Coinbase made everyone whole, and the attackers stole the credentials (not because of Coinbase's fault) ahead of time, and the attackers had to perform a "SIM swap" type attack on the users. "Breach" may be the required term for the Californian government, but this wouldn't qualify to most people as a traditional breach (i.e., compromise of Coinbase's infrastructure).<p>Edit: California, not Canada. My bad.
><i>"We will be depositing funds into your account equal to the value of the currency improperly removed from your account at the time of the incident. Some customers have already been reimbursed -- we will ensure all customers affected receive the full value of what you lost. You should see this reflected in your account no later than today."</i><p>I sympathize with the "Not your keys, not your coins" crowd, but you have to admit that you are far more likely to be compensated in the event of an attack if you are using a large exchange. Not guaranteed, of course, but Coinbase has an image to maintain.<p>I also believe, personally, that a large exchange has much better security than anything I could muster with a hot wallet. Yes, I know I can airgap a cold wallet but I like the ability to quickly sell some amount of crypto at market rates without having to transfer from a paper wallet. I also worry about physical security since my home has been burglarized before. Therefore, I keep my coins on exchanges and follow good practices with 2FA across my accounts (no SMS for any) and have withdrawal delays / whitelisting active.
I think this reflects very favorably on Coinbase. They're making everyone whole, and gosh - the attackers had the users' usernames, passwords and phone numbers. Hard not to be sympathetic to Coinbase in that scenario. How are they supposed to know those aren't the real users? Consider that if they are going to identify those cases as fraudulent actors, then they could easily lock out legitimate users as well.<p>I'll guess the users had the same usernames and passwords that they've used for a hundred other sites, and one of those got breached at some point. Don't do that!
The attack still goes on. Email today:<p><pre><code> Coinbase
Coinbase <https://verify-customers.elastic-galileo.185-150-117-78.plesk.page/>
Verify your email address
In order to continue using your Coinbase account, you need to reconfirm
your email address. To avoid service interruptions verify your email.
Verify Email Address
<https://verify-customers.elastic-galileo.185-150-117-78.plesk.page/>
If you did not sign up for this account you can ignore this email and the
account will be deleted.
Get the latest Coinbase App for your phone
Coinbase iOS mobile bitcoin wallet
<https://verify-customers.elastic-galileo.185-150-117-78.plesk.page/>
Coinbase Android mobile bitcoin wallet
<https://verify-customers.elastic-galileo.185-150-117-78.plesk.page/>
</code></pre>
Whois info:<p>> whois plesk.page<p><pre><code> Domain Name: plesk.page
Registry Domain ID: 41B85291E-PAGE
Registrar WHOIS Server: whois.namecheap.com
Registrar URL: https://www.namecheap.com/
Updated Date: 2021-07-10T14:00:29Z
Creation Date: 2020-03-18T03:06:27Z
Registry Expiry Date: 2022-03-18T03:06:27Z
Registrar: Namecheap Inc.
Registrar IANA ID: 1068
Registrar Abuse Contact Email: abuse@namecheap.com
Registrar Abuse Contact Phone: +1.6613102107
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registry Registrant ID: REDACTED FOR PRIVACY
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: Privacy service provided by Withheld for Privacy ehf
Registrant Street: REDACTED FOR PRIVACY
...
</code></pre>
Traceroute shows that site is hosted by Hurricane Electric.<p>Anyone who lost money in this should sue Namecheap and Hurricane Electric. They will be stumbling all over themselves to tell your lawyers who their customer was, to avoid liability.<p>I don't even have a Coinbase account.
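A gateway-side check of the kind a defender would run over that mail, added here as an example (not the commenter's code, and not any Coinbase, Namecheap or Hurricane Electric tooling): it pulls the links out of the quoted message and flags the brand mention next to a non-matching registrable domain, the hyphen-encoded IP label, and the credential-lure subdomain. The brand allowlist, the keyword list and the naive "last two labels" domain rule are assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the phishing mail quoted in the comment above, reduced to its links.
SAMPLE_EMAIL = """Coinbase <https://verify-customers.elastic-galileo.185-150-117-78.plesk.page/>
Verify your email address
Verify Email Address
<https://verify-customers.elastic-galileo.185-150-117-78.plesk.page/>
"""

# Assumed allowlist of the brand's real registrable domains (hypothetical, not from the page).
BRAND_DOMAINS = {"coinbase": {"coinbase.com"}}
LURE_KEYWORDS = ("verify", "login", "secure", "account")

URL_RE = re.compile(r"<(https?://[^>\s]+)>")
HYPHEN_IP_RE = re.compile(r"^\d{1,3}(-\d{1,3}){3}$")  # e.g. 185-150-117-78

def registrable_domain(host):
    """Naive eTLD+1 (last two labels); a real gateway should use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def analyze_link(url, body):
    """Return the reasons a link looks like brand impersonation (empty list = nothing found)."""
    host = (urlparse(url).hostname or "").lower()
    apex = registrable_domain(host)
    sub = host[: len(host) - len(apex)].rstrip(".")
    reasons = []
    for brand, good in BRAND_DOMAINS.items():
        if (brand in body.lower() or brand in host) and apex not in good:
            reasons.append(f"mentions '{brand}' but link domain is {apex}")
    if any(HYPHEN_IP_RE.match(label) for label in host.split(".")):
        reasons.append("hostname label encodes an IP address")
    if any(k in sub for k in LURE_KEYWORDS):
        reasons.append(f"credential-lure keyword in subdomain '{sub}'")
    return reasons

def scan_email(body):
    """Map each distinct URL in the body to its findings, preserving first-seen order."""
    return {u: analyze_link(u, body) for u in dict.fromkeys(URL_RE.findall(body))}

if __name__ == "__main__":
    for url, findings in scan_email(SAMPLE_EMAIL).items():
        print(url, "->", findings or "clean")
```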
Reminder: if you don't own your keys, you don't own your cheese.<p>Hardware:<p><a href="https://trezor.io/" rel="nofollow">https://trezor.io/</a>
<a href="https://www.ledger.com/" rel="nofollow">https://www.ledger.com/</a>
One thing that cryptocurrencies achieved is they introduced private key authentication at scale. For a moment, there was a hope that we could move to a private key authentication mechanism. But, unfortunately, it was quickly rolled back by the introduction of custodial wallets and we got pulled back into the world of passwords.
I wonder how "We will be depositing funds into your account equal to the value of the currency improperly removed
from your account at the time of the incident" is to be read.<p>To me, that reads as "if you had 1 BTC stolen on May 20, we will deposit 40k USD into your account, because that was the value of 1 BTC as of May 20", not "if you had 1 BTC stolen, there is now 1 BTC back in your account".<p>The timeframe listed in the letter covers exactly the time of a massive price spike, so a USD payout would put most people in a better situation than a BTC payout in this specific case, but I'm still curious how this is handled, and whether there is a universally agreed standard for it.<p>Because next time "we'll reimburse you the USD value of your crypto as of the date of the attack 6 months ago" could mean that someone "made whole" like this has only 10% of what they would have if the attack didn't happen.
Almost every exchange supports TOTP, as does Coinbase; shouldn't they just disable SMS?<p>Although it sounds like these are email accounts that have been hacked in other ways too.
High security services should send a pair of U2F keys to each and every customer when they sign up (or hit a retention/value threshold), with instructions on how to store them (that is, different buildings). Then they can use normal app-based 2FA day to day (NOT TOTP as that is phishable), and use the preenrolled U2F hardware tokens as recovery methods when the user inevitably loses their phone and needs to re-enroll their primary 2FA device (the service app on their new phone).<p>Falling back to SMS to reset 2FA, or Skype calls where you hold up your ID with a CSR or whatever is just asking for shit like this. In bulk the hardware is probably <$5/token, so well under $10/user (probably closer to $5/user even for a pair of tokens). If your CLTV for your high security financial service can’t afford that, go do something else.<p>This is a solved problem; the fact that financial institutions have not got on board with 10+ year old stable, cheap, widely available technology is a market failure caused by massive overregulation.<p>Nothing about this is hard, nothing about this is expensive, there’s just a pervasive attitude in financial technology circles of “this is the way we’ve always done it” or “this is the way everyone else does it”, even if those ways encapsulate a ton of waste and risk.<p>Even without the whole “n+1 tokens, used only as primary 2fa recovery” scheme, I don’t think there’s a single US retail bank that supports U2F even for normal 2FA login. It’s shameful.<p>This industry is so ridiculously ripe for disruption but it’s so heavily overregulated that nobody that doesn’t suck is allowed to enter the market. Simple was the first to try (and even they had to use a partner bank) and they got erased via acquisition (and I think subsequently shut down).
From what I understand, the SMS verification was bypassed but not the password validation.<p>I am probably not understanding this correctly, but if the attacker had to have knowledge of your password then why did they reimburse affected users? They could've called it a day and claimed it was the user's fault.
The PDF link (<a href="https://oag.ca.gov/system/files/09-24-2021%20Customer%20Notification.pdf" rel="nofollow">https://oag.ca.gov/system/files/09-24-2021%20Customer%20Noti...</a>) was sometimes throwing a "file not found" error.<p>Archived version: <a href="http://web.archive.org/web/20211001155216/https://oag.ca.gov/system/files/09-24-2021%20Customer%20Notification.pdf" rel="nofollow">http://web.archive.org/web/20211001155216/https://oag.ca.gov...</a> (consider <a href="https://archive.org/donate" rel="nofollow">https://archive.org/donate</a> to support the cost of operating the archive).
The irony in that breach document is that the first credit monitoring agency mentioned at the bottom is Equifax, which has the reputation for one of the worst data breaches in 2017, spanning nearly 150 million American citizens.
If you got hacked and don't get your funds deposited, good luck getting in touch with anyone. I have sent multiple requests about another issue, was told I should expect a response shortly, and that was months ago.
<i>"Between March and May 20, 2021, you were a victim of a third-party campaign..."</i><p>There was a spate of Coinbase SMS phishing texts in July 2021. So the window could be much longer, and the campaign ongoing.
I'm done with anything crypto. Daily. Bug after bug, breach after breach. I just don't see how, at any point in the future, crypto gets any more secure than, say, Microsoft Windows. There'll always be a bug, there'll always be a fix needed. And this isn't, "oh, my software crashed for an afternoon", it's potentially a good chunk of your life savings.<p>I'll take my chances with the banks and Nigerian Princes.
What I'm getting from this is that Coinbase was/is using SMS-based 2FA? Using anything short of mandatory U2F means the responsibility of this breach firmly falls on Coinbase's shoulders. It's like if you found out your bank uses single-bolt doors for its vault.
> Unfortunately, between March and May 20, 2021, you were a victim of a third-party campaign to gain
> unauthorized access to the accounts of Coinbase customers and move customer funds off the Coinbase
> platform. At least 6,000 Coinbase customers had funds removed from their accounts, including you.<p>I see 2 conflicting claims here:<p>> While we are not able to determine conclusively how these third parties gained
> access to this information<p>"these" being username, pw, phone number etc. And then:<p>> We have not found any evidence that these third parties obtained this information from Coinbase itself.<p>You're technically correct but the first claim undermines the second one to me.
Could be SIM swapping?<p><a href="https://therecord.media/hackers-bypass-coinbase-2fa-to-steal-customer-funds/" rel="nofollow">https://therecord.media/hackers-bypass-coinbase-2fa-to-steal...</a>
<i>In order to access your Coinbase account, these third parties first needed prior knowledge of the email
address, password, and phone number associated with your Coinbase account, as well as access to your
personal email inbox. While we are not able to determine conclusively how these third parties gained
access to this information, this type of campaign typically involves phishing attacks ...
Even with the information described above, additional authentication is required in order to access your
Coinbase account. However, in this incident, for customers who use SMS texts for two-factor
authentication, the third party took advantage of a flaw in Coinbase’s SMS Account Recovery process in
order to receive an SMS two-factor authentication token and gain access to your account.</i><p><i>We will be depositing funds into your account equal to the value of the currency improperly removed
from your account at the time of the incident. Some customers have already been reimbursed -- we will
ensure all customers affected receive the full value of what you lost</i>
I like this. They are basically making a call to self insure against these types of incidents and paying out of their own coffers. It makes sense since recovering the stolen crypto is near impossible (as designed).<p>It's funny how everything old is new again. We are just reinventing FDIC insurance for crypto.
What can be said that has not already been said?<p>It's like people saying, "I don't like the bank with their ridiculous paperwork so I will use a loan shark instead, he doesn't need paperwork."<p>Then the loan shark disappears/beats you up/asks for loads of interest etc. and you still want to complain to the police.<p>Most people hate regulators but they are there for a reason. What certifications does Coinbase have to hold your millions of dollars of virtual currency?