The cryptocurrency exchange Coinbase has confirmed that the same hackers who attacked Twilio, Cloudflare, DoorDash, and more than a hundred other companies last year briefly compromised its systems.
Coinbase claimed in a post-mortem on the incident that the so-called “0ktapus” hackers stole one of its employees’ login information in an effort to remotely access the business’s systems.
In 2022, the hacking collective known as 0ktapus targeted more than 130 organizations in a continuous campaign to steal the login credentials of thousands of employees, frequently by impersonating Okta login pages. Given that the gang is now allegedly targeting several tech and video game companies, the true number of victims is most likely much higher than the 130 originally reported.
In the Coinbase case, the 0ktapus hackers began on February 5 by sending spoofed SMS text messages to a number of employees, telling them they needed to log in immediately via the provided link in order to receive an important message. One worker clicked the phishing link and entered their credentials. The attacker then attempted to use the stolen credentials to log into Coinbase’s internal systems, but was unable to do so because the account was protected by multi-factor authentication.
About 20 minutes later, the attacker phoned the worker in a voice phishing (“vishing”) call purporting to come from the Coinbase IT team and instructed them to log into their workstation. This gave the attacker access to the names, email addresses, and phone numbers of employees.
According to Coinbase spokesperson Jaclyn Sales, “a threat actor was able to view the dashboard of a small number of internal Coinbase communication tools and access a limited amount of employee contact information.” She added: “The threat actor was able to view specific views of internal dashboards through a screen share and accessed limited employee contact information.”
Coinbase says that by acting swiftly, its security team stopped the threat actor from gaining access to customer information or funds. Sales continued, “Our security team was able to quickly identify unusual activity and block any additional access to internal systems or data.”
Coinbase said that no customer information was accessed, but the company’s chief information security officer, Jeff Lunglhofer, advised users to switch to hardware security keys for more secure account access. He did not specify, however, whether hardware keys—which cannot be phished—are used internally.