Earlier this month, BleepingComputer reported a massive issue affecting Coinbase customers: failed login attempts with incorrect passwords were mistakenly recorded as two-factor authentication failures in the Account Activity logs.
In other words, in an attacker attempted to access someone’s account with an incorrect password, error messages stating “second_factor_failure” or “2-step verification failed” were displayed.
In fact, such records indicate that the attacker has entered the correct username and password, but the login attempt was blocked by 2FA (e.g. after incorrectly entering a one-time code from an authenticator app).
As a result, many Coinbase customers concluded that the exchange itself was compromised because they used unique passwords, found no traces of malware on their devices, and other accounts weren’t affected. Some people even reset all their passwords multiple times and spent hours trying to determine whether their devices had been hacked.
Coinbase representatives explained to BleepingComputer that the Coinbase logging system was incorrectly attributing login attempts with incorrect passwords as “2FA failures,” even though the attackers hadn’t actually reached the 2FA stage.
This week, Coinbase released an update fixing this error, and now failed attempts to login into an account result in a correct message: “Password attempt failed”.
According to BleepingComputer, this fix is very important since attackers often use social engineering against Coinbase customers to gain access to their accounts and steal cryptocurrency. Furthermore, cybercriminals use mislabeled records in Account Activity logs to make victims think that their credentials were compromised. However, it wasn’t possible to verify such claims.
In the past Coinbase has repeatedly stated that it will never call or send text messages to its customers requesting them to change their passwords or reset two-factor authentication. Such messages should be treated as nothing but scam.
2025.02.23 — New JavaScript obfuscation technique uses invisible Unicode characters
According to Juniper Threat Labs , a new JavaScript obfuscation technique that uses invisible Unicode characters was used in a phishing attack targeting Political Action…
Full article →
2025.04.22 — Scammers pose as FBI IC3 specialists, offer 'assistance' to fraud victims
According to the FBI, scammers impersonating employees of the FBI Internet Fraud Complaint Center (IC3) contact fraud victims offering them 'assistance' in getting their money…
Full article →
2025.03.18 — Black Basta ransomware group developed its own automated brute-forcing framework
According to EclecticIQ, Black Basta Ransomware-as-a-Service (RaaS) group has developed its own automated brute-forcing framework dubbed BRUTED. It's used to hack edge network devices…
Full article →
2025.02.14 — 12,000 Kerio Control firewalls remain vulnerable to RCE
Security experts report that more than 12,000 GFI Kerio Control firewall instances remain vulnerable to the critical RCE vulnerability CVE-2024-52875, which was fixed…
Full article →
2025.04.10 — April updates released by Microsoft cause issues with Windows Hello
Microsoft warns that some Windows users who have installed the April updates might be unable to login to their Windows services using Windows Hello facial recognition…
Full article →
2025.02.17 — Dutch police seize 127 servers belonging to Zservers hosting provider
Following the introduction of international sanctions against Zservers, Russian 'bulletproof' hosting services provider, the Dutch National Police (Politie) shut down and seized 127 servers belonging to Zservers/XHost.…
Full article →
2025.03.05 — Polish Space Agency disconnects its network due to hacker attack
Last weekend, the Polish Space Agency (POLSA) had to disconnect all of its systems from the Internet to localize an attack targeting its IT infrastructure. After discovering the intrusion,…
Full article →
2025.02.09 — Abandoned AWS S3 buckets could be used in attacks targeting supply chains
watchTowr discovered plenty of abandoned Amazon S3 buckets that could be used by attackers to deliver malware and backdoors to government agencies and large corporations. The researchers discovered…
Full article →
2025.01.26 — Cisco patched a critical vulnerability in Meeting Management
Cisco released updates to fix a critical (CVSS score: 9.9) vulnerability in Meeting Management. The bug enables an unprivileged remote authenticated attacker to gain administrative privileges. The vulnerability…
Full article →
2025.04.16 — Android devices will restart every three days to protect user data
Google introduces a new security feature for Android devices: locked and unused devices will be automatically restarted after three days of inactivity to return their memory to an…
Full article →