from Hacker News

Coinbase Breach Notification

by sunils34 on 10/1/21, 3:34 PM with 271 comments

  • by vngzs on 10/1/21, 3:49 PM

    Coinbase made everyone whole, and the attackers stole the credentials (through no fault of Coinbase's) ahead of time, and the attackers had to perform a "SIM swap" type attack on the users. "Breach" may be the required term for the Californian government, but this wouldn't qualify to most people as a traditional breach (i.e., compromise of Coinbase's infrastructure).

    Edit: California, not Canada. My bad.

  • by BitwiseFool on 10/1/21, 4:02 PM

    >"We will be depositing funds into your account equal to the value of the currency improperly removed from your account at the time of the incident. Some customers have already been reimbursed -- we will ensure all customers affected receive the full value of what you lost. You should see this reflected in your account no later than today."

    I sympathize with the "Not your keys, not your coins" crowd, but you have to admit that you are far more likely to be compensated in the event of an attack if you are using a large exchange. Not guaranteed, of course, but Coinbase has an image to maintain.

    I also believe, personally, that a large exchange has much better security than anything I could muster with a hot wallet. Yes, I know I can airgap a cold wallet but I like the ability to quickly sell some amount of crypto at market rates without having to transfer from a paper wallet. I also worry about physical security since my home has been burglarized before. Therefore, I keep my coins on exchanges and follow good practices with 2FA across my accounts (no SMS for any) and have withdrawal delays / whitelisting active.

  • by mdavis6890 on 10/1/21, 4:05 PM

    I think this reflects very favorably on Coinbase. They're making everyone whole, and gosh - the attackers had the users' usernames, passwords and phone numbers. Hard not to be sympathetic to Coinbase in that scenario. How are they supposed to know those aren't the real users? Consider that if they are going to identify those cases as fraudulent actors, then they could easily lock out legitimate users as well.

    I'll guess the users had the same usernames and passwords that they've used for a hundred other sites, and one of those got breached at some point. Don't do that!

  • by Animats on 10/1/21, 8:08 PM

    The attack still goes on. Email today:

        Coinbase
    
        Coinbase <https://verify-customers.elastic-galileo.185-150-117-78.plesk.page/>
        Verify your email address
        In order to continue  using your Coinbase account, you need to reconfirm 
        your email address. To avoid service interruptions verify your email.
        Verify Email Address 
        <https://verify-customers.elastic-galileo.185-150-117-78.plesk.page/>
    
        If you did not sign up for this account you can ignore this email and the
        account will be deleted.
    
        Get the latest Coinbase App for your phone
        Coinbase iOS mobile bitcoin wallet
        <https://verify-customers.elastic-galileo.185-150-117-78.plesk.page/>
        Coinbase Android mobile bitcoin wallet
        <https://verify-customers.elastic-galileo.185-150-117-78.plesk.page/>
    
    Whois info:

    > whois plesk.page

        Domain Name: plesk.page
        Registry Domain ID: 41B85291E-PAGE
        Registrar WHOIS Server: whois.namecheap.com
        Registrar URL: https://www.namecheap.com/
        Updated Date: 2021-07-10T14:00:29Z
        Creation Date: 2020-03-18T03:06:27Z
        Registry Expiry Date: 2022-03-18T03:06:27Z
        Registrar: Namecheap Inc.
        Registrar IANA ID: 1068
        Registrar Abuse Contact Email: abuse@namecheap.com
        Registrar Abuse Contact Phone: +1.6613102107
        Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
        Registry Registrant ID: REDACTED FOR PRIVACY
        Registrant Name: REDACTED FOR PRIVACY
        Registrant Organization: Privacy service provided by Withheld for Privacy ehf
        Registrant Street: REDACTED FOR PRIVACY
        ...
    
    Traceroute shows that site hosted by Hurricane Electric.

    Anyone who lost money in this should sue Namecheap and Hurricane Electric. They will be stumbling all over themselves to tell your lawyers who their customer was, to avoid liability.

    I don't even have a Coinbase account.
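
The lure quoted above has the shape a mail filter can catch without any reputation data: the link text says Coinbase, but the hostname is a deeply nested, auto-generated subdomain on an unrelated hosting domain with a dashed IPv4 address as one of its labels. The following is an added example, not code from the post or from Coinbase: a small link analyzer run over a constructed copy of that email body. The allow-list of legitimate sender domains (`coinbase.com`) and the two-label "registrable domain" shortcut are assumptions for the example; a production filter would use the public suffix list.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample: a copy of the phishing email body quoted in the post above.
SAMPLE_EMAIL = """\
Coinbase <https://verify-customers.elastic-galileo.185-150-117-78.plesk.page/>
Verify your email address
In order to continue using your Coinbase account, you need to reconfirm
your email address. To avoid service interruptions verify your email.
Verify Email Address
<https://verify-customers.elastic-galileo.185-150-117-78.plesk.page/>
"""

# Assumption for this example: the only domain the brand legitimately links to from email.
LEGIT_DOMAINS = {"coinbase.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# A label such as 185-150-117-78: an IPv4 address written with dashes, the shape of
# auto-generated hosting subdomains rather than a brand's own hostname.
DASHED_IP_RE = re.compile(r"(?:\d{1,3}-){3}\d{1,3}")


def registrable_domain(host):
    """Naive registrable domain: the last two labels (no public-suffix list).
    Good enough for this example; a real filter would consult the PSL."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_raw_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyze_url(url):
    """Return the reasons a link looks like a brand-impersonation lure (empty = clean)."""
    host = urlsplit(url).hostname or ""
    if is_raw_ip(host):
        return ["link points at a bare IP address"]
    findings = []
    domain = registrable_domain(host)
    if domain not in LEGIT_DOMAINS:
        findings.append(f"link domain {domain!r} is not an approved sender domain")
    labels = host.split(".")
    if any(DASHED_IP_RE.fullmatch(label) for label in labels):
        findings.append("hostname embeds a dashed IPv4 address label")
    if len(labels) > 3:
        findings.append(f"hostname has {len(labels)} labels (deeply nested subdomain)")
    return findings


def analyze_email(text):
    """Map each distinct URL in an email body to its findings, in order of appearance."""
    results = {}
    for url in URL_RE.findall(text):
        if url not in results:
            results[url] = analyze_url(url)
    return results


def is_suspicious(text):
    return any(findings for findings in analyze_email(text).values())


if __name__ == "__main__":
    for url, findings in analyze_email(SAMPLE_EMAIL).items():
        print(url)
        for finding in findings:
            print("  -", finding)
```

All three checks fire on the quoted link, while a link to `https://www.coinbase.com/` passes clean; the same checks applied to SMS lure text would catch the "smishing" variants mentioned elsewhere in this thread.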

  • by rglover on 10/1/21, 4:48 PM

    Reminder: if you don't own your keys, you don't own your cheese.

    Hardware:

    https://trezor.io/ https://www.ledger.com/

  • by YeBanKo on 10/1/21, 6:06 PM

    One thing that cryptocurrencies achieved is they introduced private-key authentication at scale. For a moment, there was a hope that we could move to a private-key authentication mechanism. But, unfortunately, it was quickly rolled back by the introduction of custodial wallets and we got pulled back into the world of passwords.

  • by tgsovlerkhgsel on 10/1/21, 10:43 PM

    I wonder how "We will be depositing funds into your account equal to the value of the currency improperly removed from your account at the time of the incident" is to be read.

    To me, that reads as "if you had 1 BTC stolen on May 20, we will deposit 40k USD into your account, because that was the value of 1 BTC as of May 20", not "if you had 1 BTC stolen, there is now 1 BTC back in your account".

    The timeframe listed in the letter covers exactly the time of a massive price spike, so a USD payout would put most people in a better situation than a BTC payout in this specific case, but I'm still curious how this is handled, and whether there is a universally agreed standard for it.

    Because next time "we'll reimburse you the USD value of your crypto as of the date of the attack 6 months ago" could mean that someone "made whole" like this has only 10% of what they would have if the attack didn't happen.

  • by danuker on 10/1/21, 3:50 PM

  • by rhacker on 10/1/21, 4:59 PM

    Almost every exchange, Coinbase included, supports TOTP; shouldn't they just disable SMS?

    Although it sounds like these are email accounts that have been hacked in other ways too.

  • by sneak on 10/1/21, 6:51 PM

    High security services should send a pair of U2F keys to each and every customer when they sign up (or hit a retention/value threshold), with instructions on how to store them (that is, different buildings). Then they can use normal app-based 2FA day to day (NOT TOTP as that is phishable), and use the preenrolled U2F hardware tokens as recovery methods when the user inevitably loses their phone and needs to re-enroll their primary 2FA device (the service app on their new phone).

    Falling back to SMS to reset 2FA, or Skype calls where you hold up your ID with a CSR or whatever is just asking for shit like this. In bulk the hardware is probably <$5/token, so well under $10/user (probably closer to $5/user even for a pair of tokens). If your CLTV for your high security financial service can’t afford that, go do something else.

    This is a solved problem; the fact that financial institutions have not got on board with 10+ year old stable, cheap, widely available technology is a market failure caused by massive overregulation.

    Nothing about this is hard, nothing about this is expensive, there’s just a pervasive attitude in financial technology circles of “this is the way we’ve always done it” or “this is the way everyone else does it”, even if those ways encapsulate a ton of waste and risk.

    Even without the whole “n+1 tokens, used only as primary 2fa recovery” scheme, I don’t think there’s a single US retail bank that supports U2F even for normal 2FA login. It’s shameful.

    This industry is so ridiculously ripe for disruption but it’s so heavily overregulated that nobody that doesn’t suck is allowed to enter the market. Simple was the first to try (and even they had to use a partner bank) and they got erased via acquisition (and I think subsequently shut down).
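
The post above draws a line between TOTP and hardware tokens: a TOTP code is just six digits that the server cannot tie to the site the user typed them into, whereas a U2F/WebAuthn assertion is a signature over client data that the browser stamps with the origin it is really on, so the legitimate site can reject an assertion produced for a lookalike. The following is an added example, not code from the post or from any vendor, that models both checks side by side in Python. The hostnames `coinbase.example` and `verify-customers.example` are placeholders, and an HMAC key shared at registration stands in for the token's per-site ECDSA key pair (a real relying party stores only a public key).

```python
import hashlib
import hmac
import json
import secrets
import struct


# --- TOTP (RFC 6238): HMAC-SHA1 over the 30-second time step -----------------
def totp(secret, unix_time, step=30, digits=6):
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF) % 10 ** digits
    return str(code).zfill(digits)


def totp_verify(secret, unix_time, code):
    # The server sees only the digits; nothing in them records where the user
    # typed them, so a code collected on a lookalike site verifies just as well.
    return hmac.compare_digest(totp(secret, unix_time), code)


# --- Origin-bound challenge/response in the U2F/WebAuthn style ---------------
class Authenticator:
    """Stand-in for a hardware token: one key per relying party (assumption: HMAC
    instead of an ECDSA key pair, to keep the example dependency-free)."""

    def __init__(self):
        self._keys = {}

    def register(self, rp_id):
        key = secrets.token_bytes(32)
        self._keys[rp_id] = key
        return key

    def sign(self, rp_id, origin, challenge):
        # The browser builds the client data and fills in the origin the page is
        # really served from; the token signs it and cannot alter that field.
        client_data = json.dumps({"challenge": challenge, "origin": origin},
                                 sort_keys=True).encode()
        signature = hmac.new(self._keys[rp_id], client_data, hashlib.sha256).digest()
        return client_data, signature


class RelyingParty:
    def __init__(self, rp_id, origin):
        self.rp_id = rp_id
        self.origin = origin
        self.registered_key = None
        self.pending = set()  # challenges issued but not yet consumed

    def enroll(self, authenticator):
        self.registered_key = authenticator.register(self.rp_id)

    def new_challenge(self):
        challenge = secrets.token_hex(16)
        self.pending.add(challenge)
        return challenge

    def verify(self, client_data, signature):
        data = json.loads(client_data)
        if data.get("origin") != self.origin:
            return False, "origin mismatch"
        if data.get("challenge") not in self.pending:
            return False, "unknown or replayed challenge"
        expected = hmac.new(self.registered_key, client_data, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return False, "bad signature"
        self.pending.discard(data["challenge"])  # single use
        return True, "ok"


def totp_code_relayed_from_wrong_site(secret=b"constructed-seed", now=1633100000):
    # A code the user produced for a lookalike site and that was forwarded to the
    # real server within the same time step: accepted, because it carries no origin.
    code_entered_on_lookalike = totp(secret, now)
    return totp_verify(secret, now, code_entered_on_lookalike)


def assertion_relayed_from_wrong_site(lookalike_origin="https://verify-customers.example"):
    # Same token, same challenge, but the client data names the origin the user was
    # actually on; the real site rejects it before even checking the signature.
    real = RelyingParty("coinbase.example", "https://coinbase.example")
    token = Authenticator()
    real.enroll(token)
    challenge = real.new_challenge()
    client_data, sig = token.sign(real.rp_id, lookalike_origin, challenge)
    return real.verify(client_data, sig)


def assertion_from_real_site():
    real = RelyingParty("coinbase.example", "https://coinbase.example")
    token = Authenticator()
    real.enroll(token)
    challenge = real.new_challenge()
    client_data, sig = token.sign(real.rp_id, real.origin, challenge)
    return real.verify(client_data, sig)
```

The relayed TOTP code verifies, the relayed assertion fails with "origin mismatch", and a genuine assertion verifies exactly once; the same origin check is what makes a pre-enrolled hardware token a safe recovery factor where an SMS or TOTP reset is not.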

  • by IceWreck on 10/1/21, 4:00 PM

    From what I understand, the SMS verification was bypassed but not the password validation.

    I am probably not understanding this correctly, but if the attacker had to have knowledge of your password, then why did they reimburse affected users? They could've called it a day and claimed it was the user's fault.

  • by tgsovlerkhgsel on 10/1/21, 10:45 PM

    The PDF link (https://oag.ca.gov/system/files/09-24-2021%20Customer%20Noti...) was sometimes throwing a "file not found" error.

    Archived version: http://web.archive.org/web/20211001155216/https://oag.ca.gov... (consider https://archive.org/donate to support the cost of operating the archive).

  • by rsimmons on 10/1/21, 10:48 PM

    The irony in that breach document is that the first credit monitoring agency mentioned at the bottom is Equifax, which has the reputation for one of the worst data breaches in 2017, spanning nearly 150 million American citizens.

  • by encryptluks2 on 10/1/21, 6:11 PM

    If you got hacked and don't get your funds deposited, good luck getting in touch with anyone. I have sent multiple requests about another issue, was told I should expect a response shortly, and that was months ago.

  • by matchagaucho on 10/1/21, 4:58 PM

    "Between March and May 20, 2021, you were a victim of a third-party campaign..."

    There was a spate of Coinbase SMS phishing texts in July 2021. So the window could be much longer, and the campaign ongoing.

  • by paxys on 10/1/21, 4:19 PM

    SMS-based 2FA needs to die.

  • by LightG on 10/1/21, 4:34 PM

    I'm done with anything crypto. Daily. Bug after bug, breach after breach. I just don't see how, at any point in the future, crypto gets any more secure than, say, Microsoft Windows. There'll always be a bug, there'll always be a fix needed. And this isn't, "oh, my software crashed for an afternoon", it's potentially a good chunk of your life savings.

    I'll take my chances with the banks and Nigerian Princes.

  • by tfang17 on 10/1/21, 5:21 PM

    Another reminder that text-based 2FA is not secure.

  • by thepasswordis on 10/1/21, 8:49 PM

    Here's the lesson:

    Use yubikeys. Use coinbase vaults.

  • by Ansil849 on 10/1/21, 7:31 PM

    What I'm getting from this is that Coinbase was/is using SMS-based 2FA? Using anything short of mandatory U2F means the responsibility of this breach firmly falls on Coinbase's shoulders. It's like if you found out your bank uses single-bolt doors for its vault.

  • by tibiahurried on 10/1/21, 5:11 PM

    These platforms should not offer 2FA with SMS, and should force their customers to use 2FA via MFA instead.

  • by newfonewhodis on 10/1/21, 3:51 PM

    > Unfortunately, between March and May 20, 2021, you were a victim of a third-party campaign to gain unauthorized access to the accounts of Coinbase customers and move customer funds off the Coinbase platform. At least 6,000 Coinbase customers had funds removed from their accounts, including you.

    I see 2 conflicting claims here:

    > While we are not able to determine conclusively how these third parties gained access to this information

    "these" being username, pw, phone number etc. And then:

    > We have not found any evidence that these third parties obtained this information from Coinbase itself.

    You're technically correct but the first claim undermines the second one to me.

  • by babyshake on 10/1/21, 5:49 PM

    Coinbase has already contacted all affected users?

  • by rohitpaulk on 10/1/21, 4:36 PM

    Curious what the total dollar amount involved was.

  • by skybrian on 10/1/21, 4:13 PM

    Why does this say “Submitted Breach Notification Sample” and “Sample of Notice?” How do we know the sample is real?

  • by laulis on 10/1/21, 3:54 PM

  • by jefftk on 10/1/21, 3:53 PM

    In order to access your Coinbase account, these third parties first needed prior knowledge of the email address, password, and phone number associated with your Coinbase account, as well as access to your personal email inbox. While we are not able to determine conclusively how these third parties gained access to this information, this type of campaign typically involves phishing attacks ... Even with the information described above, additional authentication is required in order to access your Coinbase account. However, in this incident, for customers who use SMS texts for two-factor authentication, the third party took advantage of a flaw in Coinbase’s SMS Account Recovery process in order to receive an SMS two-factor authentication token and gain access to your account.

    We will be depositing funds into your account equal to the value of the currency improperly removed from your account at the time of the incident. Some customers have already been reimbursed -- we will ensure all customers affected receive the full value of what you lost

  • by rStar on 10/1/21, 8:42 PM

    couldn’t happen to nicer people

  • by rednerrus on 10/1/21, 4:14 PM

    SMS 2FA is not a good idea.

  • by tolulade_ato on 10/1/21, 4:35 PM

    Data security is a serious matter, one of the reasons we are building a product for this for businesses.

  • by jtchang on 10/1/21, 4:11 PM

    I like this. They are basically making a call to self insure against these types of incidents and paying out of their own coffers. It makes sense since recovering the stolen crypto is near impossible (as designed).

    It's funny how everything old is new again. We are just reinventing FDIC insurance for crypto.

  • by lbriner on 10/1/21, 3:51 PM

    What can be said that has not already?

    It's like people saying, "I don't like the bank with their ridiculous paperwork, so I will use a loan shark instead; he doesn't need paperwork."

    Then the loan shark disappears/beats you up/asks for loads of interest etc. and you still want to complain to the police.

    Most people hate regulators, but they are there for a reason. What certifications does Coinbase have to hold your millions of dollars of virtual currency?