Coinbase Faces Class Action Over Alleged Security Lapses
Proposed Class Action Accuses Coinbase of Poor Security and Worse Customer Service
Coinbase faces a putative class action lawsuit alleging the cryptocurrency trading platform fails to protect customer accounts from being "fleeced by hackers."
Plaintiff Manish Aggarwal says the largest cryptocurrency platform by trading volume in the United States failed to prevent hackers from draining $200,000 from his account even though he had turned on multifactor authentication. His complaint, filed in the Northern District of California, also details a days-long saga to reach a human representative after he ran into difficulties logging onto his account.
Coinbase “does a poor job of protecting its user accounts from unlawful intrusion and thievery” and “an even worse job” of helping customers with post-breach security, the complaint alleges. Ordinary account holders are left “to navigate a faceless and impenetrable automated ‘customer service’ process that leads nowhere.”
The lawsuit seeks class action status on behalf of all Coinbase customers who had funds stolen from their account since April 1, 2021. Plaintiff attorneys demand damages, including treble damages for alleged violations of the Electronic Funds Transfer Act.
The publicly traded crypto trading platform acknowledged an early 2021 cyberattack in which attackers stole an undisclosed amount from more than 6,000 users targeted by a large-scale email phishing attack. In its most recent quarterly securities filing, the company says it has 103 million verified users and facilitated $526 billion worth of trading volume during the first half of 2022.
Aggarwal says he doesn't believe himself to be the victim of a phishing attack that would allow a third party to gain access to the multifactor authentication codes generated via Google Authenticator he activated at Coinbase's behest.
"The only explanation for how Plaintiff’s account was emptied is that a third party - either a hacker or Coinbase employee - was able to see Plaintiff’s Google Authenticator Code on Coinbase’s system because Coinbase did not take sufficient care to prevent access to that information." Whatever security updates the company made following the 2021 attack weren't sufficient to prevent hackers from continuing to drain customer wallets, the lawsuit says.
As a financial institution holding billions of dollars of consumer funds, Coinbase is obligated by the Electronic Funds Transfer Act to restore stolen consumer funds, the lawsuit says. Coinbase acknowledged in a Securities and Exchange Commission filing that it must deploy "bank-level security standards," the lawsuit notes.
"Coinbase cannot shed those duties through buried disclaimer language on its website and should be required to make Plaintiff and all similarly situated consumers whole for their losses," it says.
The company also faces a separate proposed class action filed in the Northern District of Georgia from a plaintiff making similar allegations. In that lawsuit, plaintiff George Kattula says he lost $6,000 worth of cryptocurrency due to the platform's security lapses.
In September, a system error led Coinbase to send out false automated security alerts to about 125,000 customers late last week indicating their 2FA settings had been changed, while in February, a "market-nuking" API bug halted new trading orders on the platform.