Coinbase Moves to Calm Security Concerns Amid Theft Reports

Coinbase has issued a blog post in response to reports that its users are being targeted by phishing attacks.

AccessTimeIconFeb 7, 2014 at 9:10 p.m. UTC
Updated Sep 11, 2021 at 10:20 a.m. UTC
10 Years of Decentralizing the Future
May 29-31, 2024 - Austin, TexasThe biggest and most established global hub for everything crypto, blockchain and Web3.Register Now

Andreessen Horowitz-backed bitcoin wallet provider Coinbase confirmed via a company blog post on 7th February that "a small handful" of its customers have fallen victim to phishing attacks.

The reports of bitcoin wallet security vulnerabilities, however small, have nonetheless reverberated widely in an industry that is being increasingly cast in a shroud of uncertainty by the mainstream media.

A separate account of the incidents by online news source The Verge paints a very different picture of the situation, suggesting that the thefts, while in some cases the fault of Coinbase's users, were sizable and perhaps more frequent than has been reported.

The Verge confirmed what it called "a string of Bitcoin thefts that have hit the service in recent weeks".

In its piece, it profiled the story of a Coinbase user named Jeff, who lost 10.6 BTC in bitcoins due to theft this December. What's most unique about Jeff's story, however, is that one month later, his refunded money was stolen from the service yet again.

The media outlet revealed that it has confirmed two separate thefts occurred to users on the service in addition to Jeff's multiple thefts, for amounts of $16,000 and $5,000, respectively.

The sum total of the thefts, as noted by the piece, is roughly $40,000.

The extent of the attacks

The security firm FireEye told the Verge that it believes it is unlikely that Coinbase suffered a system-wide vulnerability, and that instead, each individual victim was compromised in isolation.

However, it suggested that Coinbase's "unusually powerful" API may have been a factor:

"The right API key will let any program move bitcoins in and out of a given accounts. Once the key is compromised, attackers can even access linked bank accounts to purchase more bitcoins. Users are advised not to authorize the API key if they don't need it, but if an account has been compromised, hackers may decide to authorize it themselves."

FireEye did suggest that the company itself does not seem responsible for the attacks, which were not aimed at its infrastructure. Further, it suggested that Coinbase's user agreement clearly states that individuals are responsible for the safety of their private keys.

By using the wallet provider's two-factor authentication, the report suggested, Jeff could have prevented the loss of his API key, which once his account was compromised may have been reactivated by the hackers.

Coinbase reacts

The San Francisco-based company downplayed the thefts, stating that "phishing is unfortunately common across the Internet", and noting that it affects banking institutions, payment processors and retailers in the traditional financial system as well.

Further, the company indicated that, because of the concern over phishing attacks, it has implemented enhanced security measures, that when used with best practices for web surfing, can help limit these occurrences:

"We’ve implemented a number of increased security measures, including expanded two-factor authentication measures designed to help lessen the likelihood of successful phishing incidents in the future. We’ve also added an email verification step for key actions, such as when an API key is enabled."

Coinbase representatives declined further requests for comment, stating that the blog post represented their official position on the attacks.

Image credit: Digital key via Shutterstock

Disclosure

Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by Block.one; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.


Learn more about Consensus 2024, CoinDesk's longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to consensus.coindesk.com to register and buy your pass now.