Author Topic: Kucoin Twitter account hacked, $22k lost  (Read 234 times)
Rikafip (OP)
April 24, 2023, 05:38:54 AM
#1

As you can see from the screenshots below, Kucoin Twitter account got hacked last night and the attacker managed to get $22k from unsuspecting Kucoin followers. Luckily they regained the control after ~45 minutes so loss is not too big, but it's still an embarrassment, especially since they allegedly had 2FA enabled as well.



https://twitter.com/kucoincom/status/1650336619730436099?s=46&t=3zlK3OjWylVjTyH2vaBQHA

Oshosondy
April 24, 2023, 06:31:25 AM
#2

It is a shame, we know how followers can be scammed if such an account is hacked because their followers can believe what the hacker is tweeting and be lured.

But people should be very careful too, so people that have experience and know about this type of scam can easily suspect that the account has been hacked because the hackers can tweet that people should pay a certain amount of money to receive double, or ask for something that can result in money loss for you, which any Kucoin official will never ask.

It is a shame on Kucoin because the exchange failed to protect its official Twitter account, but also humans should have the experience to stop being greedy. As for me, I can not fall for this cheap scam, it is even not a new scam.

rat03gopoh
April 24, 2023, 11:03:59 AM
#3

Kucoin had to make unnecessary expenses due to the negligence of social media managers. The return allocation is quite large if it is used for visibility for several days.

Quote: It is a shame on Kucoin because the exchange failed to protect its official Twitter account, but also humans should have the experience to stop being greedy. As for me, I can not fall for this cheap scam, it is even not a new scam.
It is unexpected for followers that they will be scammed, after all Twitter is a medium which is quite actively used for legitimate giveaways.

Accardo
April 24, 2023, 02:16:03 PM
#4

Isn't it supposed to be an inside job, since they claim without any proofs that they had twitter 2fa enabled? Aside that, I don't think they had twitter 2FA enabled and they've just enabled it after the hack. Kucoin must have focused their security on the exchange and didn't bother much about their twitter account. Well according to this source the scammers also received 4 ETH in this address 0xd1cd69FCC79fC46B4BBe1AAF2a05F1f014F53965 added to the 22k USDT

Rikafip (OP)
April 24, 2023, 08:27:53 PM
#5

Quote: Isn't it supposed to be an inside job, since they claim without any proofs that they had twitter 2fa enabled?
If it was an inside job, then it was a pretty bad one. 22k is nothing compared to some bigger hacks and somehow I doubt that someone from Kucoin would risk so much for so little. By the way, how exactly could they prove that they had 2FA enabled? You either believe what they claim, or not.

Quote: Aside that, I don't think they had twitter 2FA enabled and they've just enabled it after the hack. Kucoin must have focused their security on the exchange and didn't bother much about their twitter account.
Contrary to popular belief 2FA is not impenetrable, especially if they used mobile phone number.

carlfebz2
April 24, 2023, 08:34:37 PM
#6

Quote: As you can see from the screenshots below, Kucoin Twitter account got hacked last night and the attacker managed to get $22k from unsuspecting Kucoin followers. Luckily they regained the control after ~45 minutes so loss is not too big, but it's still an embarrassment, especially since they allegedly had 2FA enabled as well.
Anything on this online world could really be hacked and this is why any tweets and words that came from known platforms or persons won't really be that 100% that you could trust up, but in just some personal opinion about how common sense does work on each individual then it would really be that impossible that you couldn't spot out that there's something wrong.

Quote: Isn't it supposed to be an inside job, since they claim without any proofs that they had twitter 2fa enabled? Aside that, I don't think they had twitter 2FA enabled and they've just enabled it after the hack. Kucoin must have focused their security on the exchange and didn't bother much about their twitter account. Well according to this source the scammers also received 4 ETH in this address 0xd1cd69FCC79fC46B4BBe1AAF2a05F1f014F53965 added to the 22k USDT
I have this kind of thought too, that this might be an inside job, or possibly considering that a Twitter account can't possibly be hacked that easily unless Twitter's security measures are shit, but that's not the case because there's no way that it could be bruteforced and of course they wouldn't really be that careless unless there's some inside job. Who knows, but it's mind boggling that it didn't last that long.  Cheesy

PX-Z
April 24, 2023, 11:29:19 PM
Last edit: April 24, 2023, 11:49:32 PM by PX-Z
#7

What a shame, but still kudos for reimbursing the users affected. I don't know how their handle was hacked, isn't 2fa required for every verified handle in twitter? How is it possible though to breach 2fa?

Quote: Contrary to popular belief 2FA is not impenetrable, especially if they used mobile phone number.
I guess SMS 2fa is not available on Twitter, I remember Elon doesn't like 2fa and kept tweeting it previously.

yhiaali3
April 25, 2023, 01:48:40 AM
#8

Hacks always happen, the good thing this time is that the losses are not very big because the account was restored after a short period, also that Kucoin will compensate the affected users.

Hacking the account with 2FA enabled is not impossible, but it also indicates the possibility that the perpetrator is one of Kucoin's employees, but there is no evidence of such a possibility.

The important thing from this lesson is that users learn not to trust suspicious statements, even if they are from the official account, because it may be hacked in such a case.

Potato Chips
April 25, 2023, 02:44:08 AM
#9

Quote: I don't know how their handle was hacked, isn't 2fa required for every verified handle in twitter? How is it possible though to breach 2fa?

Assuming it's not an inside job and the 2fa is not SMS, simplest way would be to launch a phishing attack to one of their twitter handlers. Even the strong password + TOTP combo would be rendered useless once an employee bites.

It's also possible the perps may just be mass sending phishing emails and SMS to leaked phone numbers/email and one of them happened to have access to kucoin's twitter account Cheesy

Rikafip (OP)
April 25, 2023, 07:20:22 AM
#10

Quote: I guess SMS 2fa is not available on Twitter, I remember Elon doesn't like 2fa and kept tweeting it previously.
As a matter of fact, 2FA via SMS is available on Twitter (they have two more: authentication app and security key) and since the SMS one is easiest to hack, my guess is that the attacker did exactly that. We can only guess though since I doubt Kucoin will release more info on how exactly they lost control over their Twitter account.

Quote: The important thing from this lesson is that users learn not to trust suspicious statements, even if they are from the official account, because it may be hacked in such a case.
To be honest, I am surprised that more people didn't fall for this scam attempt and that only $22k was lost. Rest assured, people didn't learn much (if anything) from this and if it happens again people will lose more money.

Smack That Ace
April 25, 2023, 09:39:24 AM
#11



Quote: Hacking the account with 2FA enabled is not impossible, but it also indicates the possibility that the perpetrator is one of Kucoin's employees, but there is no evidence of such a possibility.
I'm no tech expert, but hacking 2FA isn't easy. I am also very confused with this, even 2FA is easily broken, do we have a more secure solution for our accounts? I read this today, and I also suspect that the Kucoin staff did this and did not get hacked.
If hackers can attack 2FA-enabled accounts, why don't they choose Binance, Coinbase... the bigger exchanges, and even Elon's account. They only target smaller accounts, which makes me more suspicious this is done by company employees than hackers.

yhiaali3
April 25, 2023, 10:23:08 AM
#12

Quote: I'm no tech expert, but hacking 2FA isn't easy. I am also very confused with this, even 2FA is easily broken, do we have a more secure solution for our accounts? I read this today, and I also suspect that the Kucoin staff did this and did not get hacked. If hackers can attack 2FA-enabled accounts, why don't they choose Binance, Coinbase... the bigger exchanges, and even Elon's account. They only target smaller accounts, which makes me more suspicious this is done by company employees than hackers.
Hacking 2FA is hard but not impossible, but this varies depending on the service's conditions; some of them have a strict policy in this regard, but others unfortunately suffice with an email or SMS for the linked account.

Unfortunately for Twitter, after the Elon Musk takeover, there is a huge flaw in two-factor authentication because Elon Musk announced plans to prevent people from using SMS-based two-factor authentication to secure their accounts — unless they start paying for a Twitter Blue subscription.
Quote: Elon Musk's latest Twitter ownership bizarre move compromises the security of millions of accounts. On February 17, Twitter announced plans to block people from using SMS-based two-factor authentication to secure their accounts — unless they start paying for a Twitter Blue subscription. However, there are safer, free, and easier ways to continue protecting your Twitter account with two-factor authentication.
The full article can be read here:
How to Protect Yourself From Twitter’s 2FA Crackdown
https://www.wired.com/story/twitter-2fa-sms-alternatives-twitter-blue/

Rikafip (OP)
April 25, 2023, 11:07:19 AM
#13

Quote: I'm no tech expert, but hacking 2FA isn't easy. I am also very confused with this, even 2FA is easily broken, do we have a more secure solution for our accounts?
2FA is good enough as long as you don't use the SMS option.

Quote: If hackers can attack 2FA-enabled accounts, why don't they choose Binance, Coinbase... the bigger exchanges, and even Elon's account. They only target smaller accounts, which makes me more suspicious this is done by company employees than hackers.
And who says that they are not trying? It's one thing to try to hack 2FA and an entirely different thing to actually succeed in it, and the bigger the account, (presumably) the better the protection. Btw, Kucoin Twitter account is far from small.

Quote: Unfortunately for Twitter, after the Elon Musk takeover, there is a huge flaw in two-factor authentication because Elon Musk announced plans to prevent people from using SMS-based two-factor authentication to secure their accounts — unless they start paying for a Twitter Blue subscription.
It's a douchebag move for sure, but Elon is inadvertently doing them a favor by making them move from the SMS based one since it's the least secure form of 2FA.


TopTort777
April 25, 2023, 12:10:52 PM
#14

So how exactly have people lost those 22k? With the famous "Elon Musk donation" scam, that was and still is popular on YouTube? It is unbelievable how people still got caught by that. Of course that is due to greed, but KuCoin and Twitter are also responsible for letting that happen.

Since people pay more than a thousand bucks per month for that golden twitter mark, I believe that twitter should take part of the responsibility for such lame security options. Otherwise the Twitter service does not look to be worth so much to be paid.

Dr.Bitcoin_Strange
April 25, 2023, 05:50:42 PM
#15

At least it's good that they gained access back on time; the $22k loss is huge too, but it would have been worse had it extended to $$ billion, which may have even resulted in their exchange collapse. Mostly, these reasons are why Bitcoiners are advised not to keep their assets on CEX unless active traders, like future traders.

Quote: 2FA is good enough as long as you don't use SMS option

So practically, Google 2FA is the best? Or one can even enable the three types of 2FA if possible, such as SMS, email, and Google 2FA?

tabas
April 25, 2023, 06:16:39 PM
#16

This made me remember the hack that has also affected a lot of Twitter users that have followed the advice of those known personalities to deposit into a certain address and that was made by just a young one. Although for some standards, 45 minutes of getting back the account was still a nice gesture and refunding all of those verified funds that have been sent by the victims is the best that they can do. These hackers may soon not gonna target users directly but these huge accounts from official exchanges or personalities which is gonna make everyone gullible since they're known.

Quote: 2FA is good enough as long as you don't use SMS option
Quote: So practically, Google 2FA is the best? or one can even enable the three types of 2FA if possible, such as SMS, email, and Google 2FA?
Others are using Authy and yes, SMS and email can easily be accessed by hackers once your data has been breached. There's this known sim-swap attack that does the thing.

dkbit98
April 25, 2023, 08:54:34 PM
#17

Quote: As you can see from the screenshots below, Kucoin Twitter account got hacked last night and the attacker managed to get $22k from unsuspecting Kucoin followers. Luckily they regained the control after ~45 minutes so loss is not too big, but it's still an embarrassment, especially since they allegedly had 2FA enabled as well.
Well they have ''blue checkmark'' sign of ''trust'' and because of that brainwashed people are going to send money to scammers without thinking, because thinking is luxury and it's hard  Tongue
It was stupid mistake by Kucoin admins, but I wouldn't say 22k is small amount for 45 minutes of control, imagine the damage they would do if they had 24 hours or more control...

Potato Chips
April 25, 2023, 11:57:18 PM
#18

Quote: So practically, Google 2FA is the best? or one can even enable the three types of 2FA if possible, such as SMS, email, and Google 2FA?

Compared to SMS and email, TOTP/auth app is way better; however, I suggest Aegis rather than Google Auth. It offers encryption, easier import/export function and is less likely to be neglected by devs, see: https://getaegis.app/

Looks like you can enable more than one 2fa but I suggest not connecting any phone number in your account since it could be used to reset your password. It wouldn't be advisable to be careless about our passwords just because we have 2fa. I also suggest using an email provider where you can pair your account with TOTP.

Rikafip (OP)
April 26, 2023, 07:26:32 AM
#19

Quote: Well they have ''blue checkmark'' sign of ''trust'' and because of that brainwashed people are going to send money to scammers without thinking, because thinking is luxury and it's hard  Tongue
To be more precise, Kucoin twitter account has that golden/yellow mark that is reserved for businesses, but even without that mark people would still send the money as it's posted from the official Kucoin account. But yeah, thinking is hard.  Roll Eyes

Quote: It was stupid mistake by Kucoin admins, but I wouldn't say 22k is small amount for 45 minutes of control, imagine the damage they would do if they had 24 hours or more control...
Dunno, considering how big and popular Kucoin is I think that they should be lucky that only 22k was lost. They said that they will reimburse the loss so let's hope they actually do that.

joniboini
April 26, 2023, 12:46:25 PM
#20

Quote: So how exactly have people lost those 22k? With the famous "Elon Musk donation" scam, that was and still is popular on YouTube? It is unbelievable how people still got caught by that. Of course that is due to greed, but KuCoin and Twitter are also responsible for letting that happen.
According to some news, when the hacker was in control of the Kucoin account they tweeted some phishing websites. So it is safe to assume some users assumed it was a legit one, connected their hot wallet to it, and then they lost their funds. I can't verify it myself, but there have been many similar phishing scams in the past, so it is not unlikely. People should've learned by now to never connect their account/wallet to some shady website even if it was posted by a famous account.
