Coinbase hacked with 2fa

8,402 Views | 50 Replies | Last: 2 yr ago by Proposition Joe
shalackin
Yesterday, my Coinbase account was hacked. Someone got into my Hotmail, then requested a password reset. I got the text for that with the code, then someone called saying they were with Coinbase security. I gave them nothing. Then I went to my account to change the password myself and called their support number to lock my account. Before I could do all of that, they got past the 2FA and drained my account. Then I got over 300 text messages from 1410 numbers. Still getting them 24 hours later, just not as many as fast. WTF???

How did they get past 2FA? It was SMS 2FA, but still, how? Coinbase sucks too, they just said security is my responsibility.
shalackin
Pretty sure it was the hackers. They were in NY/NJ. Coinbase confirmed that area was the last login.

If I don't give them the 2FA code from the SMS, how did they get in? I think that is the big question for me.
shalackin
They did get into my email, I know that. They set up a rule to move all things Coinbase to the archive so I wouldn't see them.
jopatura
I would follow up with your phone company. It sounds like you might have gotten SIM swapped.
File5
Agree, likely SIM swap. How much did you lose?
shalackin
5K

I didn't think they could do that with the new eSIM?
IrishAg
Was your cell phone carrier AT&T or Verizon, or was it one of the other groups?

It's harder to do on AT&T or Verizon, but there are groups that do orchestrated attacks on cell phone carriers and charge money per phone number so that they can take over SMS to reset 2FA (which is why I hate that anyone doing anything with finances still uses SMS or email for 2FA). That's usually a very targeted attack, researched against people with some good money, so not sure if they got your credentials and targeted you specifically or if they bought a group of valid credentials for Coinbase and attacked a block of users.

But the moral of the story is, try to use at least OTP for 2FA, and avoid SMS and email if it's at all possible (if there are no other alternatives, then it's better than nothing, but it can definitely be hit by motivated attackers).

shalackin
AT&T
IrishAg
shalackin said:

AT&T
That's surprising, as it's usually a lot harder and costlier to hit them. But, not that it helps you at this point, I'll take a look around the infosec world to see if something is popping up, because that is still surprising.

shalackin
I just talked with AT&T and they said it was not a SIM swap, that they would see it in the IMEI and SIM #'s or something.
shalackin
I did see that in 2021, Coinbase security was so poor that tokens were hacked and accounts drained. They supposedly refunded those users. Wonder if that is happening again.

I filed a fraud ticket with the FTC, but figure that is a waste of time. Coinbase told me to call my local PD. As if they have some genius cyber security division.
BenTheGoodAg
Firstly - that sucks OP and hope you get it reconciled. I've done a lot of reading as a result of this thread, so thanks for the awareness.

All that said - totally ironic situation considering that BTC and other blockchain technologies promise a lot of security benefits, but it is still totally circumvented by the technology all around it.
IrishAg
I'm wondering if this was a double session hijack? Where they took over your email by hijacking the session cookie and then used that to change information. Even send you to another site to take over your Coinbase session if you log in via their website. If that was the case, then they would have access to both even if you changed your password, until either the initial session died or you had a way to force every session to be logged out. But usually to get that initial session you would have had to execute something (like a phishing attack email) that got the session out of the browser, or they hit a 0day lottery that got it for them on a service.

Not sure how feasible that is with either your email or Coinbase, but I wouldn't be surprised if Hotmail was vulnerable to a service vulnerability that exposed session information. And Coinbase has been having a ton of issues lately.

This is just me spitballing, after reading issues other people had.
Pman17
when not on an exchange
Pman17
I hope you get your money back. Now I see why text messaging isn't the best 2FA. It's so convenient on iOS with the autofill. Checked my account and am using an authenticator. I've been switching over to the new Passkey thing on some accounts.
BenTheGoodAg
That's what I was getting at when talking about the technology around it?
KingofHazor
Consider filing suit against Coinbase in your local small claims court. You do not need a lawyer for that, and Coinbase will likely settle with you, perhaps the night before your trial.

Also, consider filing a claim under the Texas deceptive trade practices act, assuming you live in Texas. You are entitled to three times your actual damages under that act, if successful. You will first need to send a demand letter to Coinbase, which you should do anyway, to give Coinbase a chance to pay you off. You should be able to find plenty of forms for a demand letter online, which you may or may not need to modify to fit your situation. Google "DTPA demand letter".
heavily intoxtricated
I have 6 figures of bitcoin in a Coinbase account and made about $22,000 today on the spike (so far). It is protected by nothing other than a 4 digit passcode on my phone, and just my account password on the website. Stupid I know. I also have AT&T. So, this is somewhat concerning. Any clue how it might have happened? Doesn't seem like anyone on this thread has identified how it happened if your sim wasn't swapped.
ThreatLevel: Midnight
2FA via SMS not secure.
Thanks & Gig 'Em
GarlandAg2012
heavily intoxtricated said:

I have 6 figures of bitcoin in a Coinbase account and made about $22,000 today on the spike (so far). It is protected by nothing other than a 4 digit passcode on my phone, and just my account password on the website. Stupid I know. I also have AT&T. So, this is somewhat concerning. Any clue how it might have happened? Doesn't seem like anyone on this thread has identified how it happened if your sim wasn't swapped.
I believe passkey is the new safest option, but at least move to authenticator based 2FA.

You really should move your coins to cold storage though unless you're actively trading.
kb2001
SMS is not a good 2FA method. SIM swapping can happen, and it can be lucrative enough that insiders at providers will do it.

Use an OTP authenticator. Google Authenticator is the one you commonly see referenced; I prefer to use Authy. A hardware key is better, like a YubiKey. Realistically though, you should have your crypto in cold storage, or at least in your own wallet where you control the keys for it. You should only have what you're actively trading on the exchanges.
FatZilla
If you have T-Mobile you can turn on an add-on for each line for free in your account portal that blocks attempted takeovers. They introduced it after that first mainstream SIM swap attack that hit a bunch of T-Mobile customers.
OasisMan
People still use Hotmail??
shalackin
Unfortunately. I spent the entire day yesterday changing all passwords to everything and moving all accounts to my Gmail. It was a pain in the arse.

I should be back in my Coinbase account today and then I am going to raise hell with them.
Definitely Not A Cop
heavily intoxtricated said:

I have 6 figures of bitcoin in a Coinbase account and made about $22,000 today on the spike (so far). It is protected by nothing other than a 4 digit passcode on my phone, and just my account password on the website. Stupid I know. I also have AT&T. So, this is somewhat concerning. Any clue how it might have happened? Doesn't seem like anyone on this thread has identified how it happened if your sim wasn't swapped.
All the exchanges have issues. Compounded by the fact that crypto users skew younger, and younger people can be riskier online with security. Then you have the media, who love to **** on crypto to get the pro and anti crypto people riled up, jumping on every one of these stories, while you never hear similar stories about people's trading accounts getting similarly exposed.

Highly recommend getting a cold wallet and getting your coins off an exchange.
SJEAg
Did you have MFA on your Hotmail account?

Email accounts should always have strong passwords that are unique from everything else as well. Email is the keys to the kingdom, so it is critical to protect them like nothing else.
Diggity
So you think younger folks are easier to hack than the grandparents who use "password" for their password? Sounds like a stretch.

Coinbase and the like are hacked because, once inside someone's account, you can easily/instantly transfer all their assets to an external wallet.

Not nearly as quick and easy to drain a brokerage account.

Cold wallet is definitely good advice. I was just lamenting having my BTC on Ledger because I wanted to put in a limit order on this spike. Not feeling so bad about that now.
shalackin
I can't stress enough to get your investments into cold storage of some kind. I have one, just never got around to it. And I thought Coinbase with 2FA was secure enough. I guess I was wrong.

And yes, it all started with my Hotmail. Someone stole our Netflix account 2 weeks ago too. Tried to log in and it was gone. Called them and they said it is always a Hotmail email that this happens to. He said they hijack them and sell them. They were able to get my account back but had to move it to my Gmail.
KingofHazor
ac04 said:

Diggity said:

So you think younger folks are easier to hack than the grandparents who use "password" for their password? Sounds like a stretch.
It seems counterintuitive, but Deloitte found that Gen Z is 3x more likely to fall for an online scam than boomers. I think the theory is that they are just way more comfortable with tech and thus a lot less vigilant about security.

https://www.dailymail.co.uk/yourmoney/consumer/article-12558905/gen-z-online-scam-boomer-grandparents-study.html

Anyway, the lesson here is to get your coins off exchanges. For numerous reasons.
Boomers have also lived a lot longer, have been exposed to scams for a lot longer, and perhaps are more wary as a result. A scam is a scam whether it's online or not.

And the use of "password" as a password is not confined to boomer grandparents, perhaps.
Diggity
That is surprising, but the explanation makes sense.

I still maintain traditional brokerages are a lot safer place (from a scammer perspective) than sites like Coinbase. Not a media conspiracy.
Definitely Not A Cop
Three words: sketchy porno sites
shalackin
But those are the good ones LOL
IrishAg
ac04 said:

Diggity said:

So you think younger folks are easier to hack than the grandparents who use "password" for their password? Sounds like a stretch.
It seems counterintuitive, but Deloitte found that Gen Z is 3x more likely to fall for an online scam than boomers. I think the theory is that they are just way more comfortable with tech and thus a lot less vigilant about security.

https://www.dailymail.co.uk/yourmoney/consumer/article-12558905/gen-z-online-scam-boomer-grandparents-study.html

Anyway, the lesson here is to get your coins off exchanges. For numerous reasons.
I imagine the reduced attention span for Gen Z also comes into play there. Plus most online services, and subsequently most scams, are now geared towards taking advantage of that reduced attention span.