Thousands of clients lose funds in Coinbase hack
Crypto-currency exchange Coinbase has been hacked, and the cybercriminals stole funds from 6 000 customers’ accounts.
This is according to a breach notification issued by the exchange last week. Coinbase is an American company that provides a crypto-currency exchange platform. It operates remote-first and has no official physical headquarters.
In a letter to the affected customers, it says privacy, security and transparency are central to the future of finance it is building at Coinbase.
“That is why we are writing to inform you about an unauthorised third-party gaining access to your Coinbase account and what we are doing to help you manage this.”
According to Statista, Coinbase was the eighth-biggest crypto exchange in the world by 24-hour volume as at 14 September. The company averages about $5.5 billion in 24-hour trading volume.
In April, Coinbase made its landmark listing on the Nasdaq exchange via a direct stock listing.
“Unfortunately, between March and 20 May 2021, you were a victim of a third-party campaign to gain unauthorised access to the accounts of Coinbase customers and move customer funds off the Coinbase platform. At least 6 000 Coinbase customers had funds removed from their accounts, including you,” the company informs the victims.
It explains that, in order to access Coinbase accounts, these third parties first needed prior knowledge of the e-mail address, password and phone number associated with a user’s Coinbase account, as well as access to the user’s personal e-mail inbox.
“While we are not able to determine conclusively how these third-parties gained access to this information, this type of campaign typically involves phishing attacks, or other social engineering techniques to trick a victim into unknowingly disclosing login credentials to a bad actor.
“We have not found any evidence that these third-parties obtained this information from Coinbase itself.”
Even with the information described above, additional authentication is required to access a Coinbase account, says the firm.
It notes, however, that in this incident, for customers who used SMS text messages for two-factor authentication, the third party took advantage of a flaw in Coinbase’s SMS account recovery process to receive an SMS two-factor authentication token and gain access to the account.
“Once in your account, the third-party was able to transfer your funds to crypto wallets unassociated with Coinbase.”
As soon as Coinbase learned of the issue, it updated its SMS account recovery protocols to prevent any further bypassing of that authentication step, it says.
“We will be depositing funds into your account equal to the value of the currency improperly removed from your account at the time of the incident. Some customers have already been reimbursed – we will ensure all customers affected receive the full value of what you lost,” says Coinbase.
“We will be providing free credit monitoring to affected customers who are interested and if available in your country of residence. We will be sharing information about how to obtain that service in a separate communication shortly.”
Coinbase points out it has also been working closely with law enforcement to support the investigation into the individuals behind this incident. Coinbase’s own internal investigation into the incident is ongoing.
“The third-party who accessed your Coinbase account would have been able to view the following information, depending on what information you have in your account: your full name, e-mail address, home address, date of birth, IP addresses for account activity, transaction history, account holdings and balance.
“The third-party may have changed the e-mail, phone number, or other information associated with your account. We are working to restore any changed e-mails or phone numbers to their original state prior to the unauthorised activity.”
The company advises customers who currently use SMS-based two-factor authentication to use an even stronger method of securing their Coinbase accounts, such as a time-based one-time password, or a hardware security key.
“We also strongly encourage you to change the password on your Coinbase account to a new, strong and unique password that you do not use on any other site. Because the third-parties needed access to your personal e-mail account as part of this incident, we strongly encourage you to change your password in the same way for your e-mail account and for any other online accounts where you use a similar password,” it concludes.