Not sure why this is coming out when it is, but 6,000 accounts were hacked due to a “vulnerability” in Coinbase’s SMS two-factor authentication system. Coinbase can’t say for certain how the hackers got in, but they do say the hackers would have needed account email addresses, phone numbers and passwords to make that happen. The possibility that the account holders were victims of phishing attempts or social engineering is most likely.
Luckily, Coinbase is refunding anyone exposed to this hack, which is the right thing to do.
Not much is being shared about why this news was just released in September, which leads me to believe either the CA DOJ was involved in that decision, or Coinbase was trying to time the market.
The official notice from Coinbase can be found here.
Again, the hack appears to have started outside of Coinbase’s network and control, but was then helped along by a bug in their SMS-based identity verification system.
In order to access your Coinbase account, these third parties first needed prior knowledge of the email address, password, and phone number associated with your Coinbase account, as well as access to your personal email inbox. While we are not able to determine conclusively how these third parties gained access to this information, this type of campaign typically involves phishing attacks or other social engineering techniques to trick a victim into unknowingly disclosing login credentials to a bad actor. We have not found any evidence that these third parties obtained this information from Coinbase itself. Even with the information described above, additional authentication is required in order to access your Coinbase account. However, in this incident, for customers who use SMS texts for two-factor authentication, the third party took advantage of a flaw in Coinbase’s SMS Account Recovery process in order to receive an SMS two-factor authentication token and gain access to your account.
Coinbase is recommending users move away from SMS-based authentication in favor of time-based one-time passwords (TOTP) or security keys.
Finding a bug in an SMS authentication process sounds advanced to me. I think these hackers are gone…I imagine the hackers won’t leave much identifying information behind.
SMS-based security is not really considered secure at all. Time to stop offering that. I have big-bank accounts that still use SMS-based identity verification with no option other than a phone call.