6000 coinbase clients hacked - page 5.

Silberman

legendary

Activity: 2534

Merit: 1338

Quote from: BTCtester.com on October 02, 2021, 01:20:17 PM

Another example why using central exchanges is risky. The hackers knew private data of the users. One corrupt employee or one successful hack and bad guys capture your email, home address, phone number and sell it to local criminals who might knock on your door then best encrypted wallets are useless. Cryptocurrencies are designed for peer to peer usage. If you change it into peer to bank to peer then this adds some risks.

https://www.reuters.com/business/finance/coinbase-says-hackers-stole-cryptocurrency-least-6000-customers-2021-10-01/

Did news of the hack appeared just now or is it Reuters recycling old news to try to create FUD or something? If it is the former then it is interesting that we are only finding about the hack right now, while if it is the latter then I wonder if they want to create FUD and slow down the market that way, anyway we all know what it must be done to avoid something like this, if you have to use exchanges then do so but never leave your coins there as they are too big of a target and hackers are always trying to find a way to get to your coins, so by leaving your coins there you are running the risk of being robbed by the hackers or the exchange itself.

NeuroticFish

legendary

Activity: 3668

Merit: 6382

Looking for campaign manager? Contact icopress!

Quote from: DaveF on October 02, 2021, 04:18:32 PM

This is why what @o_e_l_e_o pointed out here is 1000% correct for so many reasons. https://bitcointalksearch.org/topic/m.58083653

SMS is not AND NEVER WILL BE SECURE.
And adding
Using a SMS to email or other gateway is even less secure then totally not secure. Is there such a thing as anti-secure?

I agree 100% on this. But where would the hacker get from 6k email addresses and their passwords too?
Imho they've got them from Coinbase DB.

If they would have tons of hacked accounts, they would have stolen money from many more people (just because many still don't use 2FA).
Of course, Coinbase using SMS for 2FA was a setup asking for a disaster. And I come back to what I wrote: a proper security audit should have revealed that.

24Kt

member

Activity: 1092

Merit: 67

Quote from: passwordnow on October 02, 2021, 03:45:47 PM

Quote from: verita1 on October 02, 2021, 03:38:32 PM

It is strange that this news has spread so far.

Not that strange, these media are showing past incidents for a sure agenda and that's to give fear to the people that are new to this.

Quote from: verita1 on October 02, 2021, 03:38:32 PM

We still need to improve security on these exchange sites that are necessary for users.

They are the ones that have to improve security and I think that they're doing that but it's just that they have to continually do that. Because these hackers are also improving and finding every possible loophole from their systems.

Well, the good thing here is Coinbase refunded the lost amounts to its affected customers. Now, those customers who knew that their respective credentials are compromised should change their passwords or secure those info related to this hack. This also proves once again, that storing funds in exchange is not a very smart idea to do. Even top exchanges with high security as they say, can be penetrated by these hackers. Hacking softwares are getting sophisticated and so they need to upgrade their security level also.

DaveF

legendary

Activity: 3500

Merit: 6320

Crypto Swap Exchange

Quote from: NeuroticFish on October 02, 2021, 03:56:56 PM

Quote from: DaveF on October 02, 2021, 03:49:13 PM

So, if I got access to your gmail account

I think that this is the most important point. And my logic was that "only" some 6k had the same password at Coinbase as for their email.

The rest... yes, you're right. Coinbase simply didn't care to make it better/proper... or pay for auditing what "Bob in security" did there.

No, what I was saying was that if Bob screwed up, and you had google voice (once again picking on them could be many other providers) I did not even NEED your Coinbase password.
1) I get access to your email
2) I see you have a coinbase account
3) I see that text messages are coming into your email.
4) I send a password reset request, it sends a text to your email, which I am reading. I then can reset your password and go on my way with your money.

This is why what @o_e_l_e_o pointed out here is 1000% correct for so many reasons. https://bitcointalksearch.org/topic/m.58083653

SMS is not AND NEVER WILL BE SECURE.
And adding
Using a SMS to email or other gateway is even less secure then totally not secure. Is there such a thing as anti-secure?

-Dave

NeuroticFish

legendary

Activity: 3668

Merit: 6382

Looking for campaign manager? Contact icopress!

Quote from: DaveF on October 02, 2021, 03:49:13 PM

So, if I got access to your gmail account

I think that this is the most important point. And my logic was that "only" some 6k had the same password at Coinbase as for their email.

The rest... yes, you're right. Coinbase simply didn't care to make it better/proper... or pay for auditing what "Bob in security" did there.

DaveF

legendary

Activity: 3500

Merit: 6320

Crypto Swap Exchange

Quote from: NeuroticFish on October 02, 2021, 02:27:34 PM

Some points before people starts panicking:

Quote from: https://www.reuters.com/business/finance/coinbase-says-hackers-stole-cryptocurrency-least-6000-customers-2021-10-01/

The hack took place between March and May 20 of this year

Quote from: https://www.reuters.com/business/finance/coinbase-says-hackers-stole-cryptocurrency-least-6000-customers-2021-10-01/

The hackers needed to know the email addresses, passwords and phone numbers linked to the affected Coinbase accounts, and have access to personal emails

Although obviously Coinbase said that there's no evidence that the users' data comes from them, it looks too much like it. Either somebody from inside has sold users' data to a malicious 3rd party, either Coinbase user database was hacked and they didn't notice. Of course, from there to actually accessing users' e-mails there's still some work to do.

The warning, however, is the same as always: don't keep at centralized exchanges too much money and for too long. Not your keys, not your coins.

I would think that if the leak was coinbase the numbers would be much higher.

Thinking about it more, and the fact that they are mentioning a SMS gateway issue I am drifting towards the opinion that the issue was with a bad SMS implementation that allowed messages to be sent to non phone devices (google voice and the like)

Bit of background, SMS providers can tell MOST of the time if your phone is a real cell or something like google voice and for security reasons not allow you to get SMS messages to those numbers. Even Microsoft does this, I can get recovery texts to my cell, but not my Google Voice or our office VOIP line. I can get normal texts to them all day every day. I have 2 banks 1 will send the SMS to my GV number, the other tells me it's not secure.

So, if I got access to your gmail account (picking on them I am sure there are others that have linked email and phone numbers) and you had your SMS access /recovery phone number set to the google voice number that was linked to that account. Well, it's all over for you. I can reset your Coinbase password, get the SMS, take your money any leave. All with just getting the password for someones [email protected] account.

All because Bob in security forgot to click the checkbox that said, disallow VOIP numbers.

-Dave

passwordnow

hero member

Activity: 3136

Merit: 591

Leading Crypto Sports Betting & Casino Platform

Quote from: verita1 on October 02, 2021, 03:38:32 PM

It is strange that this news has spread so far.

Not that strange, these media are showing past incidents for a sure agenda and that's to give fear to the people that are new to this.

Quote from: verita1 on October 02, 2021, 03:38:32 PM

We still need to improve security on these exchange sites that are necessary for users.

They are the ones that have to improve security and I think that they're doing that but it's just that they have to continually do that. Because these hackers are also improving and finding every possible loophole from their systems.

verita1

member

Activity: 1358

Merit: 81

I am not a Coinbase user but I have seen some people in the United States on social media wondering where to invest safely.
According to the article that OP shared:

Quote

The hack took place between March and May 20 of this year, according to a copy of the letter posted on the website of California's Attorney General.

It is strange that this news has spread so far. We still need to improve security on these exchange sites that are necessary for users.

NeuroticFish

legendary

Activity: 3668

Merit: 6382

Looking for campaign manager? Contact icopress!

Some points before people starts panicking:

Quote from: https://www.reuters.com/business/finance/coinbase-says-hackers-stole-cryptocurrency-least-6000-customers-2021-10-01/

The hack took place between March and May 20 of this year

Quote from: https://www.reuters.com/business/finance/coinbase-says-hackers-stole-cryptocurrency-least-6000-customers-2021-10-01/

The hackers needed to know the email addresses, passwords and phone numbers linked to the affected Coinbase accounts, and have access to personal emails

Although obviously Coinbase said that there's no evidence that the users' data comes from them, it looks too much like it. Either somebody from inside has sold users' data to a malicious 3rd party, either Coinbase user database was hacked and they didn't notice. Of course, from there to actually accessing users' e-mails there's still some work to do.

The warning, however, is the same as always: don't keep at centralized exchanges too much money and for too long. Not your keys, not your coins.

Baskeyairdrop

jr. member

Activity: 700

Merit: 3

We become more vulnerable to hackers knowingly or unknowingly because they learn from constant experiences and regular practice. To not fall prey of vipers like this extra caution should always be taken. Imagine one using same password for all the email accounts he has, and all the accounts he has online. When one account is attacked, the rest gets vulnerable.

BTCtester.com

newbie

Activity: 26

Merit: 4

Another example why using central exchanges is risky. The hackers knew private data of the users. One corrupt employee or one successful hack and bad guys capture your email, home address, phone number and sell it to local criminals who might knock on your door then best encrypted wallets are useless. Cryptocurrencies are designed for peer to peer usage. If you change it into peer to bank to peer then this adds some risks.

https://www.reuters.com/business/finance/coinbase-says-hackers-stole-cryptocurrency-least-6000-customers-2021-10-01/

Topic: 6000 coinbase clients hacked - page 5. (Read 789 times)