Coinbase has admitted that hackers stole crypto from thousands of its users’ accounts over a three-month period.
The exchange has written to customers to say that at least 6,000 people were involved in an incident that started in March and ended on May 20.
An unidentified “bad actor” managed to discover the email, password, and phone number associated with victims’ accounts, allowing them to transfer crypto to their own external wallets.
Coinbase was not able to “determine conclusively how these third parties gained access to this information” but insisted it has not “found any evidence that these third parties obtained this information from Coinbase itself”.
This means victims are likely to have been tricked into handing over the information to hackers in a phishing or social engineering scam which involves sending highly convincing emails which look like they come from a legitimate source, but are actually designed to harvest passwords and other information.
Coinbase wrote to affected customers and promised to refund the stolen crypto – which is more than many banks would do if their customers fell victim to phishing. It also offered free credit monitoring to victims, so they can stop thieves from stealing their identity and taking out credit in their name.
Hackers who accessed the Coinbase accounts would have been able to view people’s full name, email address, home address, date of birth, IP addresses for account activity, transaction history, account holdings, and balance.
“The third party who accessed your account may have changed the email, phone number, or other information associated with your account. We are working to restore any changed emails or phone numbers to their original state prior to the unauthorized activity,” Coinbase said in its letter.
It “strongly encouraged” customers who currently use SMS-based two-factor authentication to use a stronger method of securing their Coinbase accounts, such as a time-based one-time password (TOTP) or a hardware security key. Users should also change their passwords immediately.
The exchange also explained what happened in a blog, which differs slightly from the letter sent to customers and alleges the incident began in April, not March.
“Between April and early May 2021, the Coinbase security team observed a significant uptick in Coinbase-branded phishing messages targeting users of a range of commonly used email service providers,” it wrote.
“Though the attack was broad, it demonstrated a higher degree of success in bypassing the spam filters of certain older email services.
“The messages used a wide variety of different subject lines, senders, and content. It sometimes sent multiple variations to the same victims. Depending on the variant of email received, different techniques to steal credentials were used as well.”
Once the attackers had compromised the user’s email inbox and their Coinbase credentials, they were able to impersonate “a small number of people”, receive an SMS two-factor authentication code, and gain access to their Coinbase customer account. After gaining access, hackers transferred funds to crypto wallets that were unassociated with Coinbase.
It is now extremely simple to launch phishing campaigns because the tools can be rented on the dark web or even found online.
We have discovered a YouTube video advertising a Coinbase phishing tool called ScamPage, which was published in May 2021. This tool can be rented for a few dollars and offers hackers access to a fake website designed to look like Coinbase’s own interface.
Although the effectiveness of this tool cannot be proven, it claims to be able to trick people into typing in their passwords.
It starts by asking targets to enter their password into a convincing login page, before inviting them to provide bank details and upload photo ID. Handing this information to hackers could prove financially disastrous.
NOTE: Coinbase has set up a dedicated phone support line for customers who have been impacted by the incident at 1 (844) 613-1499.