Crypto exchange Coinbase confirmed that funds were stolen from at least 6,000 accounts in a vast phishing attack this spring and that the affected customers would be reimbursed any lost value.
Coinbase Confirmed The Phishing Attack
Coinbase informed its customers about a phishing campaign in which threat actors gained unauthorized access to accounts on the platform and stole funds from approximately 6,000 users.
“Unfortunately, between March and May 20, 2021, you were a victim of a third-party campaign to gain unauthorized access to the accounts of Coinbase customers and move customer funds off the Coinbase platform,” the company acknowledged in a customer notification. “At least 6,000 Coinbase customers had funds removed from their accounts, including you.”
A Coinbase representative stated that the company’s security department discovered a massive phishing campaign that achieved “particular success in bypassing the spam filters of certain, older email services.”
The crypto exchange platform assured its customers that it was working with external partners to remove the phishing sites when identified and that it was taking immediate action to mitigate the impact of the phishing attack.
Coinbase Users May Have Been Tricked Into Handing Over Their Credentials
“Unfortunately we believe, although cannot conclusively determine, that some Coinbase customers may have fallen victim to the phishing campaign and turned over their Coinbase credentials and the phone numbers verified in their accounts to attackers,” the spokesperson explained.
The scammers first obtained the email address, password, and phone number of the victims in order to gain access to their Coinbase accounts. While the company said it wasn’t certain of how third parties got this access, it could have happened either via a phishing campaign or another form of social engineering attack.
“We have not found any evidence that these third parties obtained this information from Coinbase itself,” the notice said.
Accessing a Coinbase account requires two-factor authentication (2FA). However, in this particular incident, for customers who used SMS text messages as their second factor, the attackers took advantage of a flaw in the organization’s SMS Account Recovery process.
“Once in your account, the third party was able to transfer your funds to crypto wallets unassociated with Coinbase,” the notice said.
After discovering the phishing attack, Coinbase updated its SMS Account Recovery protocol and assured its customers it would reimburse them the value lost.
“We will be depositing funds into your account equal to the value of the currency improperly removed from your account at the time of the incident. Some customers have already been reimbursed — we will ensure all customers affected receive the full value of what you lost.”
Prevent Phishing With ATTACK Simulator’s Security Awareness Training
Thinking you’ll dodge the bullet (or hook)? Think again. Figures paint a rather grim cybercrime landscape.
Phishing attacks can be catastrophic, resulting in immense financial damage or even the end of your business. Here is what security awareness training can do for you:
- To prevent cyberattacks and breaches
- To strengthen your technological defenses
- To attract more customers
- To make you more socially responsible
- To empower your employees
- To meet compliance standards
- To prevent downtime and maintain a good reputation
Our realistic phishing simulations will expose your employees to life-like hands-on fake phishing attacks.
Here are some awesome perks of choosing us:
- Automated attack simulation – we simulate all kinds of cyberattacks: phishing, malware, ransomware, spear-phishing, identity theft, online privacy attacks, online scams etc.
- Real-life scenarios – we evaluate users’ vulnerability to giving company-related or personal data away using realistic web pages.
- User behavior analysis – we gather user data and compile it in extensive reports to give you a detailed picture of your employees’ security awareness level.
- Malicious file replicas – our emails contain malware file replicas to make the simulation as realistic as it can be.
- Interactive lessons – if employees fail to recognize our traps and fall into one, they will be redirected to landing pages with quick reads on the best security practices.
- We impersonate popular brands on our simulated phishing pages – the user will be more tempted to click on the URL or open the attachment in the email.
ATTACK Simulator’s Security Awareness Training program will help you equip your employees with the necessary security knowledge and up-to-date security practices to keep your company safe from scammers and avoid potentially irreparable damage.