Hackers have stolen cryptocurrencies from at least 20,000,000 customers at Nasdaq-listed digital asset exchange Coinbase, exploiting flaws in its two-factor authentication system.
The news, first reported by Bleeping Computer, comes just a week after the company canceled plans to launch a new lending product under threat of legal action from U.S. securities regulators.
According to a letter sent to affected customers, which was uploaded to the California Attorney-General’s website and dated Friday, the victims were targeted between March and May this year.
To carry out the attack, the attackers needed prior knowledge of the users’ email addresses, passwords and phone numbers, as well as access to their email inboxes.
Coinbase said it was unable to “ultimately” determine how it happened, but that it was probably the result of phishing attacks or “social engineering” tactics that deceived users into disclosing their credentials.
It said it had found no evidence that the information was obtained from the exchange and that the attackers had not violated its security infrastructure.
A flaw in Coinbase’s SMS account recovery process meant that accounts relying on it were exposed to attackers, who could have the SMS authentication messages delivered to themselves instead of to the victims.
Beyond accessing funds, the attackers could view personal information including home addresses, full names and transaction histories.
Coinbase said it fixed the flaw “immediately”, but did not disclose when it discovered the vulnerability or the hacking campaign.
“Because of the size, scope and sophistication of the campaign, we are working with a variety of partners, law enforcement agencies and other stakeholders to understand the attack and develop mitigation strategies.”
“It cannot be successfully replicated, and we have not felt comfortable disclosing this attack publicly until the right steps have been taken to ensure that law enforcement does not compromise the integrity of the investigation.”
Coinbase did not disclose how much was stolen in the attack, but said customers would be reimbursed in full for the lost funds.
A blog post published on Monday states that there was an increase in Coinbase-branded phishing messages between April and May, with messages aimed at some older email services more successful at bypassing spam filters. It recommends using two-factor authentication methods other than SMS text messages.
The exchange, listed in New York in April, was forced into an embarrassing retreat over its lending product, which would initially have offered a 4 percent annual yield to holders of its stablecoin, USD Coin.
The Securities and Exchange Commission warned that it would sue if the product was launched and issued a statement requesting more information. Brian Armstrong, chief executive of Coinbase, accused the regulator of “sketchy behavior” before shelving the product.
The company has also faced scrutiny in recent months over its claim that USD Coin was fully backed by US dollar reserves, although disclosures showed that the reserves had included “approved investments” since March last year.
Coinbase and the payments group Circle, which jointly manage USD Coin, have committed to backing the reserve entirely with cash and Treasuries by the end of September.