Hackers stole cryptocurrencies from at least 6,000 customers of the Nasdaq-listed digital asset exchange Coinbase by exploiting a flaw in its two-factor authentication system.
The news, first reported by Bleeping Computer, comes just a week after the company had to drop its plans to launch a new lending product following the threat of legal action from US securities regulators.
According to a letter sent to affected customers, which was uploaded to the California attorney-general’s website and dated Friday, the victims were targeted between March and May this year.
The attackers needed prior knowledge of the users’ email addresses, passwords and phone numbers, as well as access to their email inboxes.
Coinbase said it was unable to determine “conclusively” how this had happened, but that it was probably the result of phishing attacks or “social engineering” techniques to trick users into revealing their credentials.
It said it had not found any evidence that this information had been obtained from the exchange itself, and that attackers did not breach its security infrastructure.
A flaw in Coinbase’s SMS text account recovery process meant that accounts relying on SMS-based two-factor authentication were vulnerable: attackers could divert the authentication messages to themselves rather than to the victims.
In addition to access to funds, attackers could access information including home addresses, full names and transaction histories.
Coinbase said it had “immediately” fixed the flaw, but it did not reveal when it had discovered the vulnerability or the hacking campaign.
“Because of the size, scope and sophistication of the campaign we have been working with a range of partners, law enforcement agencies and other stakeholders to understand the attack and develop mitigation techniques,” the company said.
“We didn’t feel comfortable disclosing the attack publicly until the correct steps were taken to ensure that it couldn’t be repeated successfully, and would not compromise the integrity of law enforcement investigations.”
Coinbase did not disclose how much had been stolen in the attack, but said customers would be reimbursed for all funds lost.
A blog post uploaded on Monday said that there had been a rise in Coinbase-branded phishing messages between April and May, which had shown a higher degree of success bypassing spam filters on some older email services. It advised using two-factor authentication methods other than SMS texts.
The exchange, which listed in New York in April, was forced to make an embarrassing climbdown on its Lend product, which would have initially offered a 4 per cent annual yield for holders of its stablecoin, USD Coin.
The Securities and Exchange Commission warned it would sue if the product was launched, and issued subpoenas asking for more information. Coinbase chief executive Brian Armstrong accused the regulator of “sketchy behaviour” before the product was shelved.
The company has also faced scrutiny in recent months over its claims that USD Coin was fully backed by US dollar reserves, despite evidence showing the holdings also include “approved investments” from March last year onwards.
Coinbase and the payments group Circle, which jointly operate USD Coin, committed to moving to a reserve policy of cash and Treasuries by the end of September.