Victims are informed that they will be reimbursed
Cryptocurrency exchange Coinbase admitted that a flaw in its implementation of SMS authentication led to the compromise of at least 6,000 user accounts.
In a letter (PDF) to victims, the US-based exchange said a third party gained access to Coinbase accounts and withdrew funds.
The incident, which occurred between March and May 20, 2021, was due to a vulnerability in its two-factor authentication protocol.
Coinbase said the malicious actors were able to carry out the attack because they had prior knowledge of the email addresses, passwords and phone numbers associated with the victims’ accounts.
The company said it was unable to “conclusively determine” how the actors obtained the information, but suggested: “This type of campaign usually involves phishing attacks or other social engineering techniques to trick a victim into unknowingly disclosing their login credentials to a bad actor.”
Coinbase added: “We have not found any evidence that these third parties obtained this information from Coinbase itself.”
Usually, two-factor authentication methods can prevent a malicious actor from accessing an account even if they have the credentials.
However, a flaw in Coinbase’s SMS authentication allowed them to bypass this additional line of defense.
Coinbase explained: “For customers who use SMS for two-factor authentication, the third party took advantage of a loophole in Coinbase’s SMS account recovery process in order to receive an SMS two-factor authentication token and access your account.”
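The defensive property at stake in the passage above is that a second-factor code obtained through one flow (account recovery) must never be usable in another (login). The following Python model, added here as an illustration and not Coinbase's code or a description of its actual loophole, shows one way to enforce that: every one-time code is bound to a user, a purpose and a specific attempt id, stored only as a hash, expires, is single-use, and has a bounded number of guesses. The names `OtpStore`, `issue`, `verify` and the TTL and attempt limits are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
import time

# Assumed policy values for this example (not values from the article).
OTP_TTL_SECONDS = 300   # a code is valid for five minutes
MAX_ATTEMPTS = 5        # wrong guesses allowed before the code is discarded


class OtpStore:
    """Issues and verifies SMS-style one-time codes bound to (user, purpose, attempt_id).

    Illustrative model only. The binding to `purpose` is what prevents a code
    issued for account recovery from being accepted at login, and the binding
    to `attempt_id` ties it to one specific authentication attempt.
    """

    def __init__(self, now=time.time):
        self._now = now              # injectable clock so expiry can be tested
        self._pending = {}           # (user, purpose, attempt_id) -> [digest, expires_at, attempts_left]

    @staticmethod
    def _digest(user, purpose, attempt_id, code):
        # Hash the code together with its binding so the stored value is useless
        # on its own and cannot be matched against a different purpose or attempt.
        material = f"{user}:{purpose}:{attempt_id}:{code}".encode()
        return hashlib.sha256(material).hexdigest()

    def issue(self, user, purpose, attempt_id):
        """Create a fresh six-digit code for one attempt. Returns the plaintext code
        only so this example can demonstrate verification; a real system would hand
        it to the SMS gateway and never return it to the caller."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[(user, purpose, attempt_id)] = [
            self._digest(user, purpose, attempt_id, code),
            self._now() + OTP_TTL_SECONDS,
            MAX_ATTEMPTS,
        ]
        return code

    def verify(self, user, purpose, attempt_id, code):
        """Accept the code once, only for the exact binding it was issued under."""
        key = (user, purpose, attempt_id)
        entry = self._pending.get(key)
        if entry is None:
            return False                       # never issued, already used, or wrong binding
        digest, expires_at, attempts_left = entry
        if self._now() > expires_at or attempts_left <= 0:
            del self._pending[key]             # expired or exhausted: discard, do not check
            return False
        expected = self._digest(user, purpose, attempt_id, code)
        if not hmac.compare_digest(expected, digest):
            entry[2] -= 1                      # count the failed guess
            return False
        del self._pending[key]                 # single-use: remove on success
        return True


def demo():
    """Show that a recovery code cannot be replayed at login, and is single-use."""
    store = OtpStore()
    code = store.issue("alice", "recovery", "attempt-1")
    return {
        "recovery_code_used_for_login": store.verify("alice", "login", "attempt-1", code),
        "recovery_code_other_attempt": store.verify("alice", "recovery", "attempt-2", code),
        "recovery_code_correct_binding": store.verify("alice", "recovery", "attempt-1", code),
        "recovery_code_replayed": store.verify("alice", "recovery", "attempt-1", code),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The model deliberately rejects before comparing when a code is expired or exhausted, so an attacker who holds a stale code learns nothing from the response; and because the purpose is part of the hashed material rather than a separate field, a code issued for recovery cannot match anything stored under a login binding.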
The company also warned that the third party could have had access to all the information of the affected accounts, which could include the victim’s full name, email address, home address, date of birth, IP addresses for account activity, transaction history, account holdings, and balance.
In the letter, Coinbase said it has “updated” its authentication protocols, but urged users to switch to using an authenticator app or a hardware security key.
Customers were also told they would be reimbursed for lost funds.