Coinbase is sending breach notification letters to thousands of users after it discovered a "third-party campaign to gain unauthorized access to the accounts of Coinbase customers and move customer funds off the Coinbase platform."
First reported by Bleeping Computer, the letters say at least 6,000 Coinbase customers had funds removed from their accounts.
"In order to access your Coinbase account, these third parties first needed prior knowledge of the email address, password, and phone number associated with your Coinbase account, as well as access to your personal email inbox. While we are not able to determine conclusively how these third parties gained access to this information, this type of campaign typically involves phishing attacks or other social engineering techniques to trick a victim into unknowingly disclosing login credentials to a bad actor," Coinbase told affected customers in the letter.
"We have not found any evidence that these third parties obtained this information from Coinbase itself. Even with the information described above, additional authentication is required in order to access your Coinbase account. However, in this incident, for customers who use SMS texts for two-factor authentication, the third party took advantage of a flaw in Coinbase's SMS Account Recovery process in order to receive an SMS two-factor authentication token and gain access to your account. Once in your account, the third party was able to transfer your funds to crypto wallets unassociated with Coinbase."
Coinbase has faced significant backlash and criticism since a groundbreaking report from CNBC this summer found that thousands of people had suffered from similar account takeovers and saw money vanish from their accounts.
When those customers contacted Coinbase for help, they were either ignored or met with flippant responses that it was not the company's fault they had lost money. For some time Coinbase had no customer service at all.
One couple, Mindaugas and Loreta from Horsham, Sussex, UK, lost more than $20,000 in a Coinbase phishing scam. The two said scammers pretended to work for Binance and Coinbase before breaking into the couple's account and transferring their cryptocurrency to a private wallet.
The couple contacted researchers with CyberNews for help after their attempts to get help from Coinbase were ignored.
"At first, we thought it might be some kind of mistake or a glitch. But since their knowledge base had no option that covered any bugs or glitches, we decided to inform Coinbase that my husband's account has been compromised. But all we got back was a password reset request," Loreta said.
The scammers doubled down on the attack, sending them a password reset for the Binance platform, where the couple also had purchased cryptocurrency. The scammer called the couple to gain their account information for Binance.
"He said 'We see that you have an account at Binance and since Coinbase and Binance are sister companies…' And that's when I saw he was trying to dupe us. Next thing I hear, he's telling us to prove our identity either by transferring £5,000 from our Binance account to Coinbase or by giving them our Binance authentication code so that they can transfer the missing £15,000 to my husband's Binance account," Loreta said, noting that after this incident they called the police.
"We're still waiting for an answer. And since 'only' £15,000 was stolen, we're not very hopeful that the police will do anything about it. Right now, all we hope for is that Coinbase takes a hard look at their security procedures and improves them so that situations like ours don't happen to others."
Edvardas Mikalauskas, the senior researcher at CyberNews, told ZDNet that in investigating the couple's case, they found that the cryptocurrency had been laundered through a series of wallets, making it impossible to trace where the funds went.
Mikalauskas said hundreds, if not thousands, of cases like Mindaugas' occur every day and noted that while crypto wallets are unlikely to have the same robust security procedures as a bank, Coinbase could introduce better suspicious or malicious behavior detection techniques and more robust measures to protect user accounts.
"For example, banks commonly use AI to spot malicious behavior and automatically block transactions that look suspicious, then contact the customer for verification. These threat detection techniques should then be supplemented with better customer support relating to account breaches and takeovers, to help customers deal with the issues that result from a scam," Mikalauskas said.
"I wish Coinbase had a protection system in place to refund the lost crypto."
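The kind of transaction monitoring Mikalauskas describes can be illustrated with a small risk-scoring rule set. The following is an added example written for this article, not code from Coinbase, CyberNews or ZDNet; the events, IP addresses, wallet labels and thresholds are all constructed, and the signals it scores (an SMS account recovery shortly before a withdrawal, a never-seen destination wallet, a never-seen IP, a transfer that drains most of the balance) are the ones the incident as reported would have exhibited. One design point worth noting: history created inside the recovery window is not treated as trusted, so an IP or wallet first seen during the recovery itself cannot "vouch" for the withdrawal that follows it.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# All data below is constructed for illustration; nothing here is from the article.


@dataclass
class AccountEvent:
    account: str
    kind: str               # "login", "sms_recovery" or "withdrawal"
    ts: datetime
    ip: str
    dest_wallet: str = ""   # withdrawals only
    amount_usd: float = 0.0
    balance_usd: float = 0.0  # balance before the withdrawal


RECOVERY_WINDOW = timedelta(hours=24)  # assumed window for "recent" recovery
LARGE_SHARE = 0.5                      # assumed threshold for "drains balance"


def assess_withdrawal(events, w):
    """Score withdrawal w against the account's prior events.

    Returns (score, reasons). Higher scores mean more suspicious.
    """
    prior = [e for e in events if e.account == w.account and e.ts < w.ts]
    # Only history older than the recovery window counts as "established":
    # an IP or wallet that first appeared during a recovery must not be trusted.
    established = [e for e in prior if w.ts - e.ts > RECOVERY_WINDOW]
    known_ips = {e.ip for e in established}
    known_wallets = {e.dest_wallet for e in established if e.kind == "withdrawal"}

    score, reasons = 0, []
    if any(e.kind == "sms_recovery" and w.ts - e.ts <= RECOVERY_WINDOW for e in prior):
        score += 3
        reasons.append("recent_sms_recovery")
    if w.dest_wallet not in known_wallets:
        score += 2
        reasons.append("new_destination_wallet")
    if w.ip not in known_ips:
        score += 2
        reasons.append("new_ip")
    if w.balance_usd > 0 and w.amount_usd / w.balance_usd >= LARGE_SHARE:
        score += 2
        reasons.append("drains_balance")
    return score, reasons


def decide(score):
    """Map a risk score to an action: let it through, ask for step-up auth, or hold."""
    if score >= 5:
        return "hold_and_verify"   # block and contact the customer out of band
    if score >= 3:
        return "step_up_auth"      # require an additional factor before release
    return "allow"


def run_demo():
    """Replay a constructed timeline and return the decision for each withdrawal."""
    d = datetime
    a = "acct-1"
    events = [
        AccountEvent(a, "login", d(2021, 9, 1, 8), "10.0.0.1"),
        AccountEvent(a, "login", d(2021, 9, 10, 8), "10.0.0.1"),
        AccountEvent(a, "withdrawal", d(2021, 9, 15, 9), "10.0.0.1", "wallet-W1", 500.0, 20000.0),
        AccountEvent(a, "login", d(2021, 9, 20, 8), "10.0.0.1"),
        # routine withdrawal from the usual IP to a previously used wallet
        AccountEvent(a, "withdrawal", d(2021, 9, 25, 9), "10.0.0.1", "wallet-W1", 500.0, 20000.0),
        # account recovery from an unfamiliar IP, then a near-total transfer
        AccountEvent(a, "sms_recovery", d(2021, 9, 28, 9, 0), "203.0.113.5"),
        AccountEvent(a, "withdrawal", d(2021, 9, 28, 9, 30), "203.0.113.5", "wallet-W9", 19500.0, 20000.0),
    ]
    results = []
    for w in events:
        if w.kind != "withdrawal" or w.ts < d(2021, 9, 25):
            continue
        score, reasons = assess_withdrawal(events, w)
        results.append((decide(score), reasons))
    return results


if __name__ == "__main__":
    for decision, reasons in run_demo():
        print(decision, reasons)
```

The routine withdrawal scores zero and is allowed; the withdrawal half an hour after the recovery event trips all four signals and is held for out-of-band verification, which is the point at which a support process of the kind the article criticizes would have had to step in.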
In its breach notification letters, Coinbase said it has updated its SMS Account Recovery protocols so that the authentication process cannot be bypassed.
For the 6,000 US victims referenced in the letter, Coinbase said it would be depositing funds into their accounts equal to the value of the currency removed from their account at the time of the incident.
"Some customers have already been reimbursed -- we will ensure all customers affected receive the full value of what you lost. You should see this reflected in your account no later than today," Coinbase said.
But in addition to the cryptocurrency that was stolen, Coinbase said the cybercriminals who accessed the accounts also saw personal information like names, email addresses, home addresses, dates of birth, IP addresses for account activity, transaction history, account holdings and balances.
Some accounts may have had information changed as well, Coinbase admitted.
Coinbase has set up a phone support line at 1 (844) 613-1499 for those who have questions, and will provide free credit monitoring, for an undisclosed period, to those affected.
Coinbase noted that it is still investigating the incident and is speaking with law enforcement about the issue.