- Coinbase said funds were stolen from at least 6,000 customers due to a phishing attack that took place between March and May.
- Some customers may have fallen victim to a phishing campaign and turned over their credentials to attackers, a spokesperson told Insider.
- The crypto exchange said it is reimbursing customers for any lost value.
Coinbase has informed customers about a wave of phishing attacks in which a third party gained access to accounts on the crypto exchange, leading to funds being stolen from about 6,000 customers.
“Unfortunately, between March and May 20, 2021, you were a victim of a third-party campaign to gain unauthorized access to the accounts of Coinbase customers and move customer funds off the Coinbase platform,” the company wrote, according to a customer notification seen by Insider on Friday. “At least 6,000 Coinbase customers had funds removed from their accounts, including you.”
A Coinbase spokesperson told Insider the company’s security team found a large-scale phishing campaign that showed “particular success in bypassing the spam filters of certain, older email services.”
Coinbase said it took immediate action to mitigate the impact of the fraud by working with external partners to remove the sites when identified, and notifying email providers that were impacted.
“Unfortunately we believe, although cannot conclusively determine, that some Coinbase customers may have fallen victim to the phishing campaign and turned over their Coinbase credentials and the phone numbers verified in their accounts to attackers,” the spokesperson added.
Third parties first obtained the email address, password, and phone number of each affected Coinbase customer in order to enter their accounts. The company said it wasn't sure how the third parties got this information, and that it could have happened either through a phishing attack or another social-engineering technique.
“We have not found any evidence that these third parties obtained this information from Coinbase itself,” the notice said.
Accessing a Coinbase account also requires two-factor authentication. But in this incident, for customers who used SMS text messages as their second factor, the third party succeeded by taking advantage of a flaw in the company's SMS Account Recovery process.
“Once in your account, the third party was able to transfer your funds to crypto wallets unassociated with Coinbase,” the notice said.
Coinbase updated its SMS Account Recovery protocol after learning about the attacks, and said it would deposit funds equal to the value lost back into customer accounts.
“We will be depositing funds into your account equal to the value of the currency improperly removed from your account at the time of the incident. Some customers have already been reimbursed — we will ensure all customers affected receive the full value of what you lost.”