Hackers leveraged a vulnerability in the bitcoin exchange’s SMS recovery system to steal cryptocurrency from 6,000 customers.
Coinbase, a major U.S.-based bitcoin and cryptocurrency exchange, disclosed today that a hacker was able to bypass the company’s SMS multi-factor authentication mechanism and steal funds from 6,000 users, Bleeping Computer reported.
The breach of Coinbase customers’ accounts happened between March and May 20, 2021, in a hacking campaign that combined phishing scams and a vulnerability exploit on the company’s security measures.
The U.S.-based exchange, which has approximately 68 million users from more than 100 countries, reportedly said that in order to conduct the attack, the hackers needed to know the user’s email address, password, and phone number, as well as have access to their email accounts. It is not clear how the hackers gained access to that information.
“In this incident, for customers who use SMS texts for two-factor authentication, the third party took advantage of a flaw in Coinbase’s SMS Account Recovery process in order to receive an SMS two-factor authentication token and gain access to your account,” Coinbase told customers in electronic notifications.
Beyond stealing funds, the hackers also exposed customers’ personal information, “including their full name, email address, home address, date of birth, IP addresses for account activity, transaction history, account holdings, and balances,” per the report.
Security should be a priority for every online service, but most especially for financial services. Companies that handle customers’ money, whether in USD or cryptocurrency, should not offer SMS as a recovery option at all, since it is the most easily exploited of the available methods. And where it is offered, users should avoid SMS for both account recovery and multi-factor authentication.
Better options for protecting your account are authenticator apps and hardware security keys such as YubiKeys. More importantly, you can and should protect your accounts with strong, unique passwords kept in a suitable password manager like Bitwarden.
Beyond that, users can also take back their sovereignty by opting out of centralized services altogether. Bitcoin exchanges like Coinbase represent a single point of failure, effectively becoming a hotbed for data breaches regardless of the security standards they claim to live by. Centralized custodians and providers are exploited often; decentralized alternatives exist and should be used. Think very carefully before handing your personal information to a third party.