Coinbase's flawed SMS account recovery let attackers bypass MFA

Cryptocurrency exchange Coinbase was hit by an attack campaign in which roughly 6,000 customer accounts were compromised by bypassing the platform's SMS-based two-factor authentication.

Coinbase informed thousands of its users that the company detected a “third-party campaign to gain unauthorized access to the accounts of Coinbase customers and move customer funds off the Coinbase platform.”

On Friday, BleepingComputer reported that Coinbase had disclosed that a threat actor stole cryptocurrency from about 6,000 customers. The attacker gained access to the accounts by exploiting a flaw in the platform's SMS account recovery process to bypass its multi-factor authentication (MFA).

As the world's second most used cryptocurrency exchange platform, Coinbase serves around 68 million users globally.

“In order to access your Coinbase account, these third parties first needed prior knowledge of the email address, password, and phone number associated with your Coinbase account, as well as access to your personal email inbox. While we are not able to determine conclusively how these third parties gained access to this information, this type of campaign typically involves phishing attacks or other social engineering techniques to trick a victim into unknowingly disclosing login credentials to a bad actor,” Coinbase informed involved customers in a letter. 

“We have not found any evidence that these third parties obtained this information from Coinbase itself. Even with the information described above, additional authentication is required in order to access your Coinbase account. However, in this incident, for customers who use SMS texts for two-factor authentication, the third party took advantage of a flaw in Coinbase’s SMS Account Recovery process in order to receive an SMS two-factor authentication token and gain access to your account. Once in your account, the third party was able to transfer your funds to crypto wallets unassociated with Coinbase,” the letter added. 

After discovering the attack, Coinbase said it updated its "SMS Account Recovery protocols" to close the flaw and prevent this bypass of its multi-factor authentication.

Coinbase acknowledged the flaw, which let the attackers into accounts that customers believed were protected by 2FA, and said it has reimbursed affected customers by depositing funds equal to the amount stolen into their accounts.

Once inside an account, the attacker had access to the customer's personal data, including full name, email address, home address, date of birth, IP addresses associated with account activity, transaction history, account holdings, and balances.

Coinbase recommends that all customers, whether or not they were affected by this attack, use a strong password. Its updated security guidance also urges customers to move from SMS to a stronger form of MFA to protect their accounts, such as a hardware security key or an authenticator app.