Twitter thread shows Coinbase’s servers may be compromised
A Coinbase user recently shared a Coinbase-related scam story indicating that the exchange’s servers might be compromised.
Jacob Canfield, a YouTube host and bitcoin enthusiast, claimed he received a text message about a changed two-factor authentication (2FA) setting on his Coinbase account. Shortly after, he got three phone calls from an individual claiming to be a Coinbase customer support representative.
The calls originated from a San Francisco number, adding to the illusion of legitimacy.
During the calls, the impersonator asked whether Canfield was traveling outside the US and whether he had requested changes to the email or 2FA settings. Although the trader denied travel plans and said he hadn’t initiated any changes, the scammer insisted that he reveal the verification code.
The scammer also intended to redirect Canfield to a “security team” to verify the account and prevent suspension. The scammer possessed the user’s name, email address, and location to establish credibility. They even sent a fraudulent email from [email protected] to the user’s email containing a seemingly legitimate verification code.
Canfield immediately changed his Coinbase account password and 2FA settings. However, the scammer insisted those actions would not suffice for verification and threatened to lock the account for seven days unless the user provided the verification code. When Canfield refused, the scammer abruptly ended the call.
The incident raised concerns about a potential attack on Coinbase’s servers. In the replies, users shared similar stories involving impersonators who claimed to be from the exchange’s support team.
Moreover, another user reported a similar case on ChainAbuse in November 2022. According to the post, the amount lost was over 13 BTC (around $360,000).
In Canfield’s case, the hackers not only had his data, which would mean a data breach, but were also able to send the email as if it came from @coinbase.com, which looks like a hack. The domain and some less critical servers could probably have been compromised.
Further tweets by Canfield show details concerning the email he received from the @coinbase.com domain. He explained that “it looks like the email is legit from coinbase and is automatically sent when you request a support ticket to verify your account.”
This suggests that the email was not spoofed as previously suggested by community members.
Canfield’s theory is that the hackers attempted a social engineering attack: they “were on live chat or on a phone call with the actual coinbase support and” were asked for a verification code. He believes that if he had given them the code, the scammers would have gained access to the account.
This is far from being a rare occurrence, with Canfield explaining that “there are about 30+ people that have been hit with the same scam and a few people that had their accounts drained.”
He was also contacted on his personal phone by a white hat hacker, who had independently obtained his phone number and who explained to him what had exposed him to the attack.
The hacker in question also sent Canfield an email with his personal data found in data breaches that affected him — including a 2022 Gemini data breach, MGM Resorts, Ledger and about 20 more.