
Coinbase — SMS 2FA recovery bypass

Attackers combined stolen credentials with a Coinbase SMS recovery flaw to take over 6,000 accounts and drain balances; the 2020 breach wasn't disclosed to users until October 2021.

Target: Coinbase — SMS 2FA recovery bypass
Date public: 1 October 2021
Sector: Financial Services
Attack type: Phishing
Threat actor: Unattributed
Severity: Medium
Region: United States

Coinbase is the largest US cryptocurrency exchange. In October 2021 it notified about 6,000 customers that attackers had drained their accounts between March and May 2020 — a period more than a year before the notification. The breach had two steps. First, attackers used email-and-password combinations stolen from unrelated data breaches — people who reused the same credentials across multiple services — to identify valid Coinbase accounts. Second, they exploited a flaw in Coinbase's SMS-based account recovery process that allowed them to receive the account recovery text message even when they didn't control the victim's phone number, bypassing the two-factor authentication protection. Once inside, they transferred the cryptocurrency to attacker-controlled wallets. Coinbase fixed the flaw, told the affected customers, and reimbursed their losses. The incident is one of the most cited examples of why SMS-based two-factor authentication is a weak security control — a phone number is not a secret, and the systems built around it have consistently proven vulnerable to social engineering and technical exploitation. It accelerated the push by exchanges and security professionals to move to hardware security keys and authenticator apps as the baseline for protecting high-value accounts.

What happened

Between March and May 2020, attackers successfully took over approximately 6,000 Coinbase customer accounts and transferred the cryptocurrency holdings in those accounts to addresses under attacker control. Coinbase detected the campaign and fixed the underlying vulnerability during this period, but did not notify the affected customers until October 2021 — more than a year after the breach occurred. The notification was sent directly to affected users and also filed with the California Attorney General’s office, as required under California data-breach notification law.

The notification disclosed two facts that together describe the attack chain. First, all 6,000 affected customers had their Coinbase email addresses and passwords already known to the attackers prior to the Coinbase intrusion. These credentials had been obtained from separate data breaches at other services — a consequence of credential reuse by the customers, who had used the same email and password on Coinbase that they had used at a previously-breached site. Second, the attackers exploited a specific flaw in Coinbase’s multi-step authentication process for account recovery via SMS, which allowed them to obtain the SMS verification code needed to complete the recovery and bypass the customer’s two-factor authentication without actually controlling the customer’s phone.

Coinbase fixed the SMS recovery flaw during the campaign. All 6,000 affected customers received full reimbursement for their stolen funds. No figure for the total value of cryptocurrency stolen was publicly disclosed in Coinbase’s notifications, though given the 6,000 account count and the cryptocurrency prices prevailing during March–May 2020, industry estimates suggested the aggregate was in the tens of millions of dollars.

How it worked

The attack proceeded in three distinct phases: credential acquisition from third-party breaches, identification of valid Coinbase accounts, and exploitation of the SMS recovery flaw.

The attackers had access to large datasets of email-and-password pairs obtained from previous breaches at other services — a commodity available for purchase on criminal markets. They used these datasets to conduct credential stuffing against Coinbase: automated attempts to log in using the stolen credentials. When a login attempt succeeded with Coinbase’s email-and-password form, the attacker had identified an account where the owner reused their credentials. Because Coinbase required two-factor authentication (2FA) for login, a successful credential-stuffing attempt alone was insufficient — the attacker still needed to pass the 2FA requirement.

The second phase — the vulnerability that made the attack possible — was in Coinbase’s account recovery flow. Coinbase, like most consumer platforms, offered an account recovery path for customers who had lost access to their 2FA method. This path used SMS verification: Coinbase would send a code to the phone number on the account, and the customer would enter it to complete recovery. The flaw was in how Coinbase’s recovery system verified that the SMS code was being submitted by a party who actually controlled the destination phone number. The specific technical nature of the flaw was not publicly disclosed by Coinbase, but its functional effect was that an attacker who had the account’s email and password could trigger the SMS recovery flow and complete it without possessing the actual SIM — exploiting either a weakness in the telephony integration, a logic flaw in the multi-step form, or a combination.
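Coinbase did not disclose the technical nature of the flaw, so the following is not its code and does not reproduce its bug. It is an added illustration, written for this page, of the checks a server-side SMS recovery step needs so that the only way to obtain the code is to hold the handset: the destination number comes from the account record rather than from the request, the API response never contains the code, the stored value is a hash, the code is single-use, time-limited, attempt-limited, and bound to the one account the recovery session was opened for. The names (RecoveryService, the fake gateway, the clock) and the TTL and attempt thresholds are assumptions for the demonstration.

```python
"""Added example (not Coinbase's code): a server-side SMS recovery flow that
binds the one-time code to the phone number on file and to one recovery session.
Policy values below (TTL, attempt cap) are assumed for the demonstration."""
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumed: a recovery code lives five minutes
MAX_ATTEMPTS = 5         # assumed: wrong guesses allowed before the session is voided


class RecoverySession:
    def __init__(self, account_id, code_hash, created):
        self.account_id = account_id   # the session recovers exactly one account
        self.code_hash = code_hash     # only a hash of the code is kept server-side
        self.created = created
        self.attempts = 0


class RecoveryService:
    def __init__(self, accounts, sms_gateway, now=time.time):
        self.accounts = accounts   # account_id -> {"phone": ...}; the server's own records
        self.sms = sms_gateway     # callable(phone, text) that delivers to the carrier
        self.now = now
        self.sessions = {}         # opaque token -> RecoverySession

    def start(self, account_id, password_verified):
        """Open a recovery session. The code goes only to the SMS gateway; the
        return value is an opaque token that carries neither code nor phone number."""
        if not password_verified or account_id not in self.accounts:
            return None
        phone = self.accounts[account_id]["phone"]   # never taken from client input
        code = f"{secrets.randbelow(10**6):06d}"
        token = secrets.token_urlsafe(32)
        self.sessions[token] = RecoverySession(
            account_id, hashlib.sha256(code.encode()).digest(), self.now())
        self.sms(phone, f"Your recovery code is {code}")
        return token

    def verify(self, token, account_id, submitted_code):
        """Complete recovery only if the submitted code matches the code that was
        sent for this very session, within its lifetime and attempt budget."""
        s = self.sessions.get(token)
        if s is None or s.account_id != account_id:   # unknown, used, or cross-account
            return False
        if self.now() - s.created > CODE_TTL_SECONDS:
            del self.sessions[token]
            return False
        s.attempts += 1
        if s.attempts > MAX_ATTEMPTS:
            del self.sessions[token]
            return False
        ok = hmac.compare_digest(
            hashlib.sha256(submitted_code.encode()).digest(), s.code_hash)
        if ok:
            del self.sessions[token]   # single use: a replayed code is rejected
        return ok


def demo():
    """Constructed scenario: one account, a fake SMS gateway whose inbox stands in
    for the handset, and a controllable clock. Returns the outcome of each check."""
    clock = [1_700_000_000.0]
    inbox = {}   # phone -> delivered texts; only the handset's owner can read these

    def gateway(phone, text):
        inbox.setdefault(phone, []).append(text)

    accounts = {"alice": {"phone": "+15550100"}}
    svc = RecoveryService(accounts, gateway, now=lambda: clock[0])
    last_code = lambda: inbox["+15550100"][-1].split()[-1]
    results = {}

    # Owner: has the password and the handset, so reads the code from the inbox.
    tok = svc.start("alice", password_verified=True)
    results["owner_completes"] = svc.verify(tok, "alice", last_code())
    results["replay_rejected"] = not svc.verify(tok, "alice", last_code())

    # Password only, no handset: the API leaked nothing, and guessing is capped.
    tok2 = svc.start("alice", password_verified=True)
    real = int(last_code())
    wrong = [f"{(real + 1 + i) % 10**6:06d}" for i in range(MAX_ATTEMPTS + 1)]
    guesses = [svc.verify(tok2, "alice", g) for g in wrong]
    results["guess_limited"] = not any(guesses) and tok2 not in svc.sessions

    # Expiry: a code read after the TTL is useless.
    tok3 = svc.start("alice", password_verified=True)
    code3 = last_code()
    clock[0] += CODE_TTL_SECONDS + 1
    results["expired_rejected"] = not svc.verify(tok3, "alice", code3)

    # Cross-account: a session opened for alice cannot recover bob.
    accounts["bob"] = {"phone": "+15550199"}
    tok4 = svc.start("alice", password_verified=True)
    results["cross_account_rejected"] = not svc.verify(tok4, "bob", last_code())
    return results
```

Each check in verify() corresponds to a distinct way a recovery step can be weaker than "the party holds the SIM": a response that echoes the code, a code accepted for a different account or session, an unbounded guess budget, or a code that never expires. The demo exercises each one against the fake handset.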

The third phase was the theft itself: once inside the recovered account, the attacker initiated transfers of all available cryptocurrency balances to externally-controlled wallets. Cryptocurrency transfers, once confirmed on-chain, are irreversible; there is no practical window to recover the funds once the transaction has been broadcast.

The credential-reuse dependency is worth noting. Every one of the 6,000 affected customers had used the same credentials at Coinbase and at a previously-breached service. None of them would have been affected if they had used a unique password for their Coinbase account. The SMS flaw was necessary but not sufficient — the attack required knowing the victim’s valid Coinbase credentials first.

Timeline

  • Before March 2020 — Attackers obtain large credential datasets from third-party breaches; identify valid Coinbase email/password combinations through credential stuffing.
  • March – May 2020 — Attackers exploit the SMS account-recovery flaw to complete 2FA bypass on approximately 6,000 accounts; cryptocurrency transferred to attacker-controlled wallets.
  • May 2020 — Coinbase identifies and patches the SMS recovery vulnerability; campaign ends.
  • October 2021 — Coinbase notifies approximately 6,000 affected customers and files notice with the California Attorney General; commits to full reimbursement.
  • October 2021 (ongoing) — Reimbursements completed; incident drives broader industry and media discussion of SMS 2FA security.

What defenders should learn

The most direct lesson from the Coinbase breach is that SMS-based two-factor authentication is not an adequate security control for accounts with significant financial value. Phone numbers can be hijacked via SIM-swapping. SMS recovery flows have consistently proven vulnerable to social engineering of carrier customer-service staff. And as the Coinbase incident demonstrates, implementation flaws in SMS-based recovery can allow attackers to bypass SMS verification entirely without touching the physical SIM. The combination of these weaknesses makes SMS 2FA reliable enough to block casual account access but inadequate against motivated attackers targeting high-value accounts.

The alternative controls are available and increasingly standard: TOTP authenticator apps (Google Authenticator, Authy) are not susceptible to SIM-swap attacks because the code is generated locally, not sent over the telephone network. FIDO2 hardware security keys (YubiKeys and equivalents) are the strongest available second factor because they resist phishing and cannot be remotely compromised. Financial platforms holding significant user assets — exchanges, wallets, brokerages — should default new accounts to authenticator-app 2FA and actively migrate customers off SMS-only configurations.
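To make concrete why a TOTP authenticator app is not exposed to the telephone network, here is an added example (not code from Coinbase or from any authenticator vendor) that implements RFC 6238 TOTP on top of RFC 4226 HOTP with the Python standard library. The code is derived from a shared secret and the current time step, so nothing is transmitted to the user at login time. The verifier also shows the two server-side details that matter in practice: accepting a small clock-skew window, and refusing to accept a code for a time step that has already been used. The secret and timestamps in the test come from the RFC 6238 test vectors; the Verifier class name is an assumption.

```python
"""Added example: RFC 6238 TOTP (over RFC 4226 HOTP) with the standard library.
Shown to illustrate why an authenticator-app code never crosses the phone network."""
import base64
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % (10 ** digits):0{digits}d}"


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter equal to the current 30-second time step."""
    return hotp(secret, at // step, digits)


def secret_from_base32(s: str) -> bytes:
    """Authenticator apps are provisioned with a base32 secret; decode it to raw bytes."""
    return base64.b32decode(s.upper() + "=" * (-len(s) % 8))


class Verifier:
    """Server side: tolerate +/- `window` steps of clock skew, never accept a step twice."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self.last_step = -1   # highest time step already consumed by a successful login

    def verify(self, submitted: str, at: int) -> bool:
        current = at // self.step
        for k in range(-self.window, self.window + 1):
            candidate = current + k
            if candidate <= self.last_step:
                continue   # replay of a code already used (or older): reject
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, submitted):
                self.last_step = candidate
                return True
        return False
```

The RFC 6238 reference secret is the ASCII string "12345678901234567890"; at Unix time 59 it yields the 8-digit value 94287082, whose last six digits are the 6-digit code "287082".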

The credential-reuse dependency is the second lesson, and it is one that falls partly on users and partly on platforms. Platforms can mitigate credential-stuffing exposure by implementing rate limiting on authentication attempts, requiring CAPTCHA or device-fingerprint checks on unusual login patterns, and integrating with breach-monitoring services (such as Have I Been Pwned) to alert users whose email addresses appear in known breach datasets. These controls do not eliminate the risk — credential stuffing is a high-volume, automated attack that can be scaled to probe millions of accounts — but they significantly raise the cost per successful compromise.
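The credential-stuffing phase described under "How it worked" and the platform-side controls listed above can both be illustrated with one added example (written for this page, not Coinbase's tooling). It runs a detector over a handful of constructed authentication log lines, flagging a source that fails logins against many distinct accounts in a short window, lists the accounts that then logged in successfully from such a source (the reused-credential hits an attacker would go on to target), and shows a sliding-window rate limiter of the kind the text recommends. The log format, IP addresses, thresholds, and function names are all assumptions.

```python
"""Added example: credential-stuffing detection over constructed login logs,
plus a per-key sliding-window rate limiter. Format and thresholds are assumed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed log lines: one stuffing source (203.0.113.7) spraying many accounts,
# and one ordinary user (carol) mistyping her password twice before succeeding.
SAMPLE_LOG = """\
2020-03-14T02:11:05Z ip=203.0.113.7 user=a@example.com result=FAIL
2020-03-14T02:11:07Z ip=203.0.113.7 user=b@example.com result=FAIL
2020-03-14T02:11:09Z ip=198.51.100.3 user=carol@example.com result=FAIL
2020-03-14T02:11:10Z ip=203.0.113.7 user=c@example.com result=FAIL
2020-03-14T02:11:12Z ip=203.0.113.7 user=d@example.com result=FAIL
2020-03-14T02:11:14Z ip=198.51.100.3 user=carol@example.com result=FAIL
2020-03-14T02:11:15Z ip=203.0.113.7 user=e@example.com result=FAIL
2020-03-14T02:11:18Z ip=203.0.113.7 user=f@example.com result=OK
2020-03-14T02:11:20Z ip=198.51.100.3 user=carol@example.com result=OK
2020-03-14T02:11:22Z ip=203.0.113.7 user=g@example.com result=FAIL
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")


def parse(line):
    """Turn one log line into an event dict, or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts.timestamp(), "ip": m["ip"], "user": m["user"],
            "ok": m["result"] == "OK"}


def find_stuffing_sources(lines, window=60, min_distinct_users=5):
    """Flag IPs whose failed logins span >= min_distinct_users accounts inside
    `window` seconds. A single user retrying a typo never trips this, because the
    signal is breadth across accounts, not depth against one."""
    events = sorted(filter(None, map(parse, lines)), key=lambda e: e["ts"])
    recent = defaultdict(deque)   # ip -> (ts, user) failures still inside the window
    flagged = {}
    for e in events:
        if e["ok"]:
            continue
        q = recent[e["ip"]]
        q.append((e["ts"], e["user"]))
        while q and e["ts"] - q[0][0] > window:
            q.popleft()
        distinct = {u for _, u in q}
        if len(distinct) >= min_distinct_users:
            flagged[e["ip"]] = max(flagged.get(e["ip"], 0), len(distinct))
    return flagged


def accounts_to_reset(lines, flagged):
    """Accounts that logged in successfully from a flagged source: their password is
    known to the attacker and should be reset and their sessions revoked."""
    return {e["user"] for e in filter(None, map(parse, lines))
            if e["ok"] and e["ip"] in flagged}


class SlidingWindowLimiter:
    """Allow at most `limit` attempts per key in any `window`-second span."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)

    def allow(self, key, now):
        q = self.hits[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True
```

Keying the limiter on source IP alone is not enough against a distributed stuffing campaign, which is why the text pairs rate limiting with CAPTCHA or device checks on unusual patterns; the detector's breadth-across-accounts signal is the one that survives IP rotation when aggregated by other attributes (user agent, ASN, device fingerprint) instead of by address.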

The notification delay is worth noting as a transparency issue distinct from the technical failure. The breach occurred in early 2020; customers were notified in October 2021 — at least 18 months later. US state breach-notification laws (including California’s, under which Coinbase filed) generally require notification “in the most expedient time possible,” which courts and regulators have typically interpreted as within 30 to 90 days of discovery. A 15-plus-month gap between breach and notification is at minimum a compliance concern and at most an indication that either the breach was not identified promptly or the notification decision was delayed for reasons unrelated to the investigation’s completion.
