Cryptocurrency exchange Coinbase reportedly suffered a new security breach after attackers managed to bypass the company’s multi-factor authentication, or MFA, in a coordinated campaign earlier this year.
According to a report by Bleeping Computer, the attackers stole cryptocurrency from 6000 accounts, but the monetary value of the theft was not disclosed. Earlier this week, Coinbase notified affected customers that the theft occurred between March and May.
To gain access to the accounts, the attackers needed to know the email address, password, and phone number of the affected users. It is unclear how the attackers obtained this information, although phishing attacks targeting exchange users are not uncommon. However, Coinbase has discovered a vulnerability in the account recovery process that the attackers used to gain access to accounts:
“In this incident, for customers using SMS text messages for two-factor authentication, a third party took advantage of an error in the Coinbase SMS account recovery process to obtain the SMS two-factor authentication code and access your account.”
Coinbase, which operates one of the world’s largest cryptocurrency exchanges, has come under fire for poor customer service. According to Cointelegraph, customers whose accounts were hacked and used to raise funds were unable to reach support staff, which led to thousands of complaints against the company.
Coinbase’s first public offering was in April at $86 billion, but the company failed to adequately expand its customer service division. In August, the company announced a new customer support team for customers who believe their account has been hacked.