
Thousands of Coinbase Users Robbed After Hackers Exploit MFA Bug


At least six thousand Coinbase users had their cryptocurrency stolen out of their digital wallets after threat actors managed to trick the multi-factor authentication system used by the platform.

Coinbase sent a formal notification to all affected customers. The official document was also filed with the Attorney General's office in the state of California, ThreatPost reported. According to the filing, the incident took place sometime in the spring of 2021.

The loophole that the bad actors exploited was in Coinbase's multi-factor authentication implementation. The hackers abused a bug in the process legitimate users follow to recover their accounts and captured multi-factor authentication tokens, which let them break into accounts and move cryptocurrency out of the victims' wallets into accounts and wallets that are not connected to Coinbase.

The thing is, in order to be able to capture the authentication tokens, the crooks first needed some way to obtain additional information about the victims, including their emails, phone numbers and passwords.

According to Coinbase, the hackers did not obtain those bits of personal information through a breach of the platform's security. While Coinbase isn't sure how exactly it happened, it believes its systems and security are not to blame. This leaves the possibility of phishing, which Coinbase also suggested as a possible option.

This does not sound too unlikely, as attempts to phish Coinbase users have been ramping up throughout 2021. The platform reported what it calls a "significant uptick" in phishing targeting Coinbase users. According to the cryptocurrency exchange, those phishing campaigns seem to be well-tailored and good at evading automated defenses too.

ThreatPost further elaborated that while the hackers could have used a number of ways to snatch the personal details of the victims in this latest instance of theft, they still abused a flaw in the SMS MFA recovery process used by Coinbase. The platform's official recommendation is to use a dedicated temporary password app.
