Earlier this month, BleepingComputer reported a massive issue affecting Coinbase customers: failed login attempts with incorrect passwords were mistakenly recorded as two-factor authentication failures in the Account Activity logs.
In other words, if an attacker attempted to access someone’s account with an incorrect password, error messages stating “second_factor_failure” or “2-step verification failed” were displayed.

Such records would normally indicate that the attacker entered the correct username and password, and that the login attempt was blocked by 2FA (e.g., after incorrectly entering a one-time code from an authenticator app).
As a result, many Coinbase customers concluded that the exchange itself was compromised because they used unique passwords, found no traces of malware on their devices, and other accounts weren’t affected. Some people even reset all their passwords multiple times and spent hours trying to determine whether their devices had been hacked.
Coinbase representatives explained to BleepingComputer that the Coinbase logging system was incorrectly labeling login attempts with incorrect passwords as “2FA failures,” even though the attackers hadn’t actually reached the 2FA stage.
This week, Coinbase released an update fixing this error, and failed attempts to log in to an account now produce the correct message: “Password attempt failed”.
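The logging rule at issue, as an added illustration that is not Coinbase's code: each failed attempt gets one audit event named after the stage that rejected it, so a second-factor entry can only appear once the password has been verified. The function names, the user store, the `login_success` label and the fixed one-time code standing in for a real authenticator check are all assumptions.

```python
import hashlib
import hmac
import os

# The two failure labels are the strings quoted in the article.
PASSWORD_FAILED = "Password attempt failed"
SECOND_FACTOR_FAILED = "second_factor_failure"
LOGIN_OK = "login_success"  # assumed label, not from the article


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(password: str, otp: str) -> dict:
    """Constructed user record; `otp` is a fixed stand-in for a TOTP check."""
    salt = os.urandom(16)
    return {"salt": salt, "pw_hash": _hash(password, salt), "otp": otp}


def attempt_login(users, audit_log, username, password, otp) -> bool:
    """Append exactly one audit event naming the stage that decided the attempt."""
    user = users.get(username)
    # Hash even for unknown users so both paths do comparable work.
    salt = user["salt"] if user else b"\0" * 16
    candidate = _hash(password, salt)
    if user is None or not hmac.compare_digest(candidate, user["pw_hash"]):
        # Stage 1 rejected: the second factor is never evaluated, so the
        # event must not mention it.
        audit_log.append((username, PASSWORD_FAILED))
        return False
    if not hmac.compare_digest(otp.encode(), user["otp"].encode()):
        # Only reachable with a correct password: this entry tells the
        # account owner their password is known to someone else.
        audit_log.append((username, SECOND_FACTOR_FAILED))
        return False
    audit_log.append((username, LOGIN_OK))
    return True


if __name__ == "__main__":
    users = {"alice": make_user("correct horse", "123456")}  # constructed data
    log = []
    attempt_login(users, log, "alice", "guessed-password", "123456")
    attempt_login(users, log, "alice", "correct horse", "000000")
    for entry in log:
        print(entry)
```
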
According to BleepingComputer, this fix is very important since attackers often use social engineering against Coinbase customers to gain access to their accounts and steal cryptocurrency. Furthermore, cybercriminals use mislabeled records in Account Activity logs to make victims think that their credentials were compromised. However, it wasn’t possible to verify such claims.
In the past, Coinbase has repeatedly stated that it will never call or send text messages to its customers requesting them to change their passwords or reset two-factor authentication. Such messages should be treated as nothing but a scam.