Cryptocurrency exchange Coinbase has admitted that a fault in its implementation of SMS-based authentication led to the compromise of at least 6,000 users accounts.
In a letter (PDF) to victims, the US-based exchange said that a third-party actor had gained access to Coinbase accounts and removed funds.
The incident, which happened between March and May 20, 2021, was due to a vulnerability in its two-factor authentication protocol.
Security woes
Coinbase said that the malicious actors were able to carry out the attack as they had prior knowledge of email addresses, passwords, and phone numbers associated with victims’ accounts.
The company said it is not able to “determine conclusively” how the actors obtained the information, but suggested: “This type of campaign typically involves phishing attacks or other social engineering techniques to trick a victim into unknowingly disclosing login credentials to a bad actor.”
Coinbase added: “We have not found any evidence that these third parties obtained this information from Coinbase itself.”
Usually, two-factor authentication methods can stop a bad actor from accessing an account even if they have the credentials.
However, a flaw in Coinbase’s SMS-based authentication meant that they were able to bypass this extra line of defense.
Coinbase explained: “For customers who use SMS texts for two-factor authentication, the third party took advantage of a flaw in Coinbase’s SMS Account Recovery process in order to receive an SMS two-factor authentication token and gain access to your account.”
Data breach
The company also warned that the third party could have had access to all information in the affected accounts, which could include the victim’s full name, email address, home address, date of birth, IP addresses for account activity, transaction history, account holdings, and balance.
In the letter, Coinbase said it has “updated” its authentication protocols, but urged users to switch to using an authentication app or hardware security key.
Customers were also told that they will be reimbursed for any lost funds.
