RandomBacon 5 days ago

Coinbase STILL doesn't freeze user accounts for a token amount of time, 24 hours or so, after resetting a password‽

Part of the blame should be levied on Coinbase if this is the case.

(I'm assuming this guy at least uses unique passwords...)

edm0nd 4 days ago

Coinbase offers Vault though. You can lock your funds into a Vault and it takes like 2-3 days to unlock them + you have to get approval from multiple different email accounts to even begin the unlock.

Coinbase has many ways to secure your account if the user enables them.

Also, physical YubiKeys would prevent anyone from withdrawing or stealing funds, as it would have to be plugged in and tapped to process them.

riffraff 5 days ago

The attacker had the passwords and 2FA codes from the Google account, so Coinbase couldn't really distinguish them from the right person (though presumably for large transfers they may require some extra checks, dunno).

RandomBacon 5 days ago

The article is poorly written and not clear. It sounds like you're suggesting the author let Chrome save his Coinbase password and Google synced that to the attacker as well?

> Google had cloud-synced my codes.

> That was the master key. Within minutes, he was inside my Coinbase account.

The author wrote "codes", not "passwords".

sgerenser 4 days ago

The author clarified that he had enabled Sign in with Google on his Coinbase account. So if the attacker was logged in with his Google account, then they had access to his Coinbase account without needing a password.

RandomBacon 4 days ago

Isn't "Sign in with ______" (Google/Facebook/Etc) discouraged, because if for whatever reason Google/Facebook/Etc decides to ban your account, you can no longer log in to those services?

Havoc 5 days ago

I believe you can lock it to specific outgoing addresses though, and ones not on the list have a long delay - like a week.