Cryptocurrency giant Coinbase revealed that “at least 6,000 Coinbase customers had funds removed from their accounts” as a result of a recent phishing campaign that saw hackers get around an SMS-based authentication feature the company used to secure many accounts.
News of the phishing campaign was first reported in August, but the scope of it only became clear after a letter the company sent to affected customers began to circulate.
In the letter, Coinbase says hackers gained access to victims’ email accounts, and then used those compromised accounts to drain those users’ cryptocurrency. Even though Coinbase requires a widely used security feature called “two-factor authentication,” the SMS version of this—in which users receive a text message to confirm a transaction—broke down.
“However, in this incident, for customers who use SMS texts for two-factor authentication, the third party took advantage of a flaw in Coinbase’s SMS Account Recovery process in order to receive an SMS two-factor authentication token and gain access to your account,” says the letter.
Coinbase also says it will reimburse those who lost funds as a result of the phishing attack, and that it has already begun to make customers whole. The company did not disclose the total amount the hackers stole.
The incident did not amount, as some have reported, to Coinbase getting hacked, since the hackers do not appear to have breached the company’s internal systems. Instead, the robberies came about because customers fell for phishing attacks aimed at their personal email—an extremely common occurrence.
It’s unclear, though, why Coinbase took so long to acknowledge the incidents, which took place over a period from March to May. While the company published a blog post earlier this week describing a sophisticated phishing campaign, it did not disclose that hackers had used it to successfully rob thousands of customers. Nor does Coinbase appear to have done anything to warn its customer base at the time the attacks were underway, or even in the following months.
According to a Coinbase spokesperson, the company did not want to interfere with law enforcement agencies investigating the incident.
“Because of the size, scope and sophistication of the campaign we have been working with a range of partners, law enforcement agencies and other stakeholders to understand the attack and develop mitigation techniques. We didn’t feel comfortable disclosing the attack publicly until the correct steps were taken to ensure that it couldn’t be repeated successfully, and would not compromise the integrity of law enforcement investigations,” said the spokesperson.
The attacks appear to have been global in nature, as the Coinbase letter says it will provide credit monitoring services in “your country of residence.”
Coinbase also urged customers to switch to a more secure form of two-factor authentication such as an external hardware device or an authenticator app.