Bitcoin Forum
Topic: [2021-10-02] Coinbase says hackers stole cryptocurrency from at least 6,000
DaveF (OP)
October 02, 2021, 06:49:51 PM
Merited by o_e_l_e_o (4), BlackHatCoiner (3)
 #1

https://www.reuters.com/business/finance/coinbase-says-hackers-stole-cryptocurrency-least-6000-customers-2021-10-01/

Quote
Oct 1 (Reuters) - Hackers stole from the accounts of at least 6,000 customers of Coinbase Global Inc (COIN.O), according to a breach notification letter sent by the cryptocurrency exchange to affected customers.

The hack took place between March and May 20 of this year, according to a copy of the letter posted on the website of California's Attorney General.

But later in the article:

Quote
The hackers needed to know the email addresses, passwords and phone numbers linked to the affected Coinbase accounts, and have access to personal emails, the company said.

So if they had all that info from that many people it really sounds like the headline should be:

6000 people who used the same username and password for their coinbase & email & cell phone accounts were robbed because they had really poor opsec.
Sorry but if they had access to someone's email & cell phone accounts Coinbase and their BTC is not their only problem at this point.

IMO the only reason it made any kind of news is because it was Coinbase / Bitcoin.
If this happened to 6000 people with Bank Of America checking accounts, there would probably be no headlines about it at all.

-Dave

o_e_l_e_o
October 02, 2021, 07:56:28 PM
Merited by BlackHatCoiner (1)
 #2

Quote
6000 people who used the same username and password for their coinbase & email & cell phone accounts were robbed because they had really poor opsec.

Almost certainly they were also using the same email and password for some other account which was then part of a database hack or leak, many of which are circulated freely online. Anyone can then use those details to log in to your email account and then search for anything which might be valuable, such as a linked exchange account or web wallet.

The article also says "Unauthorized third parties exploited a flaw in the company's SMS account recovery process to gain access to the accounts." I don't own a Coinbase account, but is this linked to accounts which are using SMS as a 2FA? I've said it many times before - SMS is not secure in the slightest. They are transmitted unencrypted, can be intercepted, and an attacker can transfer your phone number to their phone in one five minute phone call to your carrier. Don't use SMS for anything sensitive or valuable.
NeuroticFish
October 02, 2021, 08:15:03 PM
 #3

Since I already answered in another topic about this, I'll cross-post:

Some points before people start panicking:

Quote
The hack took place between March and May 20 of this year

Quote
The hackers needed to know the email addresses, passwords and phone numbers linked to the affected Coinbase accounts, and have access to personal emails

Although obviously Coinbase said that there's no evidence that the users' data comes from them, it looks too much like it. Either somebody from inside has sold users' data to a malicious 3rd party, or Coinbase's user database was hacked and they didn't notice. Of course, from there to actually accessing users' e-mails there's still some work to do.

The warning, however, is the same as always: don't keep at centralized exchanges too much money and for too long. Not your keys, not your coins.

I'll only add that why is this getting publicized this heavily ... now? Are they running out of "bitcoin is bad" news?

o_e_l_e_o
October 03, 2021, 07:02:05 AM
Merited by NeuroticFish (1)
 #4

Quote
I'll only add that why is this getting publicized this heavily ... now? Are they running out of "bitcoin is bad" news?

Is it a little bit suspicious to anyone else that a flaw in Coinbase's system which resulted in 6,000 people having their coins stolen, and which happened right at the time of their IPO, wasn't made public for ~6 months after the event? I'm certain that people buying their shares would have been interested to know of a critical vulnerability such as this.
dansus021
October 03, 2021, 07:11:20 AM
 #5

Is the data of the 6000 hacked accounts public? I mean, do we know if our data is safe? From DeFi to centralized exchanges, hackers are popping up everywhere, which becomes one reason the public hates crypto.

InvoKing
October 03, 2021, 09:01:54 AM
 #6

Quote
Is the data of the 6000 hacked accounts public? I mean, do we know if our data is safe? From DeFi to centralized exchanges, hackers are popping up everywhere, which becomes one reason the public hates crypto.

If you fear for your data, change your password and don't use the same one in more than 1 of your accounts. Of course, don't use exchanges or any other wallet type that doesn't allow you to have your private keys.

Lucius
October 03, 2021, 10:42:08 AM
 #7

Quote
I'll only add that why is this getting publicized this heavily ... now? Are they running out of "bitcoin is bad" news?

If something happened 6+ months ago, and we only find out now - then it is very obvious that the publication of such news is directed either in the direction of creating some kind of panic, or perhaps rather in the direction of showing how quickly Coinbase acts in such situations and that all damaged users are compensated.

Quote
"We immediately fixed the flaw and have worked with these customers to regain control of their accounts and reimburse them for the funds they lost," a Coinbase spokesperson said on Friday.

The message they send in this way is more than clear, "even if you are hacked, the company will compensate you", which in some way encourages users to use their account as crypto storage.

davis196
October 03, 2021, 11:52:13 AM
 #8

It would be interesting to know how the hackers gathered all this data of emails and passwords.
I know that account cracking is a thing. AFAIK, there is a software called Openbullet, which is being used for cracking various online accounts.
All the things needed are the software, configs about the websites, combolists (a bunch of email/password combinations), proxies and a VPS/RDP, so the software could run 24/7.
I know that Coinbase accounts have been cracked before, by using this cracking tool, but I don't know how the hackers managed to bypass the 2Factor Authentication. I guess that there was a flaw in the 2FA system, which was exploited.
The other option is all this account data being leaked from the Coinbase database, I guess.
Anyway, I hope the hackers will be caught and the people are getting back their coins, just like Coinbase had promised.

sanjusajan
October 03, 2021, 01:47:35 PM
 #9

This is all the work of hackers who are robbing all of the money from the workers and exchanges. They have hacked many more hunters' wallets as well. They only hack those exchanges and wallets that haven't done their security properly, and if there is any mistake at any time, the hackers are waiting for that time and they attack, so the exchange should make strong security and they have to update it according to their system and time.
o_e_l_e_o
October 03, 2021, 08:16:32 PM
 #10

Quote
If you fear for your data, change your password and don't use the same one in more than 1 of your accounts. Of course, don't use exchanges or any other wallet type that doesn't allow you to have your private keys.

This is good advice to secure your coins. This does nothing to secure your data. It doesn't matter how secure your account is, how strong your password is, what 2FA you have activated; if the exchange's database gets hacked or they decide to sell information to third parties, then say goodbye to your data and your privacy.

Quote
but I don't know how the hackers managed to bypass the 2Factor Authentication. I guess that there was a flaw in the 2FA system, which was exploited.

As I explained above, SMS as a 2FA method is not in the least bit secure. Neither is email for that matter, since if an attacker can access your email account to reset your password, they can also receive any 2FA code, meaning your account is only secured by one factor - your email account. Both of these methods are barely better than not using any 2FA at all. If you want secure 2FA you should be using a 2FA app on a device which never logs in to any of your accounts as a minimum, but preferably a hardware key.
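
The argument in the post above, that a 2FA code delivered to the same inbox that resets the password leaves only one real factor, worked through as an added example that is not part of the thread. The account model, the asset names and the `SECRETS` list are constructed assumptions, not any exchange's real login or recovery flow.

```python
from itertools import combinations

# Constructed model for illustration; not any exchange's real login or recovery flow.
SECRETS = ["email_password", "exchange_password", "hardware_key", "sim_control"]

def reachable(rules, held):
    """Everything an attacker ends up holding, starting from the set `held`.
    rules: asset -> list of requirement sets; any one fully held set grants the asset."""
    held = set(held)
    changed = True
    while changed:
        changed = False
        for asset, alternatives in rules.items():
            if asset not in held and any(req <= held for req in alternatives):
                held.add(asset)
                changed = True
    return held

def account_rules(second_factor_via):
    """Exchange login needs a password (known, or reset through the inbox) plus a 2FA code."""
    return {
        "email_inbox": [{"email_password"}],
        "can_set_password": [{"exchange_password"}, {"email_inbox"}],
        "can_pass_2fa": [{second_factor_via}],
        "exchange_account": [{"can_set_password", "can_pass_2fa"}],
    }

def minimal_compromise_sets(rules, target="exchange_account"):
    """Smallest sets of independent secrets that are enough to take over `target`."""
    found = []
    for size in range(1, len(SECRETS) + 1):
        for combo in combinations(SECRETS, size):
            held = set(combo)
            if any(f <= held for f in found):
                continue  # a smaller subset already suffices
            if target in reachable(rules, held):
                found.append(held)
    return [sorted(f) for f in found]

if __name__ == "__main__":
    for label, via in [("email code", "email_inbox"),
                       ("SMS code", "sim_control"),
                       ("hardware key", "hardware_key")]:
        print(f"{label:12} -> {minimal_compromise_sets(account_rules(via))}")
```

With emailed codes the only minimal set is the email password alone. SMS and a hardware key both require a second secret in this model; it does not capture how much easier a phone number is to take over than a physical key, which is the post's other point.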
NeuroticFish
October 04, 2021, 07:03:16 AM
 #11

Quote
The message they send in this way is more than clear, "even if you are hacked, the company will compensate you", which in some way encourages users to use their account as crypto storage.

While it's arguable how the users will get compensated, since in many cases it happens late or in the least favorable currency (I don't know if it's the case at Coinbase), indeed, people see they get compensated, people see that the withdrawal fees are big and then just keep their money there. Sad...

bryant.coleman
October 04, 2021, 07:41:50 AM
 #12

Quote
While it's arguable how the users will get compensated, since in many cases it happens late or in the least favorable currency (I don't know if it's the case at Coinbase), indeed, people see they get compensated, people see that the withdrawal fees are big and then just keep their money there. Sad...

I don't even think that Coinbase has the liability to compensate these users. The company can just argue that the hack resulted because the users relied on weak passwords which were used on multiple websites. And if I am not wrong, this goes against their T&C, which the user needs to agree upon before creating an account with Coinbase. The victims need to prove that there was a lapse on the part of Coinbase and the support didn't respond to the theft on time. Even if the court agrees with that, the entire process is going to take some time.
o_e_l_e_o
October 04, 2021, 08:16:36 AM
 #13

Quote
I don't even think that Coinbase has the liability to compensate these users. The company can just argue that the hack resulted because the users relied on weak passwords which were used on multiple websites.

It does not matter how secure or otherwise the user's password is, or indeed if they are using 2FA - if their account is hacked through no fault of Coinbase then they will not receive any compensation. Coinbase don't know if the user is using an unencrypted 2FA app on a phone without a password with their account username and password written on a post-it note and stuck to the back of the phone.

In this case, though, Coinbase admitted that at least part of the hack was their fault due to a vulnerability in their SMS system, which is why they are compensating users. In the vast majority of account hacks, the user would receive nothing in compensation.