Malicious actors reportedly took advantage of Coinbase’s SMS account recovery process to gain access to user funds.
Cryptocurrency exchange Coinbase has reportedly suffered another security breach after attackers were able to bypass the company’s multi-factor authentication, or MFA, feature in a coordinated campaign earlier this year.
The attackers stole cryptocurrency from 6,000 accounts, though the monetary value of the theft wasn’t disclosed, according to a report from BleepingComputer. Earlier this week, Coinbase reportedly notified affected customers that the theft occurred between March and May.
To gain access to the accounts, the attackers must have known the affected users’ email address, password and phone number. It’s not clear how the attackers obtained this information, though phishing scams targeting exchange users are not uncommon. However, Coinbase did identify a vulnerability in the account recovery process that the attackers exploited to gain access to the accounts:
“In this incident, for customers who use SMS texts for two-factor authentication, the third party took advantage of a flaw in Coinbase’s SMS Account Recovery process in order to receive an SMS two-factor authentication token and gain access to your account.”
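The pattern described above, where an attacker who already holds the victim's email, password and phone number triggers SMS account recovery and then logs in and drains the account, is the kind of sequence a defender can correlate in authentication logs. The following is an added detection example, not code from the article or from Coinbase; the event names, log layout and per-account "known IP" list are assumptions, and the sample events are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real Coinbase data).
# Each record: (ISO timestamp, account, event type, source IP).
EVENTS = [
    ("2021-04-02T10:00:00", "alice", "login_success", "203.0.113.5"),
    ("2021-04-02T10:05:00", "alice", "withdrawal", "203.0.113.5"),
    ("2021-04-03T22:10:00", "bob", "sms_recovery_requested", "198.51.100.7"),
    ("2021-04-03T22:12:00", "bob", "login_success", "198.51.100.7"),
    ("2021-04-03T22:15:00", "bob", "withdrawal", "198.51.100.7"),
    ("2021-04-04T09:00:00", "carol", "sms_recovery_requested", "203.0.113.9"),
    ("2021-04-05T09:30:00", "carol", "login_success", "203.0.113.9"),
]

# Assumed baseline: IPs previously seen for each account (constructed).
KNOWN_IPS = {
    "alice": {"203.0.113.5"},
    "bob": {"192.0.2.10"},
    "carol": {"203.0.113.9"},
}


def find_suspicious_recoveries(events, known_ips, window=timedelta(hours=1)):
    """Flag accounts where an SMS recovery request from an IP never seen for
    that account is followed within `window` by a successful login and then a
    withdrawal. Returns one alert dict per matching recovery request."""
    parsed = sorted(
        (datetime.fromisoformat(ts), acct, ev, ip) for ts, acct, ev, ip in events
    )
    alerts = []
    for i, (ts, acct, ev, ip) in enumerate(parsed):
        # Only recovery requests from an unfamiliar source start a candidate chain.
        if ev != "sms_recovery_requested" or ip in known_ips.get(acct, set()):
            continue
        seen_login = False
        for ts2, acct2, ev2, ip2 in parsed[i + 1:]:
            if acct2 != acct:
                continue
            if ts2 - ts > window:
                break  # events are time-sorted, so nothing later can match
            if ev2 == "login_success":
                seen_login = True
            elif ev2 == "withdrawal" and seen_login:
                alerts.append({
                    "account": acct,
                    "recovery_at": ts.isoformat(),
                    "recovery_ip": ip,
                    "withdrawal_at": ts2.isoformat(),
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_recoveries(EVENTS, KNOWN_IPS):
        print(alert)
```

In the constructed data only "bob" is flagged: the recovery request comes from an IP not in the account's baseline and is followed by a login and a withdrawal within the hour. "carol" also uses recovery, but from a familiar IP with no withdrawal in the window, so the rule stays quiet; tuning the window and the baseline is what keeps this usable at exchange scale.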
Coinbase, which operates one of the largest crypto exchanges in the world, has received scathing criticism for its poor customer service. As Cointelegraph reported, customers whose accounts were reportedly hacked and drained of funds were unable to access support staff, leading to thousands of complaints against the company.
Coinbase’s initial public offering debuted at $86 billion in April, but the company has been unable to scale its customer service department adequately. In August, the company announced a new support line for customers who believe their account has been compromised.