Full Report
Coinbase has fixed a confusing bug in its account activity logs that caused users to think their credentials were compromised. [...]
Analysis Summary
# Incident Report: Coinbase MFA Log Misattribution Issue
## Executive Summary
Coinbase experienced a logging error where failed login attempts due to incorrect passwords were incorrectly recorded in user account activity logs as "2-step verification failed." This technical error caused significant user panic, leading many to believe their accounts had been compromised despite unique passwords and no signs of malware. Coinbase has since corrected the logging issue and is reinforcing user awareness regarding social engineering tactics.
## Incident Details
- Discovery Date: Not explicitly stated (Implied concurrent with user reports)
- Incident Date: Pre-fix deployment date (affecting log generation)
- Affected Organization: Coinbase
- Sector: Financial Technology (Cryptocurrency Exchange)
- Geography: Global (as Coinbase is a global service)
## Timeline of Events
### Initial Access
- Date/Time: Undetermined (Began when the logging bug was introduced)
- Vector: Not an external attack vector; this was an internal system logging misconfiguration.
- Details: Threat actors attempting unauthorized access entered incorrect passwords.
### Lateral Movement
- N/A - This was a logging error, not a compromise leading to network movement.
### Data Exfiltration/Impact
- Impact: User confusion, panic, unnecessary password resets, and hours wasted investigating potential compromises. Potential for exploitation via social engineering exploiting the misleading log data.
### Detection & Response
- Detection: Numerous Coinbase users contacted BleepingComputer reporting suspicious "second\_factor\_failure" logs despite having unique passwords and no other signs of compromise.
- Response Actions: Coinbase confirmed the logging issue, pushed an update to correct the log labeling, ensuring subsequent failed logins show "Password attempt failed."
## Attack Methodology
- Initial Access: N/A (Internal system bug)
- Persistence: N/A
- Privilege Escalation: N/A
- Defense Evasion: N/A
- Credential Access: Attempted by threat actors using brute-force or compromised credentials, but stopped before the 2FA stage.
- Discovery: N/A
- Lateral Movement: N/A
- Collection: N/A
- Exfiltration: N/A
- Impact: False positive security reporting leading to user distress and potential social engineering vector exploitation.
## Impact Assessment
- Financial: Unquantified costs related to user support and engineering time to resolve the bug and address user concerns (potentially including user security actions like mass password resets).
- Data Breach: No confirmed user data breach resulted from this specific logging issue.
- Operational: Significant temporary operational/trust impact due to widespread user alarm.
- Reputational: Negative short-term impact due to widespread user concerns over security integrity.
## Indicators of Compromise
- Network indicators: Undetermined (Attacks were blocked before 2FA). Actual IoCs related to underlying credential stuffing attempts were likely not fully visible to end-users.
- File indicators: None reported against user systems.
- Behavioral indicators: Users observing the log entry `"second_factor_failure"` or `"2-step verification failed"` when only incorrect passwords were used.
## Response Actions
- Containment: N/A (No malicious activity was contained; the issue was internal configuration).
- Eradication: Pushing a software update to fix the logging logic to correctly label password failures.
- Recovery: Restoring accurate user account activity logs to reflect actual security events.
## Lessons Learned
- Critical importance of accurate security logging: Misleading log entries can cause undue panic and lead users to take unnecessary security measures.
- Social Engineering Risk: Mislabeled security events can actively provide threat actors with plausible deniability or material to fuel highly convincing social engineering attacks (e.g., convincing users they *must* have been breached).
- User Communication: Coinbase proactively communicated with BleepingComputer to clarify the situation.
## Recommendations
- Implement rigorous pre-release testing for security-related logging functions, specifically focusing on failure paths and error message alignment with the actual security stage reached.
- Continuously educate users that Coinbase personnel will never initiate contact (SMS/call/email) requesting password changes or 2FA resets, to counter ongoing smishing and social engineering campaigns.