Last August, we brought you news of what was called the biggest heist ever. PolyNetwork, a decentralized finance (DeFi) firm working on interoperability of crypto coins, was hacked, and $600 million worth of cryptocurrencies were transferred out. Just days after this event, Japanese cryptocurrency exchange Liquid reported that it had also been hacked, this time losing $90 million in cryptocurrency.
Now Coinbase, the world's second-largest cryptocurrency exchange, has revealed that a threat actor stole cryptocurrency from 6,000 of its customers. The theft was conducted using a vulnerability that allowed the nefarious actors to bypass the company's SMS multi-factor authentication security feature.
In short, the flaw allowed those behind the hack to receive the victims' 2FA tokens via text.
Coinbase sent a statement addressed to the victims of the heist. The message revealed that the issue took place over several weeks, at least. "Unfortunately, between March and May 20, 2021, you were a victim of a third-party campaign to gain unauthorized access to the accounts of Coinbase customers and move customer funds off the Coinbase platform. At least 6,000 Coinbase customers had funds removed from their accounts, including you," the statement read.
The firm went on to explain that, for the theft to occur, the hackers needed knowledge of the email address, password, and phone number associated with the users' Coinbase accounts, as well as access to their personal email inbox.
That's obviously a lot of information.
The firm presumed that this data was acquired through phishing attacks or other social engineering techniques, since there was no evidence whatsoever that these third parties obtained this information from Coinbase itself.
However, as noted, Coinbase specified that the thieves did take advantage of a flaw in its SMS Account Recovery process. The firm also explained that it was updating its SMS Account Recovery protocols to thwart any future thefts and that the victims of the theft would be reimbursed.
Reality, it seems, plays out a little differently.
Coinbase has been slammed by numerous customers, who say the company has exhibited terrible customer service after hackers drained their accounts, according to CNBC. Interviews conducted with Coinbase customers and reviews of thousands of complaints ultimately reveal a pattern of account takeovers and, subsequently, poor customer service from Coinbase that left users hanging.
Additionally, the promises from the company do not change the fact that the actors had full access to an account, and that they were also privy to all kinds of personal information regarding Coinbase customers as a result. Coinbase has approximately 68 million users from over 100 countries.