Coinbase reports 6,000 crypto account hacks after SMS flaw
Hackers used an unusual vulnerability to steal crypto from user accounts at the American crypto exchange.
Coinbase said it would reimburse the stolen amounts to make up for damages and did not report further security breaches as of press time.
The hackers exploited a vulnerability to bypass the SMS authentication feature put in place by Coinbase to ensure user security. They illicitly gained access to user email addresses, passwords, and associated phone numbers, and used this information to log in.
Hackers may have conducted large-scale phishing campaigns to gain access to such sensitive information—said Coinbase—one that unsuspecting users willingly gave out.
Banking trojan viruses have, in addition, been known to hit Coinbase users in the past.
Inside the Coinbase hit
As part of its security, hackers with access to a Coinbase customer’s credentials and email account are normally prevented from logging into an account if a customer has multi-factor authentication enabled.
However, Coinbase said a vulnerability existed in their SMS account recovery process, allowing the hackers to gain the SMS two-factor authentication token needed to access a secured account.
“Even with the information described above, additional authentication is required in order to access your Coinbase account,” a notification read.
It added, “In this incident, for customers who use SMS texts for two-factor authentication, the third party took advantage of a flaw in Coinbase’s SMS Account Recovery process in order to receive an SMS two-factor authentication token and gain access to your account.”
Coinbase patched the bug shortly after it was discovered. Meanwhile, the exchange said it would reimburse the stolen funds directly into the accounts of affected users.
“We will be depositing funds into your account equal to the value of the currency improperly removed from your account at the time of the incident. Some customers have already been reimbursed — we will ensure all customers affected receive the full value of what you lost. You should see this reflected in your account no later than today,” a notice sent to users read.