Over 6,000 Coinbase Customers Affected by Multi-Factor Authentication Hack
Author: Michael Stern
Last Updated: 1 November 2021
Coinbase, Inc., the cryptocurrency exchange company, suffered a significant breach earlier this year. Attackers used phishing emails to collect sensitive account information from over 6,000 Coinbase users and then drained funds from their accounts.
Although Coinbase says it closed the hole as soon as it was found, the company withheld news of the breach until a few days ago.
Coinbase Security Loophole
Since its launch in 2012, the crypto trading platform has gained a reputation as one of the safest and easiest channels for crypto exchange. The company provides several protections for its customers' digital assets. One of them is insurance: Coinbase carries insurance on the crypto it holds, and USD cash balances are FDIC-insured up to $250,000.
The company stores 98% of customer funds offline, in cold storage, to keep them out of reach of thieves and reduce the risk of loss. Bitcoin holdings are spread across vaults and safe deposit boxes in locations around the world.
Sensitive data is taken offline, encrypted, and stored on FIPS 140 validated USB drives and paper backups. Just like the Bitcoin, the drives and paper backups are distributed geographically in safe deposit boxes and vaults around the world.
These measures, however strict, were not enough to stop attackers from reaching the sensitive information and funds of individual Coinbase customers. Cold storage protects the exchange's own keys; it does nothing against someone who logs in as the customer with valid credentials and a valid second factor. Due to a flaw in the platform's account recovery process, the attackers were able to obtain SMS two-factor authentication codes for some customers' accounts.
According to a notification letter sent to affected customers, now filed with the California state attorney general's office, the incidents occurred between March and May 20. The attackers obtained SMS two-factor authentication codes for over 6,000 customers and withdrew funds from their accounts.
For every account they took over, the attackers already knew the email address, password and phone number. The company believes this information did not leak from Coinbase itself; the attackers most likely gathered it through a phishing campaign.
The attackers sent alarming emails and malicious applications directly to users' inboxes to trick them into granting access to their email accounts. With control of a victim's mailbox, they could complete the checks that are carried out through that mailbox, such as device verification.
As soon as Coinbase learned what had happened, it moved to contain the damage. It had all identified phishing sites taken down and worked with the email providers whose platforms had been used to perpetrate the scam.
Moving Forward
Although Coinbase believes that some customers were deceived into handing their login details to the attackers, it is nonetheless compensating customers whose funds were stolen. It is still unclear whether the compensation is being paid in cryptocurrency or fiat currency.
In the meantime, the company has advised customers to strengthen their account security. Users have been asked to switch from SMS codes to a more secure multi-factor method: a time-based authenticator app or a hardware security key. SMS codes travel over the phone network and, as this incident shows, can be exposed through recovery flows; codes generated on the user's own device, or a FIDO2 key that signs a challenge, never leave it.
Coinbase is one of the most trusted cryptocurrency companies in the United States. As of 2021, it serves over 68 million users across 100 countries. According to this comparison by BitDegree, Coinbase is a strong competitor to Binance, another popular crypto exchange platform.
The company recently announced that its users in the US can now deposit paychecks, in part or in full, directly into their Coinbase account. Customers pay no fees for the direct deposit service, and they are free to hold the money in dollars or convert it instantly into cryptocurrencies like Bitcoin; the conversion is free as well.
With this bold move towards traditional financial services, a breach of this kind may have serious consequences for the company.
BWCEvent aspires to share balanced and credible details on cryptocurrency, finance, trading, and stocks. Yet, we refrain from giving financial suggestions, urging users to engage in personal research and meticulous verification.