Coinbase Multi-Factor Authentication Hack Affects at Least 6,000 Customers

A flaw allowed hackers to get customers’ SMS two-factor authentication code and break into their accounts.

Oct 1, 2021 at 4:33 p.m. UTC
Updated Oct 1, 2021 at 9:22 p.m. UTC

Nate DiCamillo is a business reporter at CoinDesk with a focus on banking and economics.

A vulnerability that allowed hackers to bypass Coinbase’s SMS-based multi-factor authentication option has affected at least 6,000 of the exchange’s customers, according to a notification letter sent to affected customers that the company has filed with the California attorney general’s office.

  • Between March and May 20, 2021, the hacker or hackers used a flaw in Coinbase’s account recovery process to obtain the SMS two-factor authentication code, break into customers’ accounts and transfer funds out of them.
  • The attack only worked because the bad actor or actors already held the email address, password and phone number associated with each targeted Coinbase account; the SMS code was the one remaining factor, and the recovery flaw supplied it. Coinbase believes the hacker stole those credentials through a phishing scheme and noted in its letter to the California AG that it has found no evidence of the hacker obtaining this information from Coinbase itself.
  • “We took immediate action to mitigate the impact of the campaign by working with external partners to remove phishing sites as they were identified, as well as notifying the email providers impacted,” a Coinbase spokesperson said via email. “Unfortunately we believe, although cannot conclusively determine, that some Coinbase customers may have fallen victim to the phishing campaign and turned over their Coinbase credentials and the phone numbers verified in their accounts to attackers.”
  • Coinbase said it is compensating customers for the stolen funds, but it’s unclear whether those payments are being made in fiat or crypto.
  • The exchange recommended that users switch to a stronger form of multi-factor authentication, such as a hardware security key or an authenticator app.
  • This appears to be one of the largest breaches to have affected Coinbase. Other notable incidents include a bug in August 2019 that stored roughly 3,500 customer passwords in plain text in an internal server log, although no outside party is known to have taken advantage of it. In the same month, Coinbase published details of a sophisticated attack that it blocked but that resembled a nation state-sponsored operation.
