Hackers stole cryptocurrency from about 6,000 Coinbase accounts after bypassing multi-factor authentication in a suspected phishing campaign, a filing with the California state Attorney General’s office disclosed.
According to the data breach notification, the hackers leveraged a flaw in the platform’s account recovery process to hijack the two-factor authentication SMSes.
The Coinbase hack, first reported by Bleeping Computer, happened between March and May 2021.
The cryptocurrency exchange platform has about 68 million users in over 100 countries.
Coinbase hack originated from a third-party breach
Coinbase says that the hackers required personal information like email address, password, and phone number to complete the Coinbase hack. However, the cryptocurrency exchange platform said the hackers obtained information from a third-party source.
Coinbase breach notification indicated that the platform had no “evidence that these third parties obtained this information from Coinbase itself.” Additionally, the cryptocurrency exchange platform suggested that the information originated from phishing and social engineering campaigns.
On Sept 27, CoinBase said it had observed a campaign of “Coinbase-branded phishing messages” targeting “commonly used email service providers.” Coinbase described the campaign as highly successful and capable of bypassing spam filters of certain older email services.
According to the blog post, suspected hackers sent messages with different subject lines, content, and senders or different versions of the same phishing messages with different data-stealing techniques.
“Unfortunately, we believe, although cannot conclusively determine, that some Coinbase customers may have fallen victim to the phishing campaign and turned over their Coinbase credentials and the phone numbers verified in their accounts to attackers,” the company said in an email statement.
Coinbase acknowledged a multi-factor authentication flaw, reimburses the stolen crypto
Coinbase acknowledged a multi-factor authentication flaw that allowed hackers to receive an SMS-based two-factor authentication token required to retrieve user accounts.
“In this incident, for customers who use SMS texts for two-factor authentication, the third party took advantage of a flaw in Coinbase’s SMS Account Recovery process in order to receive an SMS two-factor authentication token and gain access to your account,” Coinbase admitted.
The company assured users that it had since fixed the “SMS Account Recovery protocols to prevent any further bypassing of that authentication process.”
Additionally, Coinbase promised to reimburse the “full value” of cryptocurrency stolen in the Coinbase hack. Some of the affected customers had reportedly received their cryptocurrency back.
The crypto exchange platform also advised its users to enable multi-factor authentication based on a security key or time-based one-time password (TOTP) with an Authenticator App. The platform describes SMS authentication as the last resort because of the possibility of third-party sim swaps.
The platform also promised to work with third parties to remove the phishing sites potentially used in the Coinbase hack.
Coinbase has suffered several breaches, including the August 2019 data exposure that stored 3,500 plaintext user passwords on a server log. The platform also warded off a suspected state-sponsored attack in the same month. However, no user data was exposed to third parties in both attacks.
“This once again and further drives home the fact that SMS-based two-factor authentication is fundamentally insecure and should not be considered a best practice,” says Chris Clements, VP of Solutions Architecture, Cerberus Sentinel.
“In this case, it appears to be a bug in Coinbase’s implementation, but SIM swap and other attacks are rampant with SMS-based 2FA,” Clements continued. “I know SMS-based 2FA can be convenient and easy to use, but the same way your bank won’t let you pick the password ‘password,’ organizations should disallow usage of SMS-based verification.”
Coinbase hack leaked personally identifiable information
Apart from transferring funds, the Coinbase hack also exfiltrated users’ personally identifiable information (PII), including full names, birth dates, IP addresses, email, home addresses, account holdings, balances, account activity, and transaction history.
The affected users will likely become victims of other phishing attacks exploiting their personally identifiable information leaked in the CoinBase hack.
Furthermore, some account owners may not immediately be aware that their accounts were breached. These accounts could be auctioned on the dark web marketplaces for decent prices. According to Privacy Affairs 2021 Dark Web price index report, compromised crypto account fetch about $610 on underground forums. It remains unclear whether the threat actors who breached these accounts compromised the accounts themselves or sold them to other threat actors.
Roger Grimes, a Data-Driven Defense Evangelist at KnowBe4 and the author of Hacking Multi-factor Authentication (Wiley), says the CoinBase hack is not new. “This is not the first time MFA-using Coinbase customers have been compromised. It is at least the second or third time. So, this is not new.”
He added that SMS-based multi-factor authentication methods could be hacked in multiple ways and “are among the most hackable” security solutions.
He also noted that in 2017, the U.S. National Institute of Standards and Technology (NIST) Digital Identity Guidelines SP800-63 discouraged SMS-based multi-factor authentication use in protecting valuable data. “They even reserved the future right to remove it as an allowed MFA solution completely,” Grimes continued. “And yet, SMS-based MFA is probably the most used MFA solution on the internet today.
Grimes noted that most customers use SMS-based multi-factor authentication without knowing its vulnerability most of the time because the vendors force them.
