The hack took place between March and May 20, according to a notification letter posted by the company, available on the website of California’s Attorney General.
“We immediately fixed the flaw and have worked with these customers to regain control of their accounts and reimburse them for the funds they lost,” a Coinbase spokesperson said on Friday.
The company said that the hackers managed to get access to the email addresses, passwords, and phone numbers linked to the affected Coinbase accounts. It also reiterated that there was no evidence to suggest the information was obtained from the company.
Coinbase said it was not sure how the hackers managed to breach their authentication systems, but that it was probably the result of phishing attacks or “social engineering” techniques to trick users into revealing their credentials.
The breach happened when the hackers managed to exploit a flaw in Coinbase’s SMS text account recovery process and were able to divert authentication messages to themselves rather than the victims. In addition to access to funds, attackers could access information including home addresses, full names and transaction histories.
Coinbase said, “Because of the size, scope and sophistication of the campaign we have been working with a range of partners, law enforcement agencies and other stakeholders to understand the attack and develop mitigation techniques.” It added, “We didn’t feel comfortable disclosing the attack publicly until the correct steps were taken to ensure that it couldn’t be repeated successfully, and would not compromise the integrity of law enforcement investigations.”
There is no clarity about the actual money stolen in the attack but the company said the customers would be reimbursed for all funds lost.
The company said in a blog post that increased activity had been noticed between April and May of this year of Coinbase-branded phishing messages, which were able to bypass spam filters on some older email services. It advised using two-factor authentication methods other than SMS texts.
Coinbase recently dropped plans to launch a new lending product following the US securities regulators’ threat of legal action. The exchange got listed in New York in April.
It was forced to abandon plans to introduce its Lend product, which would have initially offered a 4 per cent annual yield for holders of its stablecoin, USD Coin.
The Securities and Exchange Commission was not happy with its plans and compliances and needed more information before giving and permission. It threatened to sue the company, and issued subpoenas asking for more information. The regulatory body argued that Lend would deal with securities and should therefore be regulated as an investment product.
Brain Armstrong, Coinbase’s chief executive, accused the regulator of “sketchy behaviour” and made the issue public. Coinbase Lend would have given users the ability to loan their USDC holdings.
The chief legal officer of Coinbase wrote a lengthy blogpost saying we do not know why the SEC is suing us.
Though the company complied and shelved its launch plans. The company was under scrutiny for having claimed that its USD Coin was fully backed by the US dollar, despite evidence to the contrary.
The company’s assets include “approved investments” from March 2020 onwards. Coinbase and the payments group Circle, which jointly operate USD Coin, committed to moving to a reserve policy of cash and Treasuries by the end of September. Coinbase said it’s still looking for “regulatory clarity for the crypto industry.”