Coinbase Attackers Bypassed Account Authentication

US cryptocurrency exchange Coinbase is facing a backlash from its users after notifying them that at least 6,000 customers had their funds stolen by hackers.

The “third-party campaign” took place between March and May 20, 2021.

“In order to access your Coinbase account, these third parties first needed prior knowledge of the email address, password, and phone number associated with your Coinbase account, as well as access to your personal email inbox,” the firm explained in a breach notification letter.

“While we are not able to determine conclusively how these third parties gained access to this information, this type of campaign typically involves phishing attacks or other social engineering techniques to trick a victim into unknowingly disclosing login credentials to a bad actor. We have not found any evidence that these third parties obtained this information from Coinbase itself.”

However, while Coinbase does not appear to have been responsible for the initial data leak, which enabled the first stage of the attack, a crucial flaw in its authentication process was to blame for the unauthorized account access.

“Even with the information described above, additional authentication is required in order to access your Coinbase account,” it continued.

“However, in this incident, for customers who use SMS texts for two-factor authentication, the third party took advantage of a flaw in Coinbase’s SMS Account Recovery process in order to receive an SMS two-factor authentication token and gain access to your account.”

Coinbase, the world’s second-largest cryptocurrency exchange with tens of millions of global users, said it would reimburse customers the full value of their losses. The firm has also updated its SMS Account Recovery protocols to ensure authentication can’t be bypassed in a similar way in the future.

However, it warned that, while inside hacked accounts, unauthorized third parties would have access and potentially changed details. These details include full name, email and home address, date of birth, IP address for account activity, transaction history, account holdings and balance.

This isn’t the first time Coinbase has been in the news following a security breach. In 2019 it was forced to halt trading of Ethereum Classic (ETC) after spotting “double spend” attacks totalling more than $1m.

Hacked Coinbase accounts are said to be worth as much as $610 apiece on the cybercrime underground.

What’s Hot on Infosecurity Magazine?