Coinbase Promises to Deposit Stolen Funds to At Least 6,000 Hacked Accounts
Cryptocurrency exchange Coinbase, which has about 68 million users globally, disclosed this week that hackers stole from at least 6,000 of its customers.
According to a breach notification letter sent by the exchange to affected customers, hackers used a vulnerability to bypass Coinbase’s SMS multi-factor authentication security feature.
The attack took place between late April and early May this year, as per the copy of the letter posted on the website of California’s Attorney General. By exploiting a flaw in the company’s SMS account recovery process, unauthorized third parties gained access to the accounts and then transferred the funds to outside crypto wallets.
“We immediately fixed the flaw and have worked with these customers to regain control of their accounts and reimburse them for the funds they lost,” a Coinbase spokesperson said on Friday.
The company said to successfully attack, hackers needed to have email addresses, passwords, and phone numbers associated with the affected accounts along with having access to the victim’s email account. But said there was no evidence to suggest the information was obtained from the company.
While it is not yet known just how the attackers gained access to all the information, Coinbase believes it was through phishing campaigns that attackers stole customers’ account credentials.
But even if a hacker has access to customers’ email accounts and credentials, they would still be prevented from logging into an account if multi-factor authentication has been enabled.
Here, Coinbase noted that due to a vulnerability that existed in their SMS account recovery process, it allowed the hackers to gain the SMS two-factor authentication needed to access a secured account.
Due to the fact that it was a bug in Coinbase’s SMS Account Recovery process allowing threat actors access to accounts, the exchange is depositing funds in affected accounts equal to the stolen amount.
“We will be depositing funds into your account equal to the value of the currency improperly removed from your account at the time of the incident. Some customers have already been reimbursed — we will ensure all customers affected receive the full value of what you lost. You should see this reflected in your account no later than today.”