Coinbase, a major U.S.-based bitcoin and cryptocurrency exchange, disclosed today that a hacker was able to bypass the company’s SMS multi-factor authentication mechanism and steal funds from 6,000 users, Bleeping Computer reported.
The compromise of Coinbase customers’ accounts took place between March and May 20, 2021, in a campaign that combined phishing with the exploitation of a flaw in the company’s SMS account recovery process.
The U.S.-based exchange, which has approximately 68 million users from more than 100 countries, reportedly said that to carry out the attack the hackers needed to know a user’s email address, password, and phone number, as well as having access to the user’s email account. It is not clear how the attackers obtained that information.
“In this incident, for customers who use SMS texts for two-factor authentication, the third party took advantage of a flaw in Coinbase’s SMS Account Recovery process in order to receive an SMS two-factor authentication token and gain access to your account,” Coinbase told customers in electronic notifications.
Beyond stealing funds, the attackers also gained access to customers’ personal information, “including their full name, email address, home address, date of birth, IP addresses for account activity, transaction history, account holdings, and balances,” per the report.
The IPO happened in April. There is no way Coinbase didn’t know about this then! Maybe this is related to the heavy selling from company executives?