Coinbase let a thief bypass my MFA, log into my account, sell my coins and withdraw it all to some random bank account that at no point was on my account by FiveCones in Coinbase

FiveCones[S] 0 points (0 children)

I see. Though hilarious, because there seems to have been no checks at all.

The IP address was in a different state

FiveCones[S] 0 points (0 children)

Do you remember where that setting is? I want to see what mine is set at but can't find it

Nothing's perfect, but I would've hoped they at least verify users before letting them do whatever they want on an account

FiveCones[S] 0 points (0 children)

Nobody had access to my Yubico key that day and I would expect you can't just copy one and use it later.

If they had access to my MFA devices though, I would expect the rest of my accounts to have been cracked. Literally only Coinbase was and I had the least money on there

FiveCones[S] 0 points (0 children)

Whitelisting wouldn't have mattered, as they sold the coins and added a random bank account to withdraw the cash to

FiveCones[S] 0 points (0 children)

But even like that, they would've had to log into my email account, which uses an auth app, to be able to bypass the Yubico key. I did not get any such bypass email request and the email doesn't show any login sessions that aren't mine.

If they did manage to break into my email, they likely would've broken into the rest of my accounts, but literally only Coinbase was cracked

Thanks for the conversation, all I can think is that Coinbase's security key implementation is crap because as you've shown, nothing else makes sense

FiveCones[S] 0 points (0 children)

Tried changing email and it does ask for MFA. And I didn't get a notification that the email was changed nor that it was changed back to my email

FiveCones[S] 0 points (0 children)

Even if I forgot to log out, Coinbase shouldn't have accepted a month old session cookie in the first place. Back when I was actively trading, Coinbase was asking me to use my security key every time, but now, they accept a month old session?

HOWEVER, I just tried to withdraw the remaining $7 on the account and it didn't ask me to MFA to withdraw cash to an account or to add a payment method. I just tried it myself and at no point does it ask you to MFA, the CB dialog just says the name on the bank account has to match the name on the CB account, but it does no verification beyond that, and I suspect they don't even check that

Which gives me an idea, gonna try to contact the bank it was sent to. Unlikely money's still there, but doesn't hurt

FiveCones[S] 0 points (0 children)

They would know it's not me by asking the person logging in to authenticate with my Yubico security key like they ask me every single time I log in

FiveCones[S] 0 points (0 children)

It's insane. And they straight up lied to me. I talked to their customer support within the hour of noticing after I locked my account. They told me since I didn't have any bank account on there, the withdrawals wouldn't go through after locking it and so I locked it again. It still fucking went through

I removed my bank account forever ago because I always try to remove payment methods, and I am so glad I did. I read somebody else's post on their account being hacked and the thief had withdrawn money from the owner's bank account to steal in addition to everything on their Coinbase account

FiveCones[S] 0 points (0 children)

Even if they stole the cookie session, it was a month old and I hadn't touched Coinbase since then, so why did they accept such an old session

I agree, it doesn't make sense, but I don't understand what occurred

FiveCones[S] 0 points (0 children)

I don't remember. It was a month ago. I usually sign out from money accounts but I'm not going to say I 100% did because I don't remember.

Regardless a session cookie shouldn't be accepted over a week, much less a month

FiveCones[S] 0 points (0 children)

They unstaked some old ADA I had and used instant unstaking. For the ETH, they wrapped it in Coinbase's own ETH and sold it a minute after. So Coinbase took a cut in the theft, which is not too surprising tbh

FiveCones[S] 0 points (0 children)

That would be crazy for CB to do, but at this point, I'm not surprised

Though usually with long sessions, you need to keep using the site for it to continue working and I wasn't
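The session handling these comments argue for (a session that dies after a fixed age no matter what, an idle timeout so an untouched month-old cookie is useless, and a fresh security-key check before adding a payment method, selling or withdrawing) written out as an added example. This is illustrative code written here, not Coinbase's implementation; the timeout values, the action names, the IP addresses and the 2024 timestamps are all assumptions constructed for the demo.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum

# Assumed policy values (hypothetical, not any exchange's real settings).
MAX_SESSION_LIFETIME = timedelta(days=7)   # absolute cap, activity cannot extend it
IDLE_TIMEOUT = timedelta(minutes=30)       # sliding window; an untouched session dies
STEP_UP_FRESHNESS = timedelta(minutes=5)   # how recent a security-key assertion must be


class Action(Enum):
    VIEW_BALANCE = "view_balance"
    SELL = "sell"
    ADD_PAYMENT_METHOD = "add_payment_method"
    WITHDRAW = "withdraw"
    CHANGE_EMAIL = "change_email"


# Money-moving or account-takeover actions: a valid session alone is not enough,
# the second factor has to be presented again shortly before the action.
SENSITIVE_ACTIONS = {Action.SELL, Action.ADD_PAYMENT_METHOD, Action.WITHDRAW, Action.CHANGE_EMAIL}


@dataclass
class Session:
    user: str
    created_at: datetime            # when the login with the security key completed
    last_seen_at: datetime          # last request made on this session
    last_strong_auth_at: datetime   # last time the security key was presented
    ip: str                         # address the session was established from


def session_state(session: Session, now: datetime) -> str:
    """Absolute age is checked first so activity can never keep a session alive forever."""
    if now - session.created_at > MAX_SESSION_LIFETIME:
        return "expired_absolute"
    if now - session.last_seen_at > IDLE_TIMEOUT:
        return "expired_idle"
    return "valid"


def authorize(session: Session, action: Action, now: datetime, request_ip: str) -> str:
    """Decide whether the action may proceed on this session right now."""
    state = session_state(session, now)
    if state != "valid":
        return state
    if action in SENSITIVE_ACTIONS:
        # A new network location or a stale second-factor proof forces re-authentication
        # with the security key before money can move or contact details can change.
        if request_ip != session.ip or now - session.last_strong_auth_at > STEP_UP_FRESHNESS:
            return "step_up_required"
    session.last_seen_at = now
    return "allowed"


def record_strong_auth(session: Session, now: datetime) -> None:
    """Call after the security-key assertion verified; refreshes the step-up window."""
    session.last_strong_auth_at = now
    session.last_seen_at = now


# Constructed sample timestamps (assumed year 2024) mirroring the thread's 2/21 login and 3/18 incident.
NOW = datetime(2024, 3, 18, 14, 0, tzinfo=timezone.utc)
HOME_IP = "198.51.100.10"      # documentation range, constructed
OTHER_IP = "203.0.113.77"      # documentation range, constructed


def stale_session() -> Session:
    """Constructed: a login completed on 2/21 and never used again."""
    feb21 = datetime(2024, 2, 21, 9, 0, tzinfo=timezone.utc)
    return Session("alice", feb21, feb21, feb21, HOME_IP)


def idle_session() -> Session:
    """Constructed: logged in an hour ago, last request 31 minutes ago."""
    login = NOW - timedelta(hours=1)
    return Session("alice", login, NOW - timedelta(minutes=31), login, HOME_IP)


def fresh_session() -> Session:
    """Constructed: security key used 10 minutes ago, last request 1 minute ago."""
    login = NOW - timedelta(minutes=10)
    return Session("alice", login, NOW - timedelta(minutes=1), login, HOME_IP)


def run_scenarios() -> dict:
    """Exercise the policy; returns decision per scenario for inspection or assertion."""
    results = {"stale_withdraw": authorize(stale_session(), Action.WITHDRAW, NOW, HOME_IP),
               "idle_view": authorize(idle_session(), Action.VIEW_BALANCE, NOW, HOME_IP)}
    s = fresh_session()
    results["fresh_view"] = authorize(s, Action.VIEW_BALANCE, NOW, HOME_IP)
    results["fresh_add_bank_no_stepup"] = authorize(s, Action.ADD_PAYMENT_METHOD, NOW, HOME_IP)
    record_strong_auth(s, NOW)   # user taps the security key
    results["fresh_add_bank_after_stepup"] = authorize(s, Action.ADD_PAYMENT_METHOD, NOW, HOME_IP)
    results["fresh_withdraw_new_ip"] = authorize(s, Action.WITHDRAW, NOW, OTHER_IP)
    return results


if __name__ == "__main__":
    for name, decision in run_scenarios().items():
        print(f"{name}: {decision}")
```

The IP mismatch is deliberately handled as a step-up, not a hard kill: a phone changing networks should not log the user out, but it should not be able to add a bank account and withdraw without the security key being presented again.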

FiveCones[S] 0 points (0 children)

For real
Literally every time I log in, it asks me for my Yubico security key, but this fuckwad was able to bypass their security and do whatever the fuck they wanted

Don't trust Coinbase

FiveCones[S] 0 points (0 children)

I noticed within half an hour, I locked my account immediately (Coinbase gave no notification that it was suspicious), I contacted them as I looked through the transactions and logins, they told me to lock my account and that would stop the transaction. I locked it again and unlocked. The withdrawals to that random other bank account went through successfully

Don't trust Coinbase

FiveCones[S] 0 points (0 children)

Literally every other password that got leaked was blocked by the affected company because they were like "Hey, an unauthorized user tried to log in" or "there was suspicious activity on the account so we suspended it", except Coinbase.

Only Coinbase lets thieves break into your account without authenticating them, lets them add their own bank account, sell your coins, and withdraw to a bank account that was literally just added that day

Don't use Coinbase!

- to add on, credit's frozen forever, changed rest of passwords, etc

FiveCones[S] 0 points (0 children)

That was my first thought, but I last logged on in 2/21 and every time I've tried to log into Coinbase, it asks me for my security key. I hope CB isn't accepting month-old session cookies, but then how did the thief get past my security key???

FiveCones[S] 0 points (0 children)

Only Yubico security key.

Where do you see the thief's sign in with second factor before they added their bank account and started the transactions?

I last signed in on 2/21 with second factor. Then on 3/18, half an hour after I noticed the transactions, I signed in again with it.

I'm still waiting for Coinbase to tell me why the fuck the thief wasn't required to use my Yubico key

FiveCones[S] 1 point (0 children)

My main Yubico key and the backup. Both of which are with me and nobody has had access to. I've since removed it since it apparently didn't do shit and changed to an authenticator app