The cryptocurrency exchange Coinbase has admitted that it was affected by the same hackers who attacked Twilio, Cloudflare, DoorDash and more than 100 other companies last year.
In a postmortem of the incident, published this weekend, Coinbase stated that the “0ktapus” hackers took the passwords of one of its employees in an attempt to gain remote access to Coinbase’s systems.
0ktapus was a hacking organization that targeted more than 130 companies in 2022 in an ongoing attempt to obtain the credentials of thousands of employees, typically by impersonating Okta login pages. The figure of 130 companies is likely to be higher, given that an unreleased CrowdStrike report uncovered by TechCrunch states that the gang is attacking a variety of tech and video game businesses.
In the case of Coinbase, the 0ktapus hackers first sent fake SMS messages to various staff members on the 5th of February, informing them that they must log in urgently via the link provided in order to receive an important email. A user followed the link to the phishing page and entered their login credentials. Next, the attacker attempted to log in to Coinbase’s internal systems with the stolen credentials, but failed because access was protected by multi-factor authentication.
Within 20 minutes after that, the attacker used voice phishing, known as “vishing,” calling the employee while claiming to be a member of the Coinbase IT team and requesting that the victim connect to their computer. This enabled the attacker to see employee details such as names, email addresses, and telephone numbers.
“An attacker was able to access the dashboard of a limited number of internal Coinbase communication tools, and gain access to only limited contact information for employees,” Coinbase spokesperson Jaclyn Sales told TechCrunch. “The attacker was also able to view, through a screen-sharing service, some of the internal dashboards and gain access to restricted employee contact information.”
However, Coinbase claims that its security department acted quickly to stop the attacker from accessing customer information or money. “Our security department was able to detect suspicious activity swiftly and block any further access to information or systems within the company,” Sales added.
Coinbase claimed that no customer information was compromised. Even so, chief information security officer Jeff Lunglhofer said he would recommend that users switch to hardware-based security keys for more secure account access. However, the company did not specify whether Coinbase uses hardware keys internally, which are not phishable.