Popular cryptocurrency exchange Coinbase admitted that unknown intruders bypassed its multi-factor authentication (MFA) mechanism to steal crypto funds from over 6,000 users.
“Unfortunately, between March and May 20, 2021, you were a victim of a third-party campaign to gain unauthorized access to the accounts of Coinbase customers and move customer funds off the Coinbase platform. At least 6,000 Coinbase customers had funds removed from their accounts, including you,” Coinbase said in an official notice sent to its customers.
Vulnerability in MFA Feature
Threat actors reportedly exploited a bug in Coinbase’s SMS MFA feature to compromise user accounts and pilfer cryptocurrency. The flaw allowed hackers to receive the victims’ 2FA tokens via SMS. The third parties needed prior knowledge of the email address, password, and phone number associated with the Coinbase account, as well as access to the customer’s email account. While it’s still unknown how the hackers obtained the user credentials, Coinbase stated that attackers could have leveraged phishing or social engineering techniques to trick victims into unknowingly disclosing login credentials.
“We have not found any evidence that these third parties obtained this information from Coinbase itself. Even with the information described above, additional authentication is required to access your Coinbase account. However, in this incident, for customers who use SMS texts for two-factor authentication, the third-party took advantage of a flaw in Coinbase’s SMS Account Recovery process to receive an SMS two-factor authentication token and gain access to your account,” Coinbase added.
Intruders who gained access to Coinbase accounts could view sensitive user information such as full name, email address, home address, date of birth, IP addresses for account activity, transaction history, account holdings, and balance. They could also alter users’ account details, such as email, phone number, or other information associated with the account, to transfer funds illicitly. Coinbase clarified that it is working to restore any changes made by attackers to customer accounts.
Coinbase immediately updated its SMS Account Recovery protocols to prevent further bypassing of the authentication procedures. The company also announced that it deposited funds into the affected user accounts and offered free credit monitoring services. While the threat actors behind the security incident are unknown, Coinbase stated it’s working closely with law enforcement authorities to investigate the incident.
Meanwhile, the company urged its customers to update their account login credentials and use a robust authentication procedure such as a time-based one-time password (TOTP) or a hardware security key.