Don’t blame Coinbase for huge social engineering hack, says Coinbase

Coinbase has disclosed a sweeping social engineering attack that compromised 6,000 accounts — but it says it's not to blame.

Hackers attempted to steal cryptocurrency from around 6,000 Coinbase accounts using a social engineering campaign waged in the first half of 2021.

Coinbase — touted as the top US crypto exchange — recently notified users to make them aware of the situation, according to Techspot.

Hackers leveraged Coinbase’s own security protocols to skirt the exchange’s multi-factor authentication procedure and steal crypto from customer accounts.

  • The attacks took place between the beginning of March and May 20.
  • Hackers acquired a two-factor authentication token via a phishing campaign directed at Coinbase employees.
  • Coinbase said it has started to refund affected users.

Hackers took advantage of a “flaw” in Coinbase’s SMS Account Recovery process that handed them a two-factor authentication token via text message.

This in turn gave the culprits access to thousands of Coinbase accounts — and their crypto. No word yet on the amount of funds lost to the scheme.

Coinbase, famous for its poor customer service, set up a hotline for clients who had their accounts drained.

Coinbase says it didn’t give up the info

Social engineering attacks directed at large companies often gain access to protected information by tricking employees into believing they have been contacted by a senior staff member.

As in the Coinbase case, the bad actors then use that information to access password-protected user accounts.

In a letter, Coinbase told affected users: “While we are not able to determine conclusively how these third parties gained access to this information, this type of campaign typically involves phishing attacks or other social engineering techniques to trick a victim into unknowingly disclosing login credentials to a bad actor.

“We have not found any evidence that these third parties obtained this information from Coinbase itself,” added the Delaware-headquartered exchange.

Read more: [Coinbase hit with another class action — this time over locked accounts]

According to Coinbase, the hackers must’ve had “prior knowledge of the email address, password, and phone number associated with an account.” They also needed access to a personal email inbox.

The same letter advised users of ways to secure their accounts, including hardware authentication and authentication apps.

Social engineering, so hot right now

Coinbase aside, some of the largest internet giants have fallen victim to social engineering attacks.

In July 2020, a fresh-faced team of teen hackers directed a similar social engineering campaign toward Twitter.

They phished their way into Twitter’s back-end systems, gaining control of around 130 verified accounts tied to celebrities including Jeff Bezos, Kanye West, and Barack Obama, as well as prominent companies like Apple.

The hackers appeared to have used the followings of the hijacked accounts to swindle hundreds of Twitter users out of more than $100,000 in Bitcoin with a giveaway scam.

Read more: [Bitcoin.org hackers peddled BTC giveaway scam similar to Twitter heist]

So far, authorities have detained four of the Twitter hackers. The scam mastermind will serve time in juvie.

Crypto phishers have used false Ledger wallets to trick unwitting investors into sending their crypto straight to addresses controlled by bad actors.

© 2021 Protos