Crypto exchange Coinbase disclosed that a threat actor stole cryptocurrency from 6,000 customers after using a vulnerability to bypass the company’s SMS multi-factor authentication security feature.

Coinbase is the world’s second-largest cryptocurrency exchange, with approximately 68 million users from over 100 countries.

In a notification sent to affected customers this week, Coinbase explains that between March and May 20th, 2021, a threat actor conducted a hacking campaign to breach Coinbase customer accounts and steal cryptocurrency.

To conduct the attack, Coinbase says the attackers needed to know the customer’s email address, password, and phone number associated with their Coinbase account and have access to the victim’s email account.

While it is unknown how the threat actors gained access to this information, Coinbase believes it was through phishing campaigns targeting Coinbase customers to steal account credentials, which have become common. Additionally, banking trojans traditionally used to steal online bank accounts are also known to steal Coinbase accounts.

MFA bug allowed access to accounts

Even if a hacker has access to a Coinbase customer’s credentials and email account, they are normally prevented from logging into an account if a customer has multi-factor authentication enabled.

In Coinbase’s guide on securing accounts, they recommend enabling multi-factor (MFA) authentication utilizing security keys, Time-based One Time Passwords (TOTP) with an authenticator app, or as a last resort, SMS text messages.

However, Coinbase states a vulnerability existed in their SMS account recovery process, allowing the hackers to gain the SMS two-factor authentication token needed to access a secured account.

“Even with the information described above, additional authentication is required in order to access your Coinbase account,” explained a Coinbase notification to customers seen by BleepingComputer.

“However, in this incident, for customers who use SMS texts for two-factor authentication, the third party took advantage of a flaw in Coinbase’s SMS Account Recovery process in order to receive an SMS two-factor authentication token and gain access to your account.”

Once they learned of the attack, Coinbase states that they fixed the “SMS Account Recovery protocols” to prevent any further bypassing of SMS multi-factor authentication.

As the threat actor also had full access to an account, customers’ personal information was also exposed, including their full name, email address, home address, date of birth, IP addresses for account activity, transaction history, account holdings, and balances.

As the Coinbase bug allowed threat actors to access what were believed to be secured accounts, the exchange is depositing funds in affected accounts equal to the stolen amount.

“We will be depositing funds into your account equal to the value of the currency improperly removed from your account at the time of the incident. Some customers have already been reimbursed — we will ensure all customers affected receive the full value of what you lost. You should see this reflected in your account no later than today,” promised Coinbase.

It is not clear if Coinbase will be crediting hacked customers with the cryptocurrency that was stolen or fiat currency. If fiat currency, it could lead to a taxable event for the victims if they had an increase in profits.

Customers who were affected by this attack can contact Coinbase at (844) 613-1499 to learn more about what is being done.

Coinbase shared the following statement when we requested more information about the attacks. However, they did not provide any further info on the SMS MFA flaw that they fixed.

“Between late April and early May, 2021, the Coinbase security team observed a large-scale phishing campaign that showed particular success in bypassing the spam filters of certain, older email services. We took immediate action to mitigate the impact of the campaign by working with external partners to remove phishing sites as they were identified, as well as notifying the email providers impacted. Unfortunately we believe, although cannot conclusively determine, that some Coinbase customers may have fallen victim to the phishing campaign and turned over their Coinbase credentials and the phone numbers verified in their accounts to attackers. Once the attackers had compromised the user’s email inbox and their Coinbase credentials, in a small number of cases they were able to use that information to impersonate the user, receive an SMS two-factor authentication code, and gain access to the Coinbase customer account. We immediately fixed the flaw and have worked with these customers to regain control of their accounts and reimburse them for the funds they lost. These large-scale, sophisticated phishing attacks are on the rise, and we strongly recommend anyone that uses online financial services to remain vigilant and take the necessary steps to protect their online identity.” – Coinbase spokesperson.

What Coinbase victims should do

Since the attack required the password of both a customer’s Coinbase and email account, it is strongly recommended that victims change their passwords immediately.

Coinbase also recommends users switch to a more secure MFA method, such as a hardware security key or an authentication app.

Finally, victims should be on the lookout for future targeted phishing emails or SMS texts that attempt to steal credentials using information exposed in the breach.

This is not the first time a bug in Coinbase’s MFA system caused issues for their customers.

In August, Coinbase accidentally alerted 125,000 customers that their 2FA settings had been changed, causing panic among those receiving the alert.

BleepingComputer has contacted Coinbase with further questions regarding this attack but has not heard back at this time.

-Update 10/1/21 11:49 AM EST: Added statement from Coinbase and link to a recent blog about the phishing attacks.
-Update 10/1/21 12:26 PM EST: Added phone number for customers impacted by the attacks to find more information.