Coinbase, the cryptocurrency exchange used to buy Bitcoin, Ethereum, and other coins, suffered an attack that affected about 6,000 users, whose accounts were drained of funds.
As reported by our sister site TechRadar, Coinbase sent a letter to affected users telling them that funds had been stolen from their accounts: the attackers obtained the victims' passwords through phishing and then bypassed the company's SMS-based two-factor authentication (2FA). The attack took place between March and May of 2021.
The attack was not more widespread because the hackers needed very specific information before they could target anyone: the user's e-mail address, password, and phone number, plus access to the user's personal e-mail account.
Coinbase has not been able to determine how the hackers obtained this information, but it suspects that phishing or other social-engineering techniques were responsible.
According to Coinbase, "We have found no evidence that these third parties obtained this information from Coinbase itself.
"However, in this case, the third parties took advantage of a flaw in Coinbase's SMS account recovery process to receive SMS two-factor authentication tokens and access accounts for customers using SMS text for two-factor authentication."
Coinbase says that as soon as it learned of the issue it updated its SMS account-recovery protocol to prevent further abuse. The company is also concerned that the hackers were able to view personal information such as home addresses, dates of birth, and IP addresses. Coinbase has refunded the affected users and returned the crypto to their accounts.
"We will be crediting accounts with funds equal to the value of the currency that was improperly removed from the account at the time of the incident. Some customers have already received refunds, but we will ensure that all affected customers receive the full amount of the lost value."
Coinbase is working with law enforcement to find the culprits, and it also plans to offer free credit monitoring to affected customers.
The company is also encouraging customers to stop using SMS verification and instead use a time-based one-time password (TOTP) app such as Google Authenticator, or a hardware security key. Passwords for Coinbase accounts and for the associated e-mail accounts should also be changed.