Coinbase Moves to Calm Security Concerns Amid Theft Reports

Coinbase has issued a blog post in response to reports that its users are being targeted by phishing attacks.

AccessTimeIconFeb 7, 2014 at 9:10 p.m. UTC
Updated Sep 3, 2021 at 9:48 a.m. UTC

Presented By Icon

Election 2024 coverage presented by

Stand with crypto

Andreessen Horowitz-backed bitcoin wallet provider Coinbase confirmed via a company blog post on 7th February that "a small handful" of its customers have fallen victim to phishing attacks.

The reports of bitcoin wallet security vulnerabilities, however small, have nonetheless reverberated widely in an industry that is being increasingly cast in a shroud of uncertainty by the mainstream media.

  • Bitcoin Mining in the U.S. Will Become 'a Lot More Decentralized': Core Scientific CEO
    13:18
    Bitcoin Mining in the U.S. Will Become 'a Lot More Decentralized': Core Scientific CEO
  • Binance to Discontinue Its Nigerian Naira Services After Government Scrutiny
    05:10
    Binance to Discontinue Its Nigerian Naira Services After Government Scrutiny
  • The first video of the year 2024
    04:07
    The first video of the year 2024
  • The last regression video of the year 3.67.0
    40:07
    The last regression video of the year 3.67.0
  • A separate account of the incidents by online news source The Verge paints a very different picture of the situation, suggesting that the thefts, while in some cases the fault of Coinbase's users, were sizable and perhaps more frequent than has been reported.

    The Verge confirmed what it called "a string of Bitcoin thefts that have hit the service in recent weeks".

    In its piece, it profiled the story of a Coinbase user named Jeff, who lost 10.6 BTC in bitcoins due to theft this December. What's most unique about Jeff's story, however, is that one month later, his refunded money was stolen from the service yet again.

    The media outlet revealed that it has confirmed two separate thefts occurred to users on the service in addition to Jeff's multiple thefts, for amounts of $16,000 and $5,000, respectively.

    The sum total of the thefts, as noted by the piece, is roughly $40,000.

    The extent of the attacks

    The security firm FireEye told the Verge that it believes it is unlikely that Coinbase suffered a system-wide vulnerability, and that instead, each individual victim was compromised in isolation.

    However, it suggested that Coinbase's "unusually powerful" API may have been a factor:

    "The right API key will let any program move bitcoins in and out of a given accounts. Once the key is compromised, attackers can even access linked bank accounts to purchase more bitcoins. Users are advised not to authorize the API key if they don't need it, but if an account has been compromised, hackers may decide to authorize it themselves."

    FireEye did suggest that the company itself does not seem responsible for the attacks, which were not aimed at its infrastructure. Further, it suggested that Coinbase's user agreement clearly states that individuals are responsible for the safety of their private keys.

    By using the wallet provider's two-factor authentication, the report suggested, Jeff could have prevented the loss of his API key, which once his account was compromised may have been reactivated by the hackers.

    Coinbase reacts

    The San Francisco-based company downplayed the thefts, stating that "phishing is unfortunately common across the Internet", and noting that it affects banking institutions, payment processors and retailers in the traditional financial system as well.

    Further, the company indicated that, because of the concern over phishing attacks, it has implemented enhanced security measures, that when used with best practices for web surfing, can help limit these occurrences:

    "We’ve implemented a number of increased security measures, including expanded two-factor authentication measures designed to help lessen the likelihood of successful phishing incidents in the future. We’ve also added an email verification step for key actions, such as when an API key is enabled."

    Coinbase representatives declined further requests for comment, stating that the blog post represented their official position on the attacks.

    Image credit: Digital key via Shutterstock

    Disclosure

    Please note that our privacy policy, terms of use, cookies, and do not sell my personal information have been updated.

    CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. CoinDesk has adopted a set of principles aimed at ensuring the integrity, editorial independence and freedom from bias of its publications. CoinDesk is part of the Bullish group, which owns and invests in digital asset businesses and digital assets. CoinDesk employees, including journalists, may receive Bullish group equity-based compensation. Bullish was incubated by technology investor Block.one.


    Learn more about Consensus 2024, CoinDesk's longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to consensus.coindesk.com to register and buy your pass now.