Coinbase vowed to reimburse at least 6,000 of its users who lost funds due to a hacking campaign that sought unauthorized access to their accounts and a flaw in its SMS account recovery process.
The Nasdaq-listed cryptocurrency exchange said it would be depositing funds into its users' accounts equal to the value taken.
It added that some customers have already been reimbursed.
Coinbase reportedly informed over 6,000 customers of the incident, which happened between March and May 20, 2021, in a letter, a copy of which is posted on the website of California’s Attorney General.
To access a Coinbase user account, the hackers needed to know the email address, password, and account-linked phone number, as well as have access to the user's personal email account.
According to Coinbase, such a campaign typically involves phishing attacks or other social engineering techniques to trick users into unknowingly disclosing login credentials.
Coinbase added that the hackers took advantage of a flaw in Coinbase’s SMS Account Recovery process to receive an SMS two-factor authentication token and gain access to the accounts.
The exchange noted that the hackers transferred the funds to crypto wallets unassociated with Coinbase.
Coinbase is conducting an internal investigation into the incident and is working closely with law enforcement to identify the hackers.
Nonetheless, Coinbase insisted that it has not found evidence that the hackers obtained user information from those connected with Coinbase.