Has my data been breached?

[Ultegra134]

I received the following text on my phone yesterday, which alarmed me. I have a Coinbase account but never actually use it, however, that's not the case. How the heck did I receive this message? My main concern isn't the Coinbase account, but the probability of having a data breach, which could potentially be used as a gateway to other accounts.

Could it be a random coincidence, is there a way to see my recent login locations on Coinbase?

[1715127590]

1715127590

[1715127590]

1715127590

[1715127590]

1715127590

[noorman0]

Never experienced it so far I've never used a phone number for the exchange access method. My presumptions:
- Your number is used by someone else to sign up to Coinbase.
- Someone else is trying to access your account with your phone number (if it's connected). To be sure, you just need to check your login session history.

You just need to be careful with your phone number, I read one hack story that phone numbers can be bypassed.

[DdmrDdmr]

<...>

Although what you received is an SMS and not an email, the following link provides information on how to check if anyone has manages to access your account (it will display failed attempts too apparently):
https://help.coinbase.com/en/coinbase/privacy-and-security/avoiding-phishing-and-scams/why-did-i-receive-an-unexpected-device-confirmation-email

This thread shows a case similar in nature to yours:
https://www.reddit.com/r/CoinBase/comments/qpy5qk/constant_text_verification_codes/

I’d start by checking the logs, and then perhaps contacting Coinbase to see if the SMS’s origin (number) is really theirs and so forth.

[TheNineClub]

Sure, it could be a random coincidence, nothing new with technology going apeshit. However, I think that maybe a breach didn't happen, but someone did try to breach it and a verification code was sent to your phone and they are out of luck. Maybe. I mean, the technology is getting better and better and data breachers have a lot more tools at their disposal nowadays, so I wouldn't be surprised. The best thing to do is to contact Coinbase customer service and let them guide you to the best solution on how to check this.

[vv181]

Another thing you can do is you can check whether your email has been leaked or not using https://haveibeenpwned.com/. Just to be safe, make sure you aren't using the same password across different websites.

I was also once got an unknown sign in attempt on my unused Coinbase account, even I know the IP and the device who trying to access my account, there's nothing I can do except to not reuse the same password and active 2FA on many other online accounts.

[cryptoaddictchie]

Sure, it could be a random coincidence, nothing new with technology going apeshit. However, I think that maybe a breach didn't happen, but someone did try to breach it and a verification code was sent to your phone and they are out of luck. Maybe. I mean, the technology is getting better and better and data breachers have a lot more tools at their disposal nowadays, so I wouldn't be surprised.

Or yet a random guessing? Not sure though the breacher possibly trying to check out whose active with those accounts that they have been pentrared and somehow get a way to do some malicious trick over the Internet and eventually used it and scam others.

Damn if this kind of hacking is quite advance means everyone is on danger.

[hugeblack]

There are many assumptions that are better than hacking. For example, when you visit any site and add your number with "Accept cookies," it will appear to them that you have logged in or registered in coinbase, and therefore they can use it to access your account and try to either guess the password or just someone typed the number wrong.

In short, avoid sharing your number on any social media or at least allocate two numbers (personal & public number) for it.

[OgNasty]

LOL.  "Don't share this code with anyone."  Puts code on the internet...

[sunsilk]

I've experienced that many times in the other websites that I've signed up with my old email. Not surprising that probably someone has merged and taken your email elsewhere that they've hacked and tried it to Coinbase and any other exchanges that you probably have registered.

Do you remember other websites where you've signed up that email you've used for that Coinbase account?

[dkbit98]

Could it be a random coincidence, is there a way to see my recent login locations on Coinbase?

Did you receive this message on your phone number as sms or on your email address?
Look for the source of sender (his number or email address) and contact Coinbase support.
This could mean that your information got leaked, and it doesn't have to be connected with your Coinbase account, maybe you purchased ledger hardware wallet or you got pwnd in some other way.

[Ultegra134]

Thank you for all your responses, I appreciate each and every one of you for spending time to reply here. Okay, now I have both good and bad news. Firstly, starting with the bad news, my first assumption was correct, it's pretty safe to say that I've been pwned and some data of mine have been breached (see attached photo).


The good news, however, is that it's by an old email address, which I rarely use now, but does indeed still feature some websites I still use (such as Bitcointalk, old Coinbase account, Blockchain.com wallets). It's safe to say, that I need to take some precautions, despite the associated email address being old.

[DdmrDdmr]

<…>

It’s quite likely that your email, old as it may be, has been involved in some data breach somewhere, possibly with an associated password, and that this data is being used to try to see if you’ve used the login/password on Coinbase. Those multiple attempts from different IPs might point to different users of the hypothesised data list, or different attempts with variations on the password (+ shifting IP). This is of course my speculation on the information shown on the log. Also the source for the failes attempts is API, which I figure is used on attack vectors often.

If you are unsure if you’ve actually reused passwords here and there, it’s best to change the credentials of those sites where you were using that email (perhaps best anyway), whether they have 2FA active or not.

[Ultegra134]

<…>

It’s quite likely that your email, old as it may be, has been involved in some data breach somewhere, possibly with an associated password, and that this data is being used to try to see if you’ve used the login/password on Coinbase. Those multiple attempts from different IPs might point to different users of the hypothesised data list, or different attempts with variations on the password (+ shifting IP). This is of course my speculation on the information shown on the log. Also the source for the failes attempts is API, which I figure is used on attack vectors often.

If you are unsure if you’ve actually reused passwords here and there, it’s best to change the credentials of those sites where you were using that email (perhaps best anyway), whether they have 2FA active or not.

Yeah, my childhood/teenage mistakes. It's one of the first emails I created and used daily for most of my signups. I submitted it on the website a previous poster mentioned, and it has been pwned multiple times, it's associated with more than 12-14 data leaks. I've changed my password since then, obviously. My guess is that they're trying to see if they can gain access to popular websites, especially those that are financial institutions.

[HCP]

Indeed, that SMS message is from someone attempting to login or reset your password etc.

So, it seems someone has got to your email/login details as they work through the data dumps from the many, many security breaches   They'll have scripts setup to test each one and see if they're still valid and/or work on other websites as well... Don't be too surprised if you start getting more "Password reset" links or other security warnings from various places.

[JeromeTash]

The good news, however, is that it's by an old email address, which I rarely use now, but does indeed still feature some websites I still use (such as Bitcointalk, old Coinbase account, Blockchain.com wallets). It's safe to say, that I need to take some precautions, despite the associated email address being old.

I have had my login data get leaked before due to a data breach on one of the forums. You might want to check all the old site you registered using the old email address and password. This includes other important sites/apps like Dropbox, Google Drive, Spotify accounts, Amazon or any other account that may be connected to your PayPal or credit card etc

That where most hackers look into apart from the crypto exchanges and web wallets

[Ultegra134]

The good news, however, is that it's by an old email address, which I rarely use now, but does indeed still feature some websites I still use (such as Bitcointalk, old Coinbase account, Blockchain.com wallets). It's safe to say, that I need to take some precautions, despite the associated email address being old.

I have had my login data get leaked before due to a data breach on one of the forums. You might want to check all the old site you registered using the old email address and password. This includes other important sites/apps like Dropbox, Google Drive, Spotify accounts, Amazon or any other account that may be connected to your PayPal or credit card etc

That where most hackers look into apart from the crypto exchanges and web wallets

I've changed most of them, at least the important ones, such as PayPal and Amazon, not sure if I've left anything useful there, except some email/shop subscriptions. The only one I haven't changed is Bitcointalk, because it firstly flags your account that the email has been changed, and secondly, because I've quite recently changed the password here, while I've also done it in the past, so there's no risk involved.

[tranthidung]

You can check your email

• Haveibeenpwned.com. Enter your email address and check if your email address is in a data breach
• [Guide] How to know if your email address was part of any data breach. If you don't know how to use that website, read this guide.

It does not directly show your Coinbase account was compromised because of your data was breached but if your email was breached, something bad would happen.

[Ultegra134]

You can check your email

• Haveibeenpwned.com. Enter your email address and check if your email address is in a data breach
• [Guide] How to know if your email address was part of any data breach. If you don't know how to use that website, read this guide.

It does not directly show your Coinbase account was compromised because of your data was breached but if your email was breached, something bad would happen.

Thank you for sharing this guide, never knew that such feature was actually provided by Google. It claims that I've got 12 compromised passwords, while a handful of reused passwords. Fortunately, the compromised ones weren't on any significant website, however, I'll need to start updating my passwords, just to be on the safe side.

[DdmrDdmr]

<…>

Since your data seems to have been pawned, it is prone to being used for all sorts of things (hacking, phishing, spamming, etc.), rather than just change passwords, it may pay off better to consider creating new emails and starting afresh, rethinking your email/credential strategy (i.e. how many emails to use and where + password manager + 2fa), and changing the credentials on the relevant sites.

I’ve gone through the above quite a few times, and although it’s cumbersome to change credentials on a wide range of sites, it’s something I try to do recurrently (done it with the phone number a few times too, although that has other implications).

[Ultegra134]

<…>

Since your data seems to have been pawned, it is prone to being used for all sorts of things (hacking, phishing, spamming, etc.), rather than just change passwords, it may pay off better to consider creating new emails and starting afresh, rethinking your email/credential strategy (i.e. how many emails to use and where + password manager + 2fa), and changing the credentials on the relevant sites.

I’ve gone through the above quite a few times, and although it’s cumbersome to change credentials on a wide range of sites, it’s something I try to do recurrently (done it with the phone number a few times too, although that has other implications).

That was the main reason I created a new email, quite a few years ago, and is now my main one. There are little accounts that I frequently use, associated with the old email, while I've proceeded and changed the password in most of them. It's just startled me to receive such a text message on my phone, I don't recall adding it back then, because I possibly had an older number. I must have added it a few months ago, in an attempt to retrieve my old Coinbase account, in case it had any funds deposited.

[Ultegra134]

Okay, this is getting rather annoying, second text I receive within a week, at approximately 6 am in the morning. Because I'm definitely bound to receive more of these texts, is there an actual way to permanently delete my account on Coinbase?

[DdmrDdmr]

<…>

I’m not sure I’m following the situation properly now. I figure you’ve got full control over the account, changed the password, but preserved de associated email.

One way to go would be to precisely change the email linked to the account, replacing it with a clean one that is not going to belong to any spam/hack lists around.

If you simply want to close the account, the procedure is described here:
https://help.coinbase.com/en/coinbase/managing-my-account/update-my-account/how-can-i-close-my-account

[Lucius]

@Ultegra134, recently there was one thread in which someone described exactly this method, and it is about hackers coming into possession of your login data, and all they need is 2FA code. In an attempt to deceive the user they do the following :

How do they do that? They send you a phishing text messages stating your account may have been compromised, and request that you text-reply the authorization code you are about to receive to confirm your identity. The bad guys then attempt a login to the target website using your username/password. That login triggers a text message to you containing the authentication code.

The bad guys now send another phishing text to your phone requesting that authentication code sent by the website. If you fall for this phishing attempt and text the authentication code back to the bad guys, they immediately enter that code, finalize the login for that target website and immediately change the password/security/phone numbers associated with that account. You are now locked out of your account and they have it for their use!

In addition to changing the e-mail and password on that exchange, you can also try to block the number from which these messages come from or turn off 2FA on the exchange.

[Ultegra134]

<…>

I’m not sure I’m following the situation properly now. I figure you’ve got full control over the account, changed the password, but preserved de associated email.

One way to go would be to precisely change the email linked to the account, replacing it with a clean one that is not going to belong to any spam/hack lists around.

If you simply want to close the account, the procedure is described here:
https://help.coinbase.com/en/coinbase/managing-my-account/update-my-account/how-can-i-close-my-account

Now that you're mentioning, I can't actually recall changing the password last time I logged in, I'm pretty sure I did a stupid, and actually forgot to change the password. However, I'm still going to proceed closing the account, since it's already associated with a compromised email address.

Thank you.

@Ultegra134, recently there was one thread in which someone described exactly this method, and it is about hackers coming into possession of your login data, and all they need is 2FA code. In an attempt to deceive the user they do the following :

How do they do that? They send you a phishing text messages stating your account may have been compromised, and request that you text-reply the authorization code you are about to receive to confirm your identity. The bad guys then attempt a login to the target website using your username/password. That login triggers a text message to you containing the authentication code.

The bad guys now send another phishing text to your phone requesting that authentication code sent by the website. If you fall for this phishing attempt and text the authentication code back to the bad guys, they immediately enter that code, finalize the login for that target website and immediately change the password/security/phone numbers associated with that account. You are now locked out of your account and they have it for their use!

In addition to changing the e-mail and password on that exchange, you can also try to block the number from which these messages come from or turn off 2FA on the exchange.

That's not exactly the case, this is actually an text from Coinbase, provided that I don't want to use Coinbase, I could potentially be okay by blocking the number.