Hackers have reportedly stolen cryptocurrency from at least 6,000 customers of the Nasdaq-listed digital asset exchange Coinbase by exploiting a vulnerability in its SMS account recovery process.
According to a letter the exchange sent to affected customers, a copy of which was posted on the website of California’s Attorney General, the hack took place between March and May 20 of this year.
Unauthorized third parties took advantage of a flaw in Coinbase’s SMS account recovery process to gain access to accounts and transfer funds to unknown crypto addresses not associated with the company.
To carry out the attack, the hackers needed to know the email address, password and phone number linked to each affected Coinbase account, and also needed access to the victim’s personal email account, the company said.
“We immediately fixed the flaw and have worked with these customers to regain control of their accounts,” a Coinbase official said.
Coinbase stated that it was unable to determine “conclusively” how the attackers obtained the customers’ credentials, but that it was most likely the result of phishing or “social engineering” techniques used to deceive customers into disclosing them. It said that it had found no evidence that this information had been obtained from the exchange itself, and that the attackers had not breached its security infrastructure.
Coinbase did not disclose how much had been stolen in the attack but said customers would be refunded for the amount lost.
According to reports, between April and May there was an increase in Coinbase-branded phishing messages, some of which bypassed the spam filters of older email services. Coinbase recommended that customers use a two-factor authentication method other than SMS text messages.