Threat actors have exploited a vulnerability in the SMS-based two-factor authentication (2FA) system implemented by the crypto exchange Coinbase to steal funds from more than 6,000 users.
According to a data breach notification letter filed with US state attorney general offices, attackers who already knew the username, password and phone number associated with an account were able to bypass the SMS-based authentication and steal funds.
“Unfortunately, between March and May 20, 2021, you were a victim of a third-party campaign to gain unauthorized access to the accounts of Coinbase customers and move customer funds off the Coinbase platform. At least 6,000 Coinbase customers had funds removed from their accounts, including you.” reads the data breach notification letter.
“In order to access your Coinbase account, these third parties first needed prior knowledge of the email address, password, and phone number associated with your Coinbase account, as well as access to your personal email inbox.”
Attackers exploited a flaw in Coinbase's SMS Account Recovery process to obtain an SMS two-factor authentication token. Once the campaign was discovered, the company updated its SMS Account Recovery protocols.
The company has yet to determine how the attackers obtained the above information; they likely gathered it through phishing attacks. In any case, Coinbase ruled out that the data came from the company itself.
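The notification describes a pattern a defender can look for in authentication and transaction logs: an SMS account-recovery event, followed shortly by a successful 2FA check and a withdrawal. The script below is an added illustration of that detection logic and is not Coinbase's own code; the log format (ISO timestamp, user, event kind) and the sample lines are constructed for the example, and the 30-minute window is an assumed tuning value.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: "timestamp,user,event_kind" (not real Coinbase data).
SAMPLE_LOG = [
    "2021-04-10T09:00:00,alice,login",
    "2021-04-10T09:01:00,alice,sms_recovery",   # recovery requested
    "2021-04-10T09:03:00,alice,2fa_ok",         # SMS code accepted
    "2021-04-10T09:10:00,alice,withdrawal",     # funds moved off platform
    "2021-04-10T12:00:00,bob,login",
    "2021-04-10T12:00:30,bob,2fa_ok",           # normal login, no recovery
    "2021-04-10T12:05:00,bob,withdrawal",
    "2021-04-11T08:00:00,carol,sms_recovery",
    "2021-04-11T08:01:00,carol,2fa_ok",
    "2021-04-11T10:00:00,carol,withdrawal",     # two hours later: outside window
]


@dataclass
class Event:
    ts: datetime
    user: str
    kind: str  # "login", "sms_recovery", "2fa_ok" or "withdrawal"


def parse_events(lines):
    """Parse the constructed CSV-style log lines into Event objects."""
    events = []
    for line in lines:
        ts, user, kind = line.strip().split(",")
        events.append(Event(datetime.fromisoformat(ts), user, kind))
    return events


def flag_recovery_then_withdrawal(events, window=timedelta(minutes=30)):
    """Return {user: (recovery_ts, withdrawal_ts)} for every user where an
    SMS recovery event is followed, within `window`, by a 2FA success and
    then a withdrawal. Ordinary logins that never touch recovery, and
    recoveries whose withdrawal falls outside the window, are not flagged."""
    by_user = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_user.setdefault(e.user, []).append(e)

    flagged = {}
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            if e.kind != "sms_recovery":
                continue
            saw_2fa = False
            for later in evs[i + 1:]:
                if later.ts - e.ts > window:
                    break  # events are sorted; nothing later can be inside the window
                if later.kind == "2fa_ok":
                    saw_2fa = True
                elif later.kind == "withdrawal" and saw_2fa:
                    flagged[user] = (e.ts, later.ts)
                    break
    return flagged


if __name__ == "__main__":
    for user, (rec, wd) in flag_recovery_then_withdrawal(parse_events(SAMPLE_LOG)).items():
        print(f"ALERT {user}: recovery at {rec}, withdrawal at {wd}")
```

The window-based rule is deliberately simple; in practice a reviewer would also weigh whether the recovery came from a new device or IP and whether the withdrawal destination was previously unseen, but the recovery-to-withdrawal sequence is the signal the campaign described above would leave behind.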
“We have not found any evidence that these third parties obtained this information from Coinbase itself,” the company continues.
The cryptocurrency exchange announced it will reimburse all impacted users and already started to send them the refunds.