Coinbase has confirmed that over 69,000 users were affected by a security incident tied to a third-party multifactor authentication (MFA) provider, underscoring the evolving sophistication of identity-based attacks.
Continue reading to understand how the attack happened and gain insights into how UEBA can combat similar situations.
What happened and why it matters
According to a breach notification filed with the Maine Attorney General’s Office, the attackers exploited stolen MFA session tokens to impersonate users and bypass authentication controls, gaining access to sensitive personal and financial data.
Our recent research, Cookie-Bite, highlights how digital crumbs can let threat actors bypass MFA and maintain access to cloud environments. This underscores the importance of implementing UEBA to detect misuse of valid credentials and session tokens.
Attackers offered cash incentives to a handful of insiders, persuading them to extract data from Coinbase’s customer support systems. The breach affected less than 1% of monthly transacting users, but the intent was far more widespread.
Armed with stolen data, the attackers aimed to impersonate Coinbase and phish unsuspecting customers out of their crypto. When that failed to deliver the payday they wanted, they pivoted to extortion, demanding $20 million to keep the breach under wraps.
While internal systems were not directly compromised in this breach, it highlights a growing blind spot in modern identity security: session hijacking and token theft.
This incident is a textbook example of how attackers are shifting focus from breaching hardened infrastructure to exploiting the soft underbelly of identity and access.
Once a valid session token is in hand, traditional defenses — including MFA — are rendered ineffective. The attacker becomes indistinguishable from a legitimate user, operating freely within the environment and putting your information at risk of exposure.
Why UEBA is the only real defense
Authentication is not the finish line — it’s the starting point in incidents like this. Once inside, attackers can move laterally, access sensitive data, and exfiltrate information without triggering traditional alerts.
That’s where User and Entity Behavior Analytics (UEBA) becomes a critical component of your security stack.
UEBA doesn’t rely on static rules or known indicators of compromise. Instead, it builds a behavioral baseline for every user and entity in your environment. Even when someone with valid credentials starts acting abnormally (e.g., accessing unusual files, logging in from atypical locations, or exfiltrating data), UEBA raises the alarm.
Key UEBA capabilities
A robust UEBA solution should include the following capabilities:
- Anomaly detection: UEBA builds a behavioral baseline for every user and entity in your environment and raises the alarm when someone with valid credentials starts acting abnormally (e.g., accessing unusual files, logging in from atypical locations, or exfiltrating data).
- Insider threat detection: UEBA can detect anomalous activity and notify your team of any activity that could indicate insider threats or unintentional data exposure.
- Data-centric visibility: UEBA provides a complete picture of your data estate, both on-prem and across every cloud, a level of coverage that other modern threat detection solutions do not offer.
In the Coinbase breach, a UEBA system would have flagged the anomalous behavior of attackers using valid tokens in ways that deviated from the legitimate users’ normal patterns.
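To make the baseline-and-deviation idea concrete, here is an added example (not Varonis code, and not a description of the Varonis platform) of a minimal UEBA-style scorer. It builds a per-user profile from constructed historical audit events, then scores a new session for the signals the text lists: a valid token seen from more than one client at once, a never-before-seen country or device, access to resources outside the user's usual set, and an egress volume far above the user's history. The field names, the hypothetical user "alice", and all event data are assumptions for this example.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Event:
    """One audit record. Field names are assumptions for this example."""
    user: str
    session: str    # session/token identifier; a stolen token keeps its id
    country: str    # geolocation of the request source
    device: str     # client fingerprint (e.g., hash of UA + TLS details)
    resource: str   # file or API object touched
    bytes_out: int  # bytes returned to the client


# Constructed baseline: 30 days of a hypothetical support analyst's activity.
# Each day is one session touching a ticket queue and the FAQ, with mild
# day-to-day variation in volume so the baseline has a real spread.
HISTORY = [
    Event("alice", f"s{d}", "US", "dev-a1", f"tickets/{d % 5}", 40_000 + 1_000 * (d % 7))
    for d in range(30)
] + [
    Event("alice", f"s{d}", "US", "dev-a1", "kb/faq", 12_000) for d in range(30)
]


def build_baseline(events):
    """Per-user profile: seen countries/devices/resources and bytes per session."""
    profiles = defaultdict(lambda: {
        "countries": set(), "devices": set(), "resources": set(),
        "session_bytes": defaultdict(int),
    })
    for e in events:
        p = profiles[e.user]
        p["countries"].add(e.country)
        p["devices"].add(e.device)
        p["resources"].add(e.resource)
        p["session_bytes"][e.session] += e.bytes_out
    return profiles


def score_session(profile, events, z_threshold=3.0):
    """Score one session's events against a user's baseline.

    Returns (score, reasons): reasons are the individual anomaly signals that
    fired, and the score is simply how many of them fired.
    """
    reasons = []
    countries = {e.country for e in events}
    devices = {e.device for e in events}
    # 1. One token observed from several devices or countries in the same
    #    session: the strongest sign that the session token has been replayed.
    if len(devices) > 1 or len(countries) > 1:
        reasons.append("token_reuse_across_clients")
    if countries - profile["countries"]:
        reasons.append("new_country")
    if devices - profile["devices"]:
        reasons.append("new_device")
    # 2. Resource novelty: share of touched objects never seen for this user.
    touched = {e.resource for e in events}
    if touched:
        novel = len(touched - profile["resources"]) / len(touched)
        if novel >= 0.5:
            reasons.append("unusual_resources")
    # 3. Volume: session egress versus the user's per-session history.
    hist = list(profile["session_bytes"].values())
    mu = mean(hist) if hist else 0.0
    sigma = pstdev(hist) if len(hist) > 1 else 0.0
    total = sum(e.bytes_out for e in events)
    if total > mu + z_threshold * max(sigma, 1.0):
        reasons.append("egress_volume_spike")
    return len(reasons), reasons


def flag_sessions(history, new_events, min_score=1):
    """Group new events by (user, session) and return the ones that score."""
    profiles = build_baseline(history)
    grouped = defaultdict(list)
    for e in new_events:
        grouped[(e.user, e.session)].append(e)
    flagged = {}
    for key, evs in grouped.items():
        score, reasons = score_session(profiles[key[0]], evs)
        if score >= min_score:
            flagged[key] = (score, reasons)
    return flagged


# Constructed test sessions: a normal day, and the same token id showing up
# from a second client while the real owner is still active.
NORMAL = [
    Event("alice", "s100", "US", "dev-a1", "tickets/2", 40_000),
    Event("alice", "s100", "US", "dev-a1", "kb/faq", 13_000),
]
HIJACKED = [
    Event("alice", "s101", "US", "dev-a1", "kb/faq", 12_000),
    Event("alice", "s101", "NL", "dev-zz", "customers/export", 1_500_000),
    Event("alice", "s101", "NL", "dev-zz", "customers/full_list", 900_000),
]

if __name__ == "__main__":
    for key, (score, reasons) in flag_sessions(HISTORY, NORMAL + HIJACKED).items():
        print(key, score, reasons)
```

The point of the example is that every signal is computed from how the session behaves relative to the user's own history, not from whether the token was valid: the hijacked session authenticates exactly as "alice" does and still scores on all five signals, while the normal session scores zero. A production system would of course use far richer features, time-of-day and peer-group baselines, and weighted rather than counted signals, but the shape of the decision is the same.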
Don’t wait for a breach to occur
MFA is necessary — but not sufficient on its own.
Session hijacking renders authentication ineffective without behavioral monitoring. Vendors handling authentication must be held to the highest security standards, and UEBA is essential to detect misuse of valid credentials and session tokens.
Varonis is uniquely positioned to detect and stop these types of attacks. Our Data Security Platform continuously monitors user behavior across data, identity, and systems, correlating activity to surface threats that bypass traditional defenses.
With real-time alerting and automated response, Varonis helps security teams detect session hijacking, insider threats, and lateral movement before damage is done.
See Varonis in action today.
