Coinbase, the second largest exchange in the world, with 68 million users, is known for being one of the safest. However, a recent report showed that the platform is not immune to security incidents.
According to a report by Bleeping Computer, 6,000 Coinbase users had their funds stolen. This was due to a bug in the SMS account recovery process.
The hacker behind the attack was able to gain access to accounts by intercepting SMS text messages with verification codes.
As the report points out, victims were likely targeted by widespread phishing campaigns.
Coinbase says it will return funds
This week, Coinbase sent a notification to affected customers explaining what happened.
According to the exchange, between March and May 20, 2021, a “threat actor” conducted a hacking campaign to breach the platform’s customer accounts and steal cryptocurrencies.
To carry out the attack, the attackers needed to know the email address, password and phone number associated with the customer’s Coinbase account. Only then were they able to gain access to the victim’s account.
The exchange believes they were able to obtain this data through massive phishing campaigns. After the breach, the largest crypto platform in the United States promised to reimburse its affected customers:
“We will be depositing funds into your account equal to the amount of currency improperly removed from your account at the time of the incident. Some customers have already been refunded. We will ensure that all affected customers receive the full amount lost.”
A Coinbase spokesperson told Insider that the company’s security team found a large-scale phishing campaign that showed “particular success in bypassing the spam filters of certain older email services.”
Coinbase said it took immediate steps to mitigate the impact of the fraud. Among other things, it worked with external partners to remove sites when identified and notify affected email providers.
To access a Coinbase account, two-factor authentication is also required. But in this incident, for customers using SMS for authentication, the third party was able to exploit a flaw in the account recovery process.
“Once in their account, the third party was able to transfer their funds to non-Coinbase crypto wallets,” the exchange said.