Coinbase Attackers Bypassed Account Authentication
US cryptocurrency exchange Coinbase is facing a backlash from its users after notifying them that at least 6,000 customers had their funds stolen by hackers.
The “third-party campaign” took place between March and May 20, 2021.
“In order to access your Coinbase account, these third parties first needed prior knowledge of the email address, password, and phone number associated with your Coinbase account, as well as access to your personal email inbox,” the firm explained in a breach notification letter.
“While we are not able to determine conclusively how these third parties gained access to this information, this type of campaign typically involves phishing attacks or other social engineering techniques to trick a victim into unknowingly disclosing login credentials to a bad actor. We have not found any evidence that these third parties obtained this information from Coinbase itself.”
However, while Coinbase does not appear to have been responsible for the initial data leak, which enabled the first stage of the attack, a crucial flaw in its authentication process was to blame for the unauthorized account access.
“Even with the information described above, additional authentication is required in order to access your Coinbase account,” it continued.
“However, in this incident, for customers who use SMS texts for two-factor authentication, the third party took advantage of a flaw in Coinbase’s SMS Account Recovery process in order to receive an SMS two-factor authentication token and gain access to your account.”
Coinbase, the world’s second-largest cryptocurrency exchange with tens of millions of global users, said it would reimburse customers the full value of their losses. The firm has also updated its SMS Account Recovery protocols to ensure authentication can’t be bypassed in a similar way in the future.
However, it warned that, while inside the hacked accounts, the unauthorized third parties would have had access to, and may have changed, personal details. These details include full name, email and home address, date of birth, IP addresses for account activity, transaction history, account holdings and balance.
This isn’t the first time Coinbase has been in the news following a security breach. In 2019 it was forced to halt trading of Ethereum Classic (ETC) after spotting “double spend” attacks totalling more than $1m.
Hacked Coinbase accounts are said to be worth as much as $610 apiece on the cybercrime underground.