Coinbase employee targeted in a social engineering attack

 

An unknown attacker stole the login credentials of one of Coinbase’s employees in an attempt to gain access to the company’s systems.

While the threat actor was not able to gain direct system access, a limited amount of corporate data was exposed, including contact information belonging to multiple Coinbase employees, the company said in a blog post, adding that customer funds and data were not affected.

The incident took place earlier this month when several Coinbase employees received SMS messages prompting them to log in via a provided link to receive an important message. While the majority of staff ignored the SMS alert, one employee clicked on the link and entered their login credentials. After “logging in”, the employee was asked to disregard the message and thanked for complying.

The attacker then attempted to gain remote access to the cryptocurrency exchange platform using the obtained login and password, but was unable to provide the required Multi-Factor Authentication (MFA) credentials and was blocked.

About 20 minutes later, the threat actor changed tactics and called the employee, posing as the Coinbase IT team, and directed the victim to log into their workstation and follow some instructions.

“That began a back and forth between the attacker and an increasingly suspicious employee. As the conversation progressed, the requests got more and more suspicious. Fortunately no funds were taken and no customer information was accessed or viewed, but some limited contact information for our employees was taken, specifically employee names, e-mail addresses, and some phone numbers,” Coinbase said.

Within the first 10 minutes of the attack, the company’s security team realized that something was wrong and contacted the employee via the internal Coinbase messaging system, inquiring about some of the unusual behavior and usage patterns associated with their account. The employee then terminated all communications with the attacker.

Coinbase has provided some of the observed Tactics, Techniques, and Procedures (TTPs) to help other organizations identify similar attacks.

