In the linked PDF, Coinbase does not claim to have knowledge of a vulnerability in their system (edit: though it does note "the third party took advantage of a flaw in Coinbase’s SMS Account Recovery process," I interpreted that as "we supported SMS account recovery at all," which is inherently broken [0]). The requisite two-factor bypass is detailed in the linked PDF:
> Even with the information described above, additional authentication is required in order to access your Coinbase account. However, in this incident, for customers who use SMS texts for two-factor authentication, the third party took advantage of a flaw in Coinbase’s SMS Account Recovery process in order to receive an SMS two-factor authentication token and gain access to your account.
My guess is, because funds were stolen from users' accounts, the CA breach notification laws apply and this needed to be disclosed as such. However, that doesn't necessarily mean that Coinbase was technically "breached," only that customer accounts were compromised.
If the attacker controls your personal email associated with Coinbase, accompanying passwords, and phone number, and you use SMS 2FA, then your funds were stolen. Otherwise, they were safe. That's my reading of the article.
They also say "we updated our SMS Account Recovery protocols to prevent any further bypassing of that authentication process". What did they update if it wasn't due to a weakness on their side?
EDIT: On reading some of their docs, recovery is supposed to be followed by the user submitting ID documents, etc., before they get full access back - maybe that's the part they didn't do before, or that could somehow be circumvented? (Which is a flaw, but still requires intercepting the SMS to use?)
I bet that control of email address + SMS 2FA was sufficient, alone, to recover the Coinbase account password. Lots of systems permit this kind of recovery, and while I may tell a technical crowd "if you use SMS for 2FA, that's on you" less technical users may not have the requisite background to understand the security tradeoff they make in doing so.
The "flaw," in my reading of it, was to support SMS-based account recovery at all. But I'm not necessarily right here, and open to alternatives.
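As an added illustration of the distinction the comment above draws (constructed here, not from the thread or from Coinbase's documentation), a Python model compares a recovery flow in which control of email plus an SMS code alone restores full access against one that treats the login second factor as a non-independent proof and gates full access on an ID-document review. The factor names and access levels are assumptions.

```python
"""Constructed model of the two account-recovery designs discussed above."""
from enum import Enum


class Factor(str, Enum):
    EMAIL = "email"              # control of the recovery mailbox
    SMS = "sms"                  # receipt of a code at the phone number on file
    TOTP = "totp"                # app-based login 2FA (not a recovery channel)
    ID_DOCUMENT = "id_document"  # out-of-band identity review


class Access(str, Enum):
    DENIED = "denied"
    RESTRICTED = "restricted"    # may reset the password, may not move funds
    FULL = "full"


def weak_recovery(login_2fa: Factor, proven: set[Factor]) -> Access:
    """Recovery as the commenters guess it worked: email + SMS restores full
    access, even when SMS is also the login second factor, so an attacker
    holding the mailbox and the phone number needs nothing else."""
    if {Factor.EMAIL, Factor.SMS} <= proven:
        return Access.FULL
    return Access.DENIED


def hardened_recovery(login_2fa: Factor, proven: set[Factor]) -> Access:
    """Recovery with two defensive rules:
    1. A channel that also serves as login 2FA is not an independent proof,
       so intercepting one SMS cannot satisfy both 2FA and recovery.
    2. Full access requires an independent strong proof (ID review); email
       plus a weak channel only yields a restricted session."""
    independent = {f for f in proven if f != login_2fa}
    if Factor.EMAIL not in independent:
        return Access.DENIED
    if Factor.ID_DOCUMENT in independent:
        return Access.FULL
    return Access.RESTRICTED


if __name__ == "__main__":
    # The attacker capability set from the thread: mailbox + phone number.
    attacker = {Factor.EMAIL, Factor.SMS}
    for flow in (weak_recovery, hardened_recovery):
        print(f"{flow.__name__:18} SMS-2FA victim -> {flow(Factor.SMS, attacker).value}")
```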
[0]: https://krebsonsecurity.com/2019/08/who-owns-your-wireless-s...