Bad actors were able to infiltrate the accounts of and steal cryptocurrency from around 6,000 Coinbase customers by exploiting a multi-factor authentication flaw, according to Bleeping Computer. The cryptocurrency exchange told the publication that its security team observed a large-scale phishing campaign targeting its users between April and early May 2021. Some users may have fallen victim to the malicious emails, giving hackers access to their usernames and passwords. Worse, even those who had multi-factor authentication switched on were compromised because of a flaw in the exchange’s system.

In the notification [PDF] it sent to affected customers, Coinbase said the bad actors took advantage of a vulnerability in its SMS Account Recovery process. That allowed the hackers to receive the two-factor token that was supposed to be sent via text to the account owner’s phone number. 

Coinbase recommends using two-factor with a security key on its website, followed by an authenticator app. It lists SMS authentication as a last resort, advising users to lock their mobile accounts to protect themselves from SIM swap scams or phone port frauds. Back in August, Coinbase also notified 125,000 users that their two-factor settings had changed, but the exchange said back then that the notification was sent by mistake and wasn’t the result of a hack.

In its letter to customers, Coinbase said it patched up its SMS Account Recovery protocols as soon as it learned about the issue. It’s also reimbursing everyone who’s lost cryptocurrency from the event. Those who were affected by the hack may want to make sure all their other accounts are secure, though, since it also exposed their names, addresses and other sensitive information when their accounts were infiltrated.