Hackers Exploit Coinbase Vulnerability to Steal Crypto from 6,000 Users

US crypto exchange Coinbase recently disclosed that funds from at least 6,000 customers were removed from their accounts by hackers who took advantage of a bug in its SMS multi-factor authentication (MFA).
SMS MFA is a security feature that allows users to authenticate and log in to their accounts by entering a security token sent to them via SMS. This adds an extra layer of security for users and helps prevent unauthorised logins.
Coinbase Says Hacker Exploited a Bug in its MFA
A letter posted by Coinbase on the Attorney General of California’s website shows the incident took place between March and May this year.
For customers who use SMS texts for two-factor authentication, the third party took advantage of a flaw in Coinbase’s SMS Account Recovery process in order to receive an SMS two-factor authentication token and gain access to your account.
Coinbase letter to users
The success of the attack means the hackers already knew victims’ personal information such as their email, phone number and password. The exchange says it’s unclear how the attackers were able to gain access to the information. However, chances are the information was gleaned from social engineering tricks or phishing attacks, which are not unknown to Coinbase and the crypto market in general.
The total value of cryptocurrency lost in the SMS multi-factor authentication breach wasn’t disclosed, but the exchange said it had repaid the funds to affected users.
We immediately fixed the flaw and have worked with these customers to regain control of their accounts and reimburse them for the funds they lost.
Coinbase
Lax Security, Poor Customer Service
Inarguably the leading cryptocurrency exchange in the US, Coinbase has approximately 68 million users from more than 100 countries, yet the exchange is often criticised for its lax security and poor customer service.
In August, the exchange erroneously sent a message to about 125,000 customers, informing them that their 2FA settings had been changed. It subsequently had to compensate affected users for the impact of the incident on their trust in Coinbase.