Hackers exploit 2FA bug to steal from thousands of Coinbase customers

 

At least 6,000 Coinbase users had their funds stolen after hackers exploited a vulnerability to bypass the company's SMS multi-factor authentication security feature.

Coinbase is currently the second-largest cryptocurrency exchange in the world, behind Binance.

In a breach notification letter sent to customers, the company said that between March and May 20, 2021, an unauthorized third party gained access to the accounts of Coinbase customers and moved customer funds off the Coinbase platform.

The company explained that to gain access to the customers’ accounts, a threat actor needed prior knowledge of the email address, password, and phone number associated with the victim’s Coinbase account, as well as access to the personal email inbox.

“In this incident, for customers who use SMS texts for two-factor authentication, the third party took advantage of a flaw in Coinbase’s SMS Account Recovery process in order to receive an SMS two-factor authentication token and gain access to your account … Once in your account, the third party was able to transfer your funds to crypto wallets unassociated with Coinbase,” Coinbase said.

“While we are not able to determine conclusively how these third parties gained access to this information, this type of campaign typically involves phishing attacks or other social engineering techniques to trick a victim into unknowingly disclosing login credentials to a bad actor.

“We have not found any evidence that these third parties obtained this information from Coinbase itself,” the company said.

Coinbase has also promised to reimburse all customers who lost funds due to the incident.

