6,000 Coinbase Users Affected by Multi-Factor Authentication Bug
Bleeping Computer has reported that the cryptocurrency exchange Coinbase has notified around 6,000 customers that their accounts were compromised due to a vulnerability in its multi-factor authentication (MFA) system. From March to May 2021, unknown attackers gained access to user accounts to steal cryptocurrency.
Coinbase is the world’s second-largest cryptocurrency exchange, serving about 68 million users across more than 100 countries. While the scale of the incident is not massive, the attack was far from simple. To successfully breach an account, hackers needed to know the victim’s email address, password, and phone number linked to their Coinbase account, as well as have access to the victim’s email inbox.
It remains unclear how the attackers obtained all this information, but phishing campaigns targeting Coinbase users have become increasingly common, and many banking trojans have learned to steal credentials from cryptocurrency exchanges.
How the Attack Bypassed MFA
Even when attackers had all the necessary credentials, MFA was supposed to protect user funds. Coinbase recommends that all users enable MFA using hardware security keys, time-based one-time passwords (TOTP) from authenticator apps, or, as a last resort, SMS text messages.
However, it was discovered that the account recovery process via SMS contained a vulnerability. This flaw allowed hackers to obtain the two-factor authentication token required to access the account.
“During this incident, which affected customers using SMS for two-factor authentication, a third party exploited a vulnerability in Coinbase’s SMS account recovery process to receive the two-factor authentication token via SMS and gain access to user accounts,” company representatives explained.
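The difference between the SMS path that was abused and the authenticator-app path Coinbase recommends is where the one-time code is produced: with TOTP the server and the user's app each derive the code from a shared secret and the current time, so no code is ever transmitted over a recoverable channel. The following is an added illustration of a minimal RFC 6238 verifier, written for this article; it is not Coinbase's code and says nothing about the specific flaw in their recovery process. The secret and timestamps are the published RFC test values, and the replay check and skew window are design choices of this example.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from typing import Optional, Tuple

# Constructed example of an RFC 6238 (TOTP) verifier; not production or Coinbase code.
DIGITS = 6          # code length shown by authenticator apps
STEP = 30           # seconds per time step


def generate_secret(nbytes: int = 20) -> str:
    """Random base32 secret; this is the value a user enrols in an authenticator app."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def hotp(secret_b32: str, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated to DIGITS."""
    key = base64.b32decode(secret_b32, casefold=True)
    msg = struct.pack(">Q", counter)
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** DIGITS)).zfill(DIGITS)


def totp(secret_b32: str, at: int) -> str:
    """TOTP is HOTP with the counter set to the current 30-second step."""
    return hotp(secret_b32, at // STEP)


def verify_totp(secret_b32: str, candidate: str, at: int,
                window: int = 1,
                last_used: Optional[int] = None) -> Tuple[bool, Optional[int]]:
    """Check a submitted code against the secret.

    - Accepts +/- `window` steps to tolerate clock skew between phone and server.
    - Refuses any step at or before `last_used`, so a code that has already been
      consumed (e.g. one a phishing page relayed moments ago) cannot be replayed.
    - Uses a constant-time comparison for each candidate step.
    Returns (accepted, new_last_used).
    """
    if len(candidate) != DIGITS or not candidate.isdigit():
        return False, last_used
    base = at // STEP
    for delta in range(-window, window + 1):
        step = base + delta
        if last_used is not None and step <= last_used:
            continue
        if hmac.compare_digest(hotp(secret_b32, step), candidate):
            return True, step
    return False, last_used


# Base32 of the ASCII secret "12345678901234567890" from the RFC 6238 test vectors.
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    print("code at t=59:", totp(RFC_SECRET, 59))            # 287082 per RFC 6238 (SHA-1, 6 digits)
    ok, used = verify_totp(RFC_SECRET, "287082", 59)
    print("first use accepted:", ok)
    ok2, _ = verify_totp(RFC_SECRET, "287082", 59, last_used=used)
    print("replay accepted:", ok2)
```

The verifier never needs to send anything to the user: a relayed or intercepted code is only useful within the skew window and only once, which is the property an SMS-delivered recovery token lacks.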
Coinbase’s Response and User Recommendations
Because the bug allowed attackers to access so-called “protected accounts,” Coinbase will reimburse users for any losses and restore funds equal to the stolen amounts. “You should see this reflected in your account no later than today,” Coinbase promised.
Since attackers had full access to compromised accounts, personal information was also exposed, including full names, email addresses, home addresses, dates of birth, IP addresses, transaction history, assets, and account balances.
As the attack required both the Coinbase account password and access to the user’s email, victims are strongly advised to change their passwords immediately. Coinbase also recommends that all users switch to a more secure MFA method, such as a hardware security key or an authenticator app.