hackers exploited flaws in Coinbase’s SMS message multi-factor authentication (MFA) security feature.
While this flaw was specific to Coinbase, such an incident will undoubtedly cause concern for many, given how vital two-factor authentication (2FA) and MFA are in preventing fraud.
Coinbase notified the 6,000 affected customers at the end of September.
Hacking activity conducted between March and May this year
In Coinbase’s communication to the affected customers, the crypto exchange said the hacks and subsequent thefts had occurred between March and May 2021.
Coinbase said that for the thefts to occur, the hackers responsible needed:
- The customer’s email address
- Their Coinbase password
- The telephone number associated with their Coinbase account
- Access to the customer’s email account
Coinbase believes this information was likely acquired via targeted phishing campaigns aimed at stealing account credentials. Although this has not been confirmed for this incident, such attacks against Coinbase and other popular cryptocurrency exchanges are known to have become increasingly frequent in recent years.
In addition to phishing scams, banking trojans commonly used to steal online banking credentials are also known to steal credentials for Coinbase and other crypto exchange accounts.
What was the MFA flaw?
Typically, hackers cannot access Coinbase (or other online accounts) if MFA is in place. Furthermore, receiving a notification requesting authentication also acts as a red flag that an account's details have been compromised. Thus, users can change their passwords and remove the threat.
Following this incident, Coinbase has said hackers could exploit a flaw in its SMS account recovery process and acquire an SMS 2FA token to access users' accounts.
Coinbase said it fixed its "SMS Account Recovery protocols" as soon as it learned of the hack, preventing further exploitation.
Further personal details potentially stolen
As hackers had full access to Coinbase accounts, the user accounts that saw thefts potentially had a raft of other personal information stolen, too, including:
- Full name
- Home address
- Date of birth
- IP addresses linked to Coinbase account activity
- Account holdings and balances
Given the data potentially stolen, the affected Coinbase users will need to remain vigilant around potential fraud attempts on their other online accounts. At an absolute minimum, users would be wise to change any password on another account that is the same as the one they used for Coinbase.
While this hack involved exploiting 2FA and MFA flaws, these methods remain among the most robust means of protecting online accounts from fraud. Even if you're not one of the Coinbase users affected by this incident, it's worth ensuring you have 2FA or MFA set up for the accounts you do use. Hardware security keys or authentication apps tend to be more secure and less vulnerable to flaws than SMS or email 2FA, so it's better to use these methods where possible. Coinbase is also encouraging all its users to use alternatives to SMS or email. In August, Coinbase accidentally told 125,000 users their 2FA settings had been changed, causing panic among those receiving the notification.
What next for affected customers?
Coinbase has already deposited funds equal to the amounts stolen to those affected by the theft.
In addition to ensuring they’re using 2FA or MFA and changing their passwords, both those affected by this incident and all Coinbase users should ensure they know the signs of a phishing email and remain vigilant when clicking emails and submitting details online.
Have you been affected by a data breach? Contact LawPlus today
If you’ve been affected by this Coinbase incident or have experienced fraud owing to any other data breach, you may be entitled to compensation.
Contact LawPlus today for a FREE, no-obligation assessment of your data breach claim.
Massive Twitch data breach and leak confirmed
Amazon-owned game-streaming platform Twitch has confirmed it has experienced a significant data breach after a hacker was able to access its servers. Over 125GB of data was posted on the 4chan message board on Wednesday, and there are fears more data will be leaked in the coming days.
Confirming the breach, Twitch posted on Twitter: “We can confirm a breach has taken place. Our teams are working with urgency to understand the extent of this. We will update the community as soon as additional information is available. Thank you for bearing with us.”
How did the leak occur?
A statement on the Twitch blog said: “We have learned that some data was exposed to the internet due to an error in a Twitch server configuration change that was subsequently accessed by a malicious third party. Our teams are working with urgency to investigate the incident.”
What data has been leaked?
Twitch assured users in its statement that it doesn't store complete credit card details, so hackers have been unable to acquire such data. It is unknown at present whether user data, including passwords and email addresses, has been stolen. However, the 125GB data leak was labelled “Part One,” raising concerns over what may be included in subsequent releases.
The data included in this leak includes:
- Three years' worth of details relating to Twitch creator payouts. Several Twitch creators confirmed to the BBC that the earnings figures leaked were accurate.
- The entirety of twitch.tv.
- Source code for Twitch’s mobile, desktop, and videogame console apps.
- Code related to software development kits and internal Amazon Web Services features utilised by Twitch.
- An unreleased Steam competitor being developed by Amazon Game Studios.
- Data relating to other Twitch properties, including IGDB and CurseForge.
- Internal security tools used by Twitch.
Given what has been stolen, this is potentially the most significant data breach in history, with most, if not all, of Twitch’s internal data and code stolen at once.
Embarrassment for Twitch, but could the long-term damage be worse?
Twitch is famous for guarding creator details and earnings. Many creators choose to stream via Twitch because they can (or could!) rely on the platform to protect their data and earnings information.
Not only will this data breach and leak prove hugely embarrassing for Twitch, but it could be a damaging incident in a business sense, too. Platforms like YouTube Gaming are currently offering significant salaries to gamers to exclusively stream on their platforms. As such, this incident may herald the start of an exodus away from Twitch, which is already dealing with a considerable increase in abuse and harassment of creators in recent months, alongside accusations it isn't doing enough to prevent such incidents.
What does this mean for Twitch users?
While those involved in this incident seem to be focused on damaging Twitch rather than stealing user data, it remains to be seen what information will be found in any further leaks.
Although there is currently no indication that users are at risk, it is still worth taking steps to secure how you access the platform if you have a Twitch account.
If you haven’t already done so, you should consider:
- Changing your Twitch password.
- Subscribing to a password generator or keeper, ensuring you have strong passwords that are difficult to guess and to access.
- Enabling two-factor authentication (2FA) on your account. Given the recent Coinbase hacking incident, which exploited weaknesses in the crypto exchange’s 2FA process, aim to use an authentication app rather than SMS or email authentication.
If your personal details do end up being exposed, you could be entitled to compensation
While Twitch publicly disclosed the data breach on 6th October, the Information Commissioner’s Office (ICO) hadn't been notified of a breach by Twitch or Amazon as of the following day.
It remains to be seen whether user data has been stolen and will be leaked following this incident. If this does occur and your data is exposed, you could be entitled to compensation.
LawPlus will await the outcome of any ICO investigation before pursuing claims on behalf of compromised users; however, you can still contact us in the meantime so we can collect your details and information about how this Twitch incident has affected you.
Contact us here to share your experience of this significant Twitch data breach.
Billions of Facebook and Clubhouse users and their contacts exposed online
It has recently been revealed that up to 3.8 BILLION phone numbers have been stolen from Facebook and Clubhouse users. However, the data also includes phone numbers synced to these accounts from the phones of the people directly affected. As such, your phone number could be involved in this breach even if you don't have a Facebook or Clubhouse account.
Most concerning is that the phone numbers have reportedly been merged into a database with information from the affected users' Facebook profiles. As such, criminals could potentially have access to a raft of personal information about nearly half the world’s population.
Not the first data breach this year for either Facebook or Clubhouse
Unfortunately for Facebook, this isn’t the first time they’ve fallen victim to a data breach in 2021, let alone in the last few years. Earlier this year, 533 million accounts were compromised. Facebook has been targeted so often that every user has probably had their data involved in a Facebook data breach in the past decade.
While Clubhouse has only been around since March 2020, this isn't the first time the app has been involved in a data breach. In April 2021, 1.3 million Clubhouse users' details were leaked online. This latest data breach comes just months after Clubhouse stopped being an exclusive, invitation-only app and became open to anyone in July 2021.
How did this data breach come about?
While it’s not known how this data breach occurred, it first came to light on 4th September.
A hacker who claimed to have stolen the data posted on a dark web forum that they had a database of 3.8 billion phone numbers that they were looking to sell for $100,000.
What does the Facebook and Clubhouse data breach mean for consumers?
If this breach was solely related to phone numbers, you likely wouldn’t have too much to worry about.
The greater danger comes because of the link to our profile data and contact books.
For example, if your email address is part of your Facebook profile, criminals could send you personalised phishing scams posing as your friends, asking you to transfer money or disclose details like your credit card number.
As of 28th September 2021, the database doesn’t appear to have been sold.
How to protect yourself following the Facebook and Clubhouse data breach
It's worth noting that this could actually be a hoax by a "hacker" looking to rip off cybercriminals. As of 28th September 2021, neither Facebook nor Clubhouse had disclosed a data breach had occurred.
That said, you can never be too careful when it comes to protecting yourself online.
Aim to be extra vigilant if you're using Facebook and Clubhouse in the coming weeks. Don’t directly engage with or accept requests from accounts you don’t recognise, and set up two-factor authentication if you haven’t already done so.
You can learn more about keeping yourself safe online here.
If your data has been compromised, you could be entitled to compensation
If your data has been involved in a data breach, you could be entitled to compensation, particularly if you have been a victim of fraud or lost money as a result.
If this has happened to you, contact LawPlus today and tell us about your experience for a FREE, no-obligation assessment of your potential data breach claim.