According to Bleeping Computer, bad actors were able to infiltrate and steal cryptocurrency from approximately 6,000 Coinbase customers by exploiting a multi-factor authentication flaw.
According to the publication, the cryptocurrency exchange’s security team observed a large-scale phishing campaign targeting its users between April and early May 2021.
Some users were duped by the phishing emails into handing over their usernames and passwords. Worse, even customers who had two-factor authentication enabled were still at risk, because a flaw in the exchange's own system let the attackers get past that second factor.
Coinbase stated in the notification [PDF] it sent to affected customers that bad actors exploited a vulnerability in its SMS Account Recovery process. This allowed the hackers to obtain the two-factor token, which was supposed to be sent to the account owner’s phone number via text message.
Coinbase recommends, in order of preference, two-factor authentication with a hardware security key, then an authenticator app; SMS authentication is listed as a last resort. Users who still rely on SMS are advised to lock their mobile carrier accounts to protect themselves from SIM swap scams and phone port fraud, in which an attacker takes over the phone number that receives the verification texts.
Coinbase also notified 125,000 users in August that their two-factor settings had changed, but the exchange stated at the time that the notification was sent in error and was not the result of a hack.
Coinbase stated in a letter to customers that it corrected its SMS Account Recovery protocols as soon as it became aware of the problem. It is also reimbursing anyone who has lost cryptocurrency as a result of the event.
Those affected by the hack should also make sure their other accounts are secure, since their names, addresses, and other sensitive information were exposed when their Coinbase accounts were infiltrated, and that data can be reused for further phishing or account takeover attempts.