Coinbase is sending out breach notification letters to thousands of users after it discovered a "third-party campaign to gain unauthorized access to the accounts of Coinbase customers and move customer funds off the Coinbase platform."
First reported by Bleeping Computer, the letters say at least 6,000 Coinbase customers had funds removed from their accounts.
"In order to access your Coinbase account, these third parties first needed prior knowledge of the email address, password, and phone number associated with your Coinbase account, as well as access to your personal email inbox. While we are not able to determine conclusively how these third parties gained access to this information, this type of campaign typically involves phishing attacks or other social engineering techniques to trick a victim into unknowingly disclosing login credentials to a bad actor," Coinbase told affected customers in the letter.
"We have not found any evidence that these third parties obtained this information from Coinbase itself. Even with the information described above, additional authentication is required in order to access your Coinbase account. However, in this incident, for customers who use SMS texts for two-factor authentication, the third party took advantage of a flaw in Coinbase's SMS Account Recovery process in order to receive an SMS two-factor authentication token and gain access to your account. Once in your account, the third party was able to transfer your funds to crypto wallets unassociated with Coinbase."
Coinbase has faced significant backlash and criticism since a groundbreaking report from CNBC this summer found that thousands of people had suffered from similar account takeovers and saw money vanish from their accounts.
When they contacted Coinbase for help, they were either ignored or hit with flippant responses that it was not the company's fault they lost money. For some time Coinbase had no customer service at all.
One couple, Mindaugas and Loreta from Horsham, Sussex, UK, lost more than $20,000 in a Coinbase phishing scam. The two said scammers pretended to work for Binance and Coinbase before breaking into the couple's account and transferring their cryptocurrency to a private wallet.
The couple contacted researchers with CyberNews for help after their attempts to get help from Coinbase were ignored.
"At first, we thought it might be some kind of mistake or a glitch. But since their knowledge base had no option that covered any bugs or glitches, we decided to inform Coinbase that my husband's account has been compromised. But all we got back was a password reset request," Loreta said.
The scammers doubled down on the attack, sending them a password reset for the Binance platform, where the couple also had purchased cryptocurrency. The scammer called the couple to gain their account information for Binance.
"He said 'We see that you have an account at Binance and since Coinbase and Binance are sister companies...' And that's when I saw he was trying to dupe us. Next thing I hear, he's telling us to prove our identity either by transferring