Hackers stole cryptocurrency from at least 6,000 customers of the Nasdaq-listed digital asset exchange Coinbase by exploiting a flaw in its two-factor authentication system.
The news, first reported by Bleeping Computer, was disclosed by the company, which also faces legal action from US securities regulators.
Victims were targeted between March and May of this year, according to a letter sent to affected customers, uploaded to the California Attorney General’s website and dated Friday.
The attackers needed to know the user’s email address, password and phone number in advance, and to have access to the user’s email inbox.
Coinbase said it couldn’t “conclusively” determine how this happened, but that it was probably the result of a phishing attack or “social engineering” techniques that tricked users into revealing their credentials.
No evidence was found that this information was obtained from the exchange itself, and the attacker did not compromise the security infrastructure.
A flaw in Coinbase’s SMS text account recovery process meant that accounts using the service were vulnerable to an attacker, who could forward the authentication message to himself rather than the victim.
In addition to accessing funds, an attacker could gain access to information such as the victim’s home address, name and transaction history.
Coinbase said it fixed the flaw “immediately” but did not reveal when it discovered the vulnerability or hacking campaign.
“We have worked with a variety of partners, law enforcement agencies and other stakeholders to understand attacks and develop mitigation methods for the size, scope and sophistication of our campaigns,” the company said.
“We were reluctant to expose the attack until the correct steps were taken to ensure that the attack could not be repeated successfully and the law enforcement investigations were not compromised.”
Coinbase did not reveal the amount stolen in the attack, but said all lost money would be refunded to the customer.
According to a blog post uploaded on Monday, Coinbase-branded phishing messages increased between April and May, and some were successful in bypassing the spam filters of older email services. The company recommends using a two-factor authentication method other than SMS text.
The exchange, which went public in New York in April, was forced into an embarrassing retreat on its lending product, which would have initially offered 4% annual interest to holders of the stablecoin USD Coin.
The Securities and Exchange Commission issued a subpoena for details, warning that it would file proceedings if the product was launched. Brian Armstrong, CEO of Coinbase, accused regulators of “rough action” before the product was shelved.
The company has also faced months of scrutiny over the claim that USD Coin is fully backed by a US dollar reserve, even though there is evidence that it has also held “approved investments” since March last year.
Circle, the payments group that co-operates USD Coin with Coinbase, has promised to move to a cash and Treasury reserve policy by the end of September.