Coinbase reported that it was the victim of a complex hack that saw cryptocurrency stolen from the wallets of some 6,000 customers. The hack exploited a vulnerability in the company’s multi-factor authentication feature.
Affected customers will be reimbursed, and Coinbase says it has patched the vulnerability that allowed for the hack.
Good and bad — The good news is that Coinbase says all affected customers should be reimbursed within a day. The bad news is that in order for the hack to work, the threat actors needed to already know a user’s email address, password, and the phone number associated with the account, and have access to the victim’s email account. So anybody who lost their funds will need to update a lot of information to secure their other online accounts.
Coinbase believes that the hackers acquired all of this sensitive information through a phishing attack, essentially fake emails and webpages that trick users into providing their login credentials. Still, it is concerning that the hackers were also able to identify a vulnerability in Coinbase’s security. Multi-factor authentication is thought of as the gold standard: someone might have your login credentials, but they still cannot access your account unless they have access to your phone to receive a one-time code. Apparently the hackers, in this case, found a way to receive the code themselves.
Custodial wallet — At least customers will be refunded. That’s one of the benefits of using a “custodial wallet” to store your cryptocurrency, rather than leaving it on a USB drive or other self-serviced option. A company like Coinbase has insurance that protects against cybersecurity breaches — though it’s not as good as government-backed FDIC insurance, which doesn’t cover cryptocurrency.
Attacks on cryptocurrency exchanges are likely to increase as the value of the digital currencies continues to balloon. That means you need to be extra careful responding to any emails that claim to come from an exchange like Coinbase but might not actually be from it. Coinbase might be able to refund customers in this instance, but in general, cryptocurrencies are less protected because the U.S. government doesn’t recognize them as legitimate.