Coinbase, arguably the most mainstream of all US crypto-exchanges, had a hacker bypass the SMS multi-factor authentication mechanism it had in place for security. The hacker stole funds from 6,000 users, as Bleeping Computer reported.
The breach happened between March and May. It was a sophisticated attack, but it used some tactics that are easily avoidable: a combination of phishing scams and exploitation of a vulnerability in the security measures of the Coinbase platform. In order to pull off the hack, the perpetrator(s) needed an account holder's email address, password, and phone number, and had to be able to access and control the email accounts of those customers. Details of how the hacker was able to accomplish all of that are still unknown.
“In this incident, for customers who use SMS texts for two-factor authentication, the third party took advantage of a flaw in Coinbase’s SMS Account Recovery process in order to receive an SMS two-factor authentication token and gain access to your account,” customers of Coinbase were told in electronic notifications. Customers’ personal information, “full name, email address, home address, date of birth, IP addresses for account activity, transaction history, account holdings, and balances,” was also compromised.
If you haven’t learned this lesson, learn it now: not your keys, not your coins.