A cryptocurrency exchange confirmed on Wednesday, June 14th that a threat actor stole the equivalent of $8.7 million in its native cryptocurrency, Bitcoin Cash (BCH), between March and early May by using a vulnerability in its SMS multi-factor authentication service.
Coinbase said another attack like the one experienced this month would be unlikely to happen again as it has repaired the vulnerability and will be rolling out two-factor authentication to all SMS users on all Coinbase products by July 20th.
“We recently learned that an attacker stole cryptocurrency from 6,000 customers between March and early May 2018 by exploiting a vulnerability in our SMS multi-factor authentication (MFA) system,” the exchange said in a report published yesterday.
“Following our discovery, we immediately addressed the vulnerability and began notifying our customers. We promptly reimbursed them for any loss they incurred. We continue to work with them to ensure that they were made whole for the inconvenience.”
The exchange added that its investigation of the incident remains ongoing.
Coinbase is a US cryptocurrency exchange with headquarters in San Francisco, California, and is one of the largest platforms for trading bitcoin, ether, and litecoin (the former two being native cryptocurrencies of the ethereum network). The firm currently has over 20 million customers based in 32 countries around the world.
SMS multi-factor authentication is a security feature that requires users to enter a passcode and then a second code that is sent to their phones by text message. The second code is sent as an SMS or USSD code when the user logs on. Once the second code has been verified, the user is logged in, so the login does not depend only on the password and other data entered at sign-in, which makes it safer than using passwords alone.
It is an effective security method that was first introduced by Google in 2005 and made the company’s log-in service more secure. It has since become a standard feature for many mobile services.
However, the feature could leave users open to attack if their phones can be hacked via SMS messages that “spoof” a legitimate response. In this case, the SMS service provider could also be a target if it is compromised by a threat actor.
Coinbase said threat actors used this vulnerability to compromise its SMS services in March. The attackers sent texts to its customers that included a link to a malicious website. If clicked on, the malicious site would have the user log in and then capture their username, password, and two-factor authentication code.
The attacker would then have full access to the account and could transfer funds out of it into another wallet at will.
The exchange said that it learned of the incident as soon as it happened. It insisted that all customers would have been reimbursed in full and no less than $8.7 million in cryptocurrency was stolen.
“We began working with law enforcement to investigate the incident, and we continue to work with them to ensure that justice is served,” Coinbase said. “Although we do not yet know who was behind this attack, the nature of the vulnerability and criminals’ desire for cryptocurrency make a strong case for attribution.