6,000 Coinbase User Accounts Hacked Due to Multi-Factor Authentication Bug

Bleeping Computer reported that cryptocurrency exchange Coinbase has notified about 6,000 customers that their accounts have been hacked due to a vulnerability in the multi-factor authentication system. From March to May 2021, unknown attackers infiltrated other people’s accounts in order to steal cryptocurrency.

Coinbase is the second largest cryptocurrency exchange in the world, used by about 68 million people from over 100 countries.

The scale of the incident is not very large, since the attack cannot be called simple. For a successful hack, the hackers needed to know the victim’s email address, password and phone number associated with the Coinbase account, as well as have access to the target’s mailbox.

It is not yet clear how attackers gained access to all this information, but phishing campaigns targeting Coinbase users have become common lately, and many banking Trojans have “learned” how to steal registered data from cryptocurrency exchanges.

Even in the case when the attackers had all the necessary data, access to other people’s funds was still protected by multifactor authentication (MFA). Coinbase recommends all users to use MFAs through hardware security keys, Time-based One Time Passwords from dedicated authentication applications, or, as a last resort, SMS text messages.

As it turned out, there was a vulnerability in the procedure for restoring an account via SMS, which allowed hackers to obtain a two-factor authentication token necessary to access the account.

Since the bug allowed cybercriminals to gain access to the so-called “secure accounts”, the exchange will compensate users for all the damage done and place funds equal to the stolen amounts on the affected accounts. “You should see this in your account no later than today,” promises Coinbase.

Since the attackers had full access to other people’s accounts, the personal information of the exchange clients was also disclosed, including full names, email addresses, home addresses, dates of birth, IP addresses, transaction history, assets and account balances.

Let me remind you that we also reported that Hackers stole $ 29 million from Cream Finance platform.