On February 5, 2023, Coinbase, a popular cryptocurrency exchange platform, experienced a cybersecurity attack that targeted its employees. The company said its "cyber controls prevented the attacker from gaining direct system access and prevented any loss of funds or compromise of customer information."
The incident resulted in the exposure of a "limited amount of data" from its directory, including employee names, e-mail addresses, and some phone numbers. As part of the attack, several employees were targeted in an SMS phishing campaign urging them to sign in to their company accounts to read an important message.
One employee is said to have fallen for the scam, who entered their username and password in a fake login page set up by the threat actors to harvest the credentials. "After 'logging in,' the employee is prompted to disregard the message and thanked for complying," the company said. "What happened next was that the attacker [...] made repeated attempts to gain remote access to Coinbase." These attempts to log in to the systems using the captured credentials proved to be unsuccessful owing to the multi-factor authentication protections that were enabled for the account.
Undeterred, the threat actor called the employee claiming to be from the Coinbase corporate Information Technology (IT) team and directed the individual to log into their workstation and follow a set of instructions. The employee followed the instructions, which allowed the attacker to gain access to the company's systems. Coinbase is investigating the incident and has notified law enforcement.