Hackers stole cryptocurrencies from at least 6,000 customers of the Nasdaq-listed digital asset exchange Coinbase by exploiting a flaw in its two-factor authentication system.
The news, first reported by Bleeping Computer, comes just a week after the company had to abandon plans to launch a new lending product under threat of legal action from U.S. securities regulators.
According to a letter sent to the clients concerned, which was uploaded to the California Attorney General’s website and dated Friday, the victims were targeted between March and May this year.
The attackers had to know in advance the e-mail addresses, passwords and telephone numbers of the users, and also had to have access to their e-mail inboxes.
Coinbase said it could not determine how this happened, but that it was probably the result of phishing attacks or ‘social engineering’ techniques that tricked users into disclosing their credentials.
It said it had found no evidence that this information was obtained from the exchange itself and that attackers had not breached its security infrastructure.
A flaw in the account recovery process for Coinbase’s SMS-based two-factor authentication meant that accounts using the service were vulnerable to attackers who could redirect verification messages to themselves rather than to the victims.
In addition to accessing funds, attackers were able to access information, including home addresses, full names and transaction history.
Coinbase said it fixed the bug immediately, but did not disclose when it discovered the vulnerability or the hacking campaign.
“Due to the scale, scope and sophistication of the campaign, we are working with a variety of partners, law enforcement agencies and other stakeholders to understand the attack and develop mitigation techniques,” the company said.
“We did not feel comfortable announcing the attack in public until the correct steps were taken to ensure that it could not be repeated successfully and would not jeopardize the integrity of law enforcement investigations.”
Coinbase did not disclose how much was stolen in the attack, but said customers would be compensated for all lost money.
A blog post uploaded on Monday said there was an increase in Coinbase-branded phishing messages between April and May, which showed a greater degree of success in bypassing the spam filters of some older e-mail services. It recommended using two-factor authentication methods other than SMS texts.
The exchange, which listed in New York in April, suffered an embarrassment when it was forced to shelve its Lend product, which would initially have provided an annual return of 4 percent for holders of its stablecoin, USD Coin.
The Securities and Exchange Commission warned that it would sue if the product was launched, and issued subpoenas asking for more information. Coinbase CEO Brian Armstrong accused the regulator of ‘sketchy behavior’ before shelving the product.
The company has also been scrutinized over the past few months over its claims that USD Coin is fully backed by US dollar reserves, despite evidence that the reserve has also included ‘approved investments’ since March last year.
Coinbase and the payment group Circle, which jointly operate USD Coin, have committed to switching to a reserve policy of cash and Treasuries by the end of September.