Coinbase released a breach notification letter this week saying that at least 6,000 user accounts fell victim to hackers. The exchange stated that the breach took place between March and May of this year.
What We Know
The letter notes that unauthorized third parties exploited Coinbase’s SMS account recovery process and transferred user funds to accounts outside of Coinbase. However, the company added that in order to do so, those third parties needed to have email addresses, passwords and phone numbers – as well as email access.
Coinbase believes that users had this information exposed through a phishing attack, or some sort of equivalent, and that there was no evidence to support that the information was taken directly from Coinbase. The exchange states that account recovery protocols around SMS were updated after Coinbase discovered the issue.
The letter closes by stating that some accounts have already been reimbursed and that all accounts would be fully compensated equal to any losses incurred. The letter was also posted on the California Attorney General website.
While the amount of hacked crypto has not been disclosed, Coinbase’s immediacy in restoring user funds is reassuring, but it comes at a time when a number of stories about hacks and vulnerabilities have been hitting the headlines.
In recent days, Compound Finance issued a governance rule that had a small piece of faulty code that resulted in inappropriate token distribution, putting over $80M worth of COMP tokens at risk. Just a few days prior, DeFi protocol pNetwork lost over $12M to hackers.
It’s also not the first sticky situation for Coinbase recently, either. Last week, pressure from the Securities and Exchange Commission (SEC) was enough to totally sideline the company’s anticipated interest-generating product, Lend. That came just a few weeks after a blog post and corresponding long-winded tweet thread from Coinbase CEO Brian Armstrong, expressing frustration in communications with the SEC, and describing the agency as “sketchy.”
Additionally, the major crypto exchange has faced challenges with the impacts of potential infrastructure legislation and USDC drama in recent months.
Crypto’s safety and security have substantially improved over time, but that doesn’t mean that no one is vulnerable. Always use two-factor authentication, ideally via an authenticator, never share your seed phrase, use platforms that you trust, and be on the lookout for suspicious emails that may be trying to phish you.