Popular cryptocurrency exchange Coinbase, which boasts over 68 million users from over 100 countries worldwide, has admitted that 6,000 of its customers had cryptocurrency stolen from their accounts earlier this year. The thefts occurred after hackers exploited a flaw in the SMS-based multi-factor authentication (MFA) that protects Coinbase accounts.
While the flaw itself was specific to Coinbase, the incident will understandably cause concern for many, given how vital two-factor authentication (2FA) and MFA are in preventing account fraud.
Coinbase notified the 6,000 affected customers at the end of September.
Hacking activity conducted between March and May this year
In Coinbase’s communication to the affected customers, the crypto exchange said the hacks and subsequent thefts had occurred between March and May 2021.
Coinbase said that for the thefts to occur, the hackers responsible needed:
- The customer’s email address
- Their Coinbase password
- The telephone number associated with their Coinbase account
- To be able to access the customer’s email account
Coinbase believes this information was most likely obtained through targeted phishing campaigns designed to steal account credentials. Although this has not been confirmed for this incident, phishing attacks against users of Coinbase and other popular cryptocurrency exchanges are known to have become increasingly frequent in recent years.
Beyond phishing, banking trojans, the malware commonly used to take over online bank accounts, are also known to harvest login details for Coinbase and other crypto exchange accounts.
What was the MFA flaw?
Typically, a stolen password alone is not enough for hackers to access a Coinbase account (or any other online account) when MFA is in place. Furthermore, an unexpected authentication prompt acts as a red flag that the account's password has been compromised, giving the user the chance to change it before any harm is done.
Coinbase has since said that the hackers exploited a flaw in its SMS account recovery process to obtain the SMS 2FA token needed to sign in to the victims' accounts. With the email address, password and phone number already in hand, that token was the last piece they needed.
Coinbase said it fixed its "SMS Account Recovery protocols" as soon as it learned of the attacks, preventing further exploitation.
Further personal details potentially stolen
As the hackers had full access to the compromised Coinbase accounts, the affected users potentially had a range of other personal information stolen too, including:
- Full name
- Home address
- Date of birth
- IP addresses linked to Coinbase account activity
- Account holdings and balances
Given the data potentially stolen, the affected Coinbase users will need to remain vigilant about fraud attempts on their other online accounts, including convincing follow-up phishing that quotes the stolen details back to them. At an absolute minimum, users should change the password on any other account where they reused their Coinbase password.
While this attack exploited a flaw in one form of 2FA, 2FA and MFA remain among the most robust means of protecting online accounts from fraud. Even if you are not one of the Coinbase users affected by this incident, it is worth ensuring you have 2FA or MFA set up on the accounts you use. Hardware security keys and authenticator apps are more secure than SMS or email 2FA: an SMS code is only as safe as the phone number it is sent to (and, in this case, the recovery process built around it), whereas an authenticator app derives its codes on the device itself, so there is nothing sent over the phone network to intercept, and a FIDO hardware key is tied to the genuine website's address, so it will not hand a credential to a look-alike phishing site. Coinbase is also encouraging all its users to move away from SMS and email 2FA. Coinbase has had 2FA-related trouble before: in August it mistakenly told 125,000 users their 2FA settings had been changed, causing panic among those who received the notification.
What next for affected customers?
Coinbase has already reimbursed those affected by depositing funds equal to the amounts stolen into their accounts.
In addition to using 2FA or MFA and changing their passwords, both those affected by this incident and all other Coinbase users should learn the signs of a phishing email and remain vigilant when clicking links in emails and entering details online.
Have you been affected by a data breach? Contact LawPlus today
If you’ve been affected by this Coinbase incident or have experienced fraud owing to any other data breach, you may be entitled to compensation.
Contact LawPlus today for a FREE, no-obligation assessment of your data breach claim.