Crypto.com Hack Hits 483 Users, Drains $34 Million in Funds

pcmag.com:

Hackers stole $34 million in funds from 483 Crypto.com users.

On Thursday, the cryptocurrency exchange published a blog post discussing the hack after users noticed suspicious activity on their accounts. According to Crypto.com, about $19 million in Bitcoin and another $15 million in Ethereum was drained during the breach. 

The good news for affected users is that Crypto.com is covering any losses. “In the majority of cases we prevented the unauthorized withdrawal, and in all other cases customers were fully reimbursed,” the Singapore-based company said. 

However, Crypto.com did not reveal how the hack occurred. The company’s blog post merely notes that its security systems first detected suspicious activity on Monday, when a “small number” of accounts began approving transactions without the two-factor authentication login from the user. With a two-factor authentication system, a user must input the correct password along with a one-time passcode that’s usually generated on the account holder’s smartphone. 

The statement from Crypto.com suggests the hackers found a way to bypass the system, enabling them to log in and hijack user accounts, perhaps only with a password.

The suspicious activity prompted Crypto.com to immediately suspend all account withdrawals. In addition, “Crypto.com revoked all customer 2FA tokens, and added additional security hardening measures, which required all customers to re-login and set up their 2FA token to ensure only authorized activity would occur,” the company said. 

Since then, Crypto.com has “revamped and migrated” the company’s IT infrastructure to a new two-authentication system. But over time, the company plans on phasing out the two-factor approach for “true Multi-Factor