Hacker News

I think this reflects very favorably on Coinbase. They're making everyone whole, and gosh - the attackers had the users' usernames, passwords and phone numbers. Hard not to be sympathetic to Coinbase in that scenario. How are they supposed to know those aren't the real users? Consider that if they are going to identify those cases as fraudulent actors, then they could easily lock out legitimate users as well.

I'll guess the users had the same usernames and passwords that they've used for a hundred other sites, and one of those got breached at some point. Don't do that!
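The password-reuse point above is the one a practitioner can actually act on. The block below is an added example, not code from this thread or from Coinbase: it implements the k-anonymity style of breached-password check (SHA-1 the password, send only the first five hex characters of the hash, match the remaining 35 characters locally against the returned "SUFFIX:COUNT" lines). The breach corpus here is constructed inline so the example runs offline; the `range_lookup` callable is an assumed seam where a live implementation would fetch the real range endpoint instead.

```python
import hashlib
from collections import defaultdict
from typing import Callable, Dict, Iterable

# Constructed sample standing in for a leaked-credential corpus: plaintext
# password -> number of times it appeared in breaches. Not real breach data.
SAMPLE_BREACH_CORPUS: Dict[str, int] = {
    "password123": 123456,
    "qwerty": 3912816,
    "letmein": 21000,
    "coinbase2021": 17,
}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the form the range-query protocol matches on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus: Dict[str, int]) -> Dict[str, list]:
    """Index the corpus by 5-hex-char prefix. Each prefix maps to lines of
    'SUFFIX:COUNT', mirroring what a range endpoint returns for that prefix.
    A real service never holds plaintexts; this builder exists only so the
    example is self-contained."""
    index: Dict[str, list] = defaultdict(list)
    for pw, count in corpus.items():
        h = sha1_hex(pw)
        index[h[:5]].append(f"{h[5:]}:{count}")
    return index


def pwned_count(password: str, range_lookup: Callable[[str], Iterable[str]]) -> int:
    """k-anonymity check. Only the 5-character hash prefix is handed to
    range_lookup (the network boundary in a live deployment); the full hash
    never leaves this function. Returns the breach count, 0 if not found."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for line in range_lookup(prefix):
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def check_breached(password: str, corpus: Dict[str, int] = SAMPLE_BREACH_CORPUS) -> int:
    """Offline wrapper: answers range queries from the constructed index.
    Swap `lookup` for an HTTP GET of the prefix against a live range API to
    make this a real check; the matching logic stays identical."""
    index = build_range_index(corpus)

    def lookup(prefix: str) -> Iterable[str]:
        return index.get(prefix, [])

    return pwned_count(password, lookup)


if __name__ == "__main__":
    for candidate in ("password123", "correct horse battery staple"):
        n = check_breached(candidate)
        verdict = f"seen {n} times in breaches" if n else "not in corpus"
        print(f"{candidate!r}: {verdict}")
```

Two details matter when wiring this to a real service: hash comparison must be case-insensitive on the returned suffixes, and the prefix query itself should be rate-limited and padded on the client side so that a single request does not reveal which of the ~16 million prefix buckets a user's password falls into.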



I'm skeptical of their breach notification for the following reasons...

If they were certain this was PURELY a phishing campaign against their users, then they had no need to disclose to the government.

Their wording in their disclosure is very very carefully crafted to not deny a breach of their data - pending "conclusive" evidence.

They made a choice to disclose so that the gov't could never claim that they failed to disclose should Coinbase data appear on a darknet website.

And while they make an allusion to social media data collection - I was a target in June, and I absolutely had ZERO social media talking about using Coinbase. There is NO WAY hackers could have deduced on social media that I was a Coinbase user, or gotten my cell phone number.

I am 90% confident that Coinbase WAS breached directly, allowing hackers to gain access to email and phone number for my account.

This disclosure is 100% CYA.


This disclosure says that everyone who was hacked had their email inbox hacked. So you're saying that someone hacked Coinbase to find your email address, then once they found your address, hacked your email inbox some other way, then used that to hack Coinbase? That sounds very roundabout, although I guess not impossible. I guess it's possible Coinbase could have some info leak somewhere that would leak your email address.

Did you ever use any other cryptocurrency website? If so, one of those could have been hacked in order for the hackers to get a list of users to target.


There is a big difference between hacking a Coinbase client contact database, and hacking THE Coinbase account database.

The thing that might have been hacked could have easily been a CRM or email marketing system - possibly even via some third-party supplier.

Obviously there was no hack of the Coinbase accounting system - for the reasons you mentioned.


Username and phone are not security factors.

Password is 1FA.

SMS is 2FA (not a great one, but still). Coinbase failed at 2FA. 2FA is critically important; that's why it exists.


The attackers also needed to know the user's phone number and have access to their email account. That is a sufficiently high bar that I can still be sympathetic to Coinbase here.

Not sure why you discount username and phone either. Each of these is an additional layer of security simply by being more information an attacker needs to collect and associate. Coinbase doesn't publish a list of usernames. And how would someone associate phone numbers back to them?


You can easily check databases on and off the darknet to find people's phone numbers and most people don't have multiple phone numbers and rarely change their number because of the associated hassle with moving accounts. The same goes for their email and even passwords if they reused them.


For example https://truepeoplesearch.com will give you name, address, and phone number for free and it is searchable.

It’s unfortunate how much is out there.



