
410 points gpi | 2 comments
thepasswordis No.43996769
The problem is that it seems like the data that leaked is also the data that would be used to do account recovery.

And what that means is that

1) If you lose access to your account (through either your own fault or Coinbase's fault), the process of recovering it may not be so straightforward anymore.

2) Hackers can try to “recover” accounts now using this leaked info.

This is a huge problem. What Coinbase needs are IRL offices where you can go and do things like account recovery, and where people trying to steal money can be caught and prosecuted (which also makes a huge barrier for the overseas thieves who are usually doing this).

The only solution here is hardware 2-factor like YubiKeys.

1. whoopdedo No.43999499
If you ever sent money to or from a wallet you control, I'd think a reliable recovery factor would be to use that key to sign a message that Coinbase can verify with the address in their records. Cryptocurrency after all is just another PKI.
2. whoopdedo No.44003005
And dumb-dumb me just realized how trivial that would be to break. Social engineer someone into sending/receiving money to/from your wallet then pretend to be them requesting an account recovery.

Coinbase would have to make you sign a challenge ahead of time that would mark the wallet as the authorized public key for your account.
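The pre-registered challenge signature the last reply calls for, as an added example that is not code from the thread or from Coinbase. It assumes a toy exchange backend using Ed25519 (a real one would verify the chain's native scheme, secp256k1 for Bitcoin and Ethereum) and treats the raw public key as the wallet address; the server type, account names, purpose strings and the Alice/Mallory keys are all constructed for the example. The naive variant, which trusts any address found in the account's transaction history, is the version the social-engineering attack breaks, and the fixed variant only honours a key that signed an enrollment challenge ahead of time.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Purpose strings domain-separate what is signed: an enrollment signature can never double as a recovery one.
const (
	purposeEnroll  = "exchange-recovery-enroll-v1"
	purposeRecover = "exchange-recovery-v1"
)

type challenge struct {
	purpose, account string
	msg              []byte // the exact bytes the client must sign
}

type server struct {
	enrolled map[string]bool      // "account|address" pairs whose key signed an enrollment challenge
	pending  map[string]challenge // outstanding challenges keyed by nonce
}

// addressOf stands in for the chain's address derivation (ed25519 chains use the raw key).
func addressOf(pub ed25519.PublicKey) string { return hex.EncodeToString(pub) }

// issueChallenge returns a fresh nonce (also the challenge id) and the bytes to sign: purpose, account, nonce joined by NUL.
func (s *server) issueChallenge(purpose, account string) (id string, msg []byte) {
	var n [16]byte
	if _, err := rand.Read(n[:]); err != nil {
		panic(err) // a failing CSPRNG is not something to recover from
	}
	id = hex.EncodeToString(n[:])
	c := challenge{purpose, account, []byte(purpose + "\x00" + account + "\x00" + id)}
	s.pending[id] = c
	return id, c.msg
}

// consume enforces single use and purpose, then verifies the signature. The challenge is
// deleted on every path, so a failed attempt cannot be retried against the same nonce.
func (s *server) consume(id, purpose string, pub ed25519.PublicKey, sig []byte) (string, error) {
	c, ok := s.pending[id]
	delete(s.pending, id)
	switch {
	case !ok:
		return "", errors.New("unknown or already used challenge")
	case c.purpose != purpose:
		return "", errors.New("challenge was issued for a different purpose")
	case !ed25519.Verify(pub, c.msg, sig):
		return "", errors.New("signature does not verify under the presented key")
	}
	return c.account + "|" + addressOf(pub), nil // the pair the signer has just proven control of
}

// enroll binds a wallet key to the account; it must only be reachable from an authenticated session.
func (s *server) enroll(id string, pub ed25519.PublicKey, sig []byte) error {
	key, err := s.consume(id, purposeEnroll, pub, sig)
	if err == nil {
		s.enrolled[key] = true
	}
	return err
}

// recoverAccount accepts the signer only if its address is in authorized: pass the on-chain history (the naive proposal) or s.enrolled (the fix).
func (s *server) recoverAccount(authorized map[string]bool, id string, pub ed25519.PublicKey, sig []byte) error {
	key, err := s.consume(id, purposeRecover, pub, sig)
	if err == nil && !authorized[key] {
		return errors.New("address is not an authorized recovery key for this account")
	}
	return err
}

// runScenario plays out the thread with generated keys; Alice's history holds her own wallet and Mallory's (a social-engineered payment).
func runScenario() map[string]error {
	s := &server{enrolled: map[string]bool{}, pending: map[string]challenge{}}
	alicePub, alicePriv, _ := ed25519.GenerateKey(rand.Reader)
	malPub, malPriv, _ := ed25519.GenerateKey(rand.Reader)
	history := map[string]bool{"alice|" + addressOf(alicePub): true, "alice|" + addressOf(malPub): true}
	r := map[string]error{}
	id, msg := s.issueChallenge(purposeRecover, "alice") // naive: Mallory's own address is "in the records"
	r["naive mallory"] = s.recoverAccount(history, id, malPub, ed25519.Sign(malPriv, msg))
	id, msg = s.issueChallenge(purposeEnroll, "alice") // fixed: Alice enrolled ahead of time while logged in
	r["enroll alice"] = s.enroll(id, alicePub, ed25519.Sign(alicePriv, msg))
	id, msg = s.issueChallenge(purposeRecover, "alice")
	r["fixed mallory"] = s.recoverAccount(s.enrolled, id, malPub, ed25519.Sign(malPriv, msg))
	id, msg = s.issueChallenge(purposeRecover, "alice")
	r["fixed alice"] = s.recoverAccount(s.enrolled, id, alicePub, ed25519.Sign(alicePriv, msg))
	r["fixed replay"] = s.recoverAccount(s.enrolled, id, alicePub, ed25519.Sign(alicePriv, msg)) // same nonce again
	id, msg = s.issueChallenge(purposeEnroll, "alice") // an enrollment challenge is useless for recovery
	r["fixed wrong purpose"] = s.recoverAccount(s.enrolled, id, alicePub, ed25519.Sign(alicePriv, msg))
	return r
}

func main() { fmt.Println(runScenario()) }
```

Two details carry the fix. Recovery consults only keys that signed an enrollment challenge from an authenticated session, never the transaction history, so Mallory's perfectly valid signature over a perfectly real address still proves nothing about Alice's account. And every challenge is single-use and purpose-tagged, so a signature phished under some other "sign this message" pretext, or a recovery signature captured once, cannot be replayed. A production version would also expire outstanding challenges and rate-limit attempts per account.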