Crypto Exchange Coinbase Details SMS Phishing AttacksFirm Says Attack That Led to Employee Data Leak Is Tied to Twilio Hack
Cryptocurrency exchange firm Coinbase disclosed that a recent hacking attempt by the threat actors suspected of being behind the Twilio hack led to a minor leak of employee data.*
Coinbase on Friday revealed that the hacking campaign against the company began on Feb. 5 when its employees received SMS messages requesting that they urgently log into their official email accounts to receive an important message.
Although the majority of the workforce ignored the messages, the company says an unidentified employee clicked on the malicious link and entered his or her email ID and password on a fake login page. When the hackers gained the user's credentials, they attempted to get remote access to the Coinbase network, but due to two-factor authentication controls, they couldn't gain further access, the company says.
The hackers then directly contacted an employee, according to Coinbase, and claimed to be a Coinbase corporate IT staff member seeking help. But the Coinbase employee became suspicious, and when the SIEM alerted the incident response team to unusual behavior, the team notified the employee, who terminated all communication with the attackers, Coinbase says.
Although the company says it was able to prevent the attack quickly, it acknowledged the incident did cause limited leaks of employee data such as user names and contact details.
Based on the tactics displayed in the incident, Coinbase says the attack was likely carried out by the hackers behind a campaign that security intelligence firm Group-IB dubbed 0ktapus. The 0ktapus campaign attempted to steal two-factor authentication and credentials from identity and access management company Okta, communication service company Twilio and DDoS mitigation company Cloudflare.
According to Group-IB, the attacks against the companies were part of the same phishing campaign that used SMS links containing seemingly legitimate domain names to trick victims into entering their user credentials (see: Twilio Customer Data Breached via SMS Phishing of Employees).
*Correction Feb. 23, 2023 14:02 UTC: We incorrectly stated that a cloud security company was hacked by the same threat actor behind the Twilio hack. The threat actor did target the company and some employees did fall for the phishing messages. Cloudflare CEO Matthew Prince wrote in August 2022 that the phishing attacks did not succeed. "We were able to thwart the attack through our own use of Cloudflare One products, and physical security keys issued to every employee that are required to access all our applications," he wrote. We regret the error.