Coinbase erroneously reported 2FA changes to 125,000 customers

On Friday afternoon, Coinbase sent email and SMS text messages to 125,000 customers, erroneously telling them that their 2FA settings had been changed.

Cryptocurrency exchange Coinbase sent an automated message to a large number of its customers on Friday, saying “your 2-step verification settings have been changed.” Unfortunately, the message was sent in error—by Coinbase’s count, 125,000 of those messages were sent (via email and SMS text) to customers whose 2FA settings had not changed.

According to Coinbase’s own acknowledgment Saturday, its system began sending the erroneous messages at 1:45PM Pacific time on Friday, and kept sending them until the error was mitigated at 3:07PM.

In that Twitter thread, Coinbase acknowledges the mistaken 2FA messages’ potential for confusion—confusion which retiree Don Pirtle told CNBC led him to panic-sell more than $60,000 of cryptocurrency. Pirtle was holding this large wallet as an investment for his grandson, so the panicked sale may have been as much blessing as curse—he now questions whether cryptocurrency was a safe investment in the first place.

Coinbase says that the erroneous 2FA messages were the result of an internal error, not hacker activity. “All of a sudden, the system just started sending stuff like a bug in the system,” Coinbase spokesperson Andrew Schmitt told CNBC, adding “but it was not a malicious or third party error.”

Building trust and security?

Although Coinbase tweeted its “laser [focus] on building trust and security into the crypto community,” panic among its affected customer base is understandable. In addition to a general history of hacked crypto exchanges—including Bitfloor, Mt. Gox, Bitfinex, CoinCheck, QuadrigaCX (technically not a hack), and KuCoin—Coinbase itself has a bad reputation for its response to customers who have been hacked individually.

Most large financial institutions carry cyber fraud insurance policies and will cover hacked checking or savings accounts. “If you are victimized through cybertheft by no fault of your own, most large banks will make you whole,” CFA Greg McBride told USA Today.

The same is not true of Coinbase, which recently told one hacked customer that “there is no credible or supportable evidence that the compromise of your login credentials was the fault of Coinbase. As a result, Coinbase is unable to reimburse you for your alleged losses.”

In addition to a strict “your hack is your problem” policy, Coinbase has been repeatedly accused of extremely slow response to serious customer problems. The Twitter thread in which it announced the erroneous messages quickly devolved into users complaining of poor customer service regarding wallets which had been locked for weeks or months.