A Friend’s Coinbase Account Was Just Hacked And They Lost $16,000
Published February 26, 2025
by Joel Bomgar
YouTube Video Transcript
00:01 hey everyone a friend's coinbase account
00:04 was just compromised and the hackers
00:06 stole
00:08 $16,000 of Bitcoin um I want to walk
00:11 through how that happened and how you
00:12 can keep that from happening to you of
00:14 course the easiest way is Bitkey any
00:17 Bitcoin that is on Bitkey you
00:19 do not have to worry about that
00:21 but what happened in this case um and
00:24 I'll tell the whole story including uh
00:26 hopefully you know the resolution at
00:28 some point so um all right the only
00:31 thing that happened is this person's
00:33 Gmail account got hacked um best as I
00:36 can guess although the you know the
00:38 facts are fuzzy even in my own mind uh I
00:41 believe the password on their Gmail
00:43 account was the same password that had
00:45 been used in other places and hackers
00:47 must have gotten a hold of that password
00:49 to the Gmail account somehow best as I
00:52 can tell there was not two-factor
00:54 authentication enabled on the Gmail
00:55 account which means if uh all the
00:59 hackers needed was the email address and
01:00 password data breaches are happening
01:03 constantly all over the world all the
01:05 time and usernames and passwords uh
01:08 meaning email addresses and passwords
01:09 are getting um are getting compromised
01:12 in those data leaks the very first thing
01:14 a hacker does when they get a data leak
01:17 is they go find out if that email
01:19 address and the uh password work on
01:22 Google and you'll find out why they care
01:24 so much about that in just a minute here
01:26 but anyway so every time a data leak
01:28 happens they go through and look for
01:29 Gmail addresses and then they
01:31 plug those Gmail addresses in with the
01:33 associated passwords hoping that
01:35 somebody is using the same email address
01:38 and password for Gmail that they are
01:40 using for Men's Wearhouse or whatever it
01:42 was that got compromised just obviously
01:45 you know they're they're hoping that the
01:46 same as soon as they find uh some that's
01:49 the same so you know rule number one do
01:51 not reuse passwords if you are using uh
01:54 you need to use a password manager uh
01:57 you know the best one in my opinion is
01:58 the Apple password manager that's built
02:00 into Apple devices uh but you need to
02:02 use a password manager and all of your
02:04 passwords need to be different it is
02:05 very important or even better yet use
02:07 passkeys passkeys solve all of this
02:10 problem so uh passkeys are much better
02:13 um but if you're using passwords because
02:15 a lot of things still do not
02:18 support okay so if you can use on any
02:21 website log in with Apple or use a
02:24 passkey that is much better than a username
02:26 or password um for all the reasons I've
02:29 posted in various uh posts but if you if
02:32 you have to use a password for a website
02:34 instead of logging in with Apple or
02:37 instead of a passkey um then you've got
02:39 to make sure your passwords are unique
02:41 and you're not reusing passwords because
02:42 again hackers love reused passwords the
02:45 very first thing they're going to do is
02:46 see if they can go use a reused email
02:49 address and password uh or not email
02:51 address because everybody use reuses
02:52 email addresses but your your email
02:54 address and a reuse password they're
02:56 going to try to use that to log into
02:57 Google and the reason they use it to log
02:59 into Google is because Google often
03:02 times does not have two-factor
03:03 authentication turned on so
03:05 rule okay so rule number one is use
03:08 unique passwords do not reuse passwords
03:10 and do not use generic passwords um rule
03:13 number two is get two-factor
03:16 authentication turned on on everything
03:18 especially your Google account the
03:20 hackers love to get a hold of a Google
03:22 account because a Google account gives
03:24 them access to two things that they
03:26 really really really want which is the
03:29 Google password manager
03:31 um and the Google Authenticator app so a
03:34 lot of people are using Google
03:35 authenticator for two-factor
03:37 authentication and so if hackers get a
03:39 hold of your Google account they get
03:41 access to your Google password manager
03:43 and any if you're backing up um
03:46 two-factor authentication codes to your
03:47 Google account which I think is turned
03:49 on by default then it also gives them
03:51 access to all those two-factor
03:52 authentication codes so they basically
03:54 have the keys to the kingdom right there
03:56 and they can get into any of your
03:58 accounts whether or not they have
03:59 two-factor Authentication now um if your
04:01 two-factor authentication is tied to
04:03 your phone number then they will try to
04:05 use the Google uh password manager to
04:08 log in to Verizon or AT&T or C Spire or
04:11 whatever you're using they will try to
04:13 log in and uh swap over your phone
04:16 number to a device they control sometime
04:18 in the wee middle of the night uh when
04:20 you're not paying attention and you're
04:21 sleeping they'll swap it over uh and
04:24 then log in and then they'll grab the
04:25 two-factor authentication codes um so
04:28 rule number one don't you don't reuse
04:29 password
04:30 uh rule number two is make sure two-factor
04:33 authentication is turned on on
04:34 everything especially your Gmail account
04:37 because again Google gives everyone if
04:40 you compromise a Google account you have
04:42 the keys to the kingdom because you have
04:44 access to the Google password manager
04:46 and you have access to the Google
04:48 Authenticator app if it's backed up to
04:51 the cloud which it is by default so what
04:53 did these hackers do again this is the
04:55 my best my best estimation of what these
04:57 hackers did to steal $16,000 of Bitcoin
05:01 from my friend so he woke up in the
05:03 morning rolled over grabbed his phone
05:05 and there was a whole series of email
05:08 alerts from coinbase the first said um
05:11 you have sold $16,000 of Bitcoin the
05:14 second said you have added a bank
05:16 account to your account the third said
05:18 you have added a second bank account to
05:20 your account the fourth email said you
05:22 have initiated an $8,000 wire transfer
05:25 to the first bank account the fifth
05:27 email alert said you have initiated
05:29 another $8,000 wire transfer to the
05:31 other the second bank account uh all
05:33 those series of emails first thing in
05:35 the morning so they of course locked
05:38 their account but those uh withdrawals
05:40 had already been initiated in the wee
05:41 hours of the morning so here's how
05:43 here's how the hackers got into the
05:46 coinbase account they uh compromised the
05:48 Gmail account they through a data breach
05:50 of some sort they got the email address
05:52 and password um for some site other than
05:56 Google that username and password
05:58 they used that same username and
06:00 password to log into Google and because
06:02 two-factor authentication was not
06:04 enabled on the Google account they got
06:05 in once they were in they looked through
06:08 the password manager on Google and found
06:11 that there was a an entry for coinbase
06:13 they also looked through the two-factor
06:15 authentication codes um in Google
06:17 Authenticator and realized there was one
06:19 for coinbase as well which gave them
06:21 again all the keys to the kingdom they
06:23 then could log in the coinbase using the
06:25 email address and password they found in
06:26 Google password manager and they could
06:28 log in uh further into coinbase using
06:31 two-factor authentication codes uh from
06:34 the Google Authenticator app because
06:36 they had access to that also because
06:37 they had compromised the Gmail account
06:39 so how do you keep this from happening
06:42 well again buy a Bitkey
06:44 bitkey.world uh hackers and scammers
06:48 cannot compromise your Bitkey it's just
06:51 that simple buy a Bitkey and whatever
06:53 Bitcoin you keep on Bitkey is safe
06:56 you're not going to lose it you're not
06:58 going to you know they they've set up
06:59 Bitkey where as long as you have a
07:01 trusted contact setup it's basically
07:03 completely impossible to lose your
07:05 Bitcoin I mean it is a brilliant setup
07:08 you do not have to worry about doing
07:09 something wrong you do not have to worry
07:11 about losing your Bitcoin just buy a
07:13 Bitkey that is the number one answer now
07:15 the good news is in this case the
07:17 individual did have the majority of
07:19 their Bitcoin on Bitkey so if they had
07:22 not moved the majority of their Bitcoin
07:24 over to Bitkey they would have lost way
07:26 more than
07:27 $16,000 so thankfully they only lost
07:30 $16,000 which was a small percentage of
07:33 their total Bitcoin if they had not
07:35 moved the majority over to Bitkey
07:38 about a month or two back they would
07:39 have lost all of it but thankfully they
07:42 preserved the vast majority of it
07:44 because it's sitting on Bitkey and the
07:45 only amount that they had left on
07:47 coinbase was 16,000 which is what the
07:49 hackers wire transferred off
07:53 of coinbase to their own bank accounts
07:56 um anyway so the way to keep this from
07:58 happening is Bitkey but the way to keep
08:00 it from you know the way to just secure
08:02 your account so that other stuff doesn't
08:04 get hacked because this is the exact
08:05 same way hackers get into everything
08:08 from bank accounts to anything is their
08:10 favorite way to do it is to
08:11 compromise a Gmail account and then use
08:13 the Google password manager and the
08:15 Google Authenticator app to to get the
08:18 passwords and the two-factor
08:19 authentication codes to log into all
08:20 your stuff and they they're basically
08:22 you know they got the keys to the
08:23 kingdom so um again rule number one do
08:26 not reuse passwords use a good password
08:28 manager and every single thing you ever
08:30 log into should have a different
08:31 password um well rule number zero is
08:34 don't use passwords at all every time
08:35 you can use login with apple or you can
08:38 use a pass key always use login with
08:40 apple or if you if that's not an option
08:43 and you have the option to use a
08:44 passkey use a passkey uh passkeys are not
08:47 susceptible to this sort of hack uh
08:49 which is why they were invented uh
08:52 passkeys were specifically invented so that
08:55 you would not be able to hack people's
08:56 accounts you know the way people are
08:58 doing it in this case so uh rule number
09:01 zero is use uh a passkey or login with
09:05 apple anywhere you can rule number one
09:08 is don't reuse passwords anywhere rule
09:10 number two is get two-factor
09:12 authentication turned on on your Gmail
09:14 account or any accounts that are
09:16 connected to Gmail a lot of people have
09:18 unique accounts but they're actually
09:19 Gmail on the back end so even if you
09:21 have a unique email address if the way
09:23 you get access to that is the Gmail
09:26 platform make sure two-factor
09:28 authentication is turned on for that
09:29 same with Microsoft if you're using
09:31 Microsoft Office 360 or 365 whatever
09:34 they call it um if you're using the
09:36 Microsoft platform make sure two-factor
09:38 authentication is turned off on that
09:40 just make sure two-factor authentication
09:42 is turned on on all of your stuff um now
09:45 um and also just be aware that if
09:47 somebody gets access to your uh
09:49 two-factor authentication or if they get
09:51 access to your Gmail account and your
09:53 two-factor authentication codes are
09:55 backed up from Google Authenticator they
09:57 will also have access to that now that
09:59 is admittedly a tough one uh the
10:01 reason I don't go on on you know
10:03 Facebook and say hey everybody turn off
10:06 the cloud backup on your Google
10:07 Authenticator app is because obviously
10:09 then if you lose your phone or you turn
10:11 your phone in uh to you know Verizon or
10:14 AT&T or C Spire and you forget to move
10:16 over your two-factor authentication
10:18 codes then it is a royal pain to get
10:20 back into all your accounts because you
10:21 don't have any of your two-factor
10:22 authentication codes so that is honestly
10:24 a tough one the convenient thing to do
10:27 is let it back up those codes to the
10:28 cloud the secure thing to do is turn off
10:31 the cloud backup but again then if you
10:33 lose your phone uh it's a royal pain
10:36 now maybe a solution is um you know back
10:40 up your two-factor authentication codes
10:43 on someone else's phone and then that
10:45 way if you lose your phone you can go
10:47 you know move them back from someone
10:48 else's phone but there's not a good way
10:50 to do that real time so even if you have
10:51 10 you know let's call it you have 10
10:54 different entries in um Google
10:56 authenticator for 10 different you know
10:58 super secure sites two-factor
11:00 authentication codes even if you
11:01 replicate those to someone else's phone
11:04 and turn off cloud backup on their phone
11:06 and your phone then the question is what
11:08 happens when you need to add an 11th uh
11:11 Website login you got to go track that
11:13 person down and share that one with them
11:15 again like it's just there's not a good
11:17 scalable Solution on that um which again
11:20 that's why passkeys were invented
11:22 passkeys were invented because there was not
11:24 a good solution for two-factor
11:26 authentication codes um because they
11:28 have this problem which is well you got
11:29 back them up somewhere but if you back
11:31 them up then the hacker can get them but
11:32 if you don't back them up and you lose
11:34 them it's a royal pain um Bitkey solves
11:36 all of this Bitkey solves everything
11:39 Bitkey was invented to solve all of the
11:41 problems related to bitcoin security and
11:44 is even better than passkeys and is
11:47 even better than login with Apple
11:48 because you have the Bitcoin in your
11:49 control so um by far the best solution
11:53 for Bitcoin is Bitkey um but regardless
11:56 you ought to have secure infrastructure
11:57 just so you don't get hacked regardless
11:59 and the best way to do that is use
12:01 passkeys and use login with Apple um and um
12:04 don't reuse passwords make sure
12:06 two-factor authentication is turned on
12:08 especially for your Gmail account um but
12:10 but anything else you care about as well
12:13 and um the the oh the last thing is um
12:16 in Google and in apple you can tell what
12:18 devices are logged into your account
12:20 just to make sure you haven't been
12:22 compromised it's worth going through and
12:24 kicking off any devices you don't
12:26 recognize so you can log in to your
12:28 Apple account just in your phone and
12:29 it'll show you all the devices that are
12:31 logged into your Apple account and you
12:33 can disconnect uh or log out any devices
12:35 you don't recognize which are usually
12:37 old iPhones and old iPads that you
12:39 forgot you even had um or maybe an old
12:42 out-of-date Apple Watch you lost or
12:43 whatever uh but it's worth just logging
12:45 those devices out just to make sure that
12:47 they're they're not somehow a device
12:49 from a hacker that they're hoping you
12:50 don't notice and same on Google it's
12:52 worth going into your Google account if
12:54 you have a Google account and uh in the
12:56 settings it'll tell you every device
12:58 that's logged in it'll say hey here's a
13:00 web login from XYZ some of those web
13:02 logins are from your phone or your
13:04 laptop but anything you don't recognize
13:07 is worth just logging out worst case
13:09 scenario you log back in who cares you
13:11 know you find out you're like oh I don't
13:12 recognize that web login from Safari
13:14 well you log it out and you find out oh
13:16 that was the login on your actual iPhone
13:18 well so what you log back in who cares
13:20 it's super simple um but the benefit of
13:22 logging that stuff out is if a hacker if
13:25 one of those logins is a hacker and you
13:28 enable two-factor Authentication then
13:30 you make sure that they don't still have
13:31 access to your account because
13:32 obviously if you enable two-factor
13:34 authentication and they already have
13:36 access to your account then they're
13:37 still going to have access to your
13:38 account so it's worth making sure that
13:41 you log out anything you don't recognize
13:43 in Apple or Google so hopefully this is
13:45 helpful now I'm hoping my friend gets
13:47 the $16,000 of Bitcoin back there is a
13:50 chance that coinbase will be able to
13:52 freeze the assets uh because if they had
13:55 moved it off the coinbase platform via
13:57 Bitcoin itself obviously bitcoin's
14:00 unstoppable and that's one of its
14:01 benefits um but obviously there's you
14:03 know with power comes responsibility in
14:05 this case because it was moved with
14:07 an old school bank account there's some
14:09 chance that they can chase those funds
14:11 through the old school bank account
14:13 system and try to freeze them at some
14:14 point and get them returned so I'm
14:16 hoping my friend gets his $16,000 back
14:20 um and you know and you know hopefully
14:22 coinbase will give it back to him in the
14:23 form of Bitcoin or US dollars that he
14:26 can use to buy back the Bitcoin that the
14:28 hacker sold on his account um but it's
14:30 unknown at this point um anyway so
14:33 please buy a Bitkey the easiest way to
14:35 secure your Bitcoin is $149 at
14:39 bitkey.world just buy yourself a Bitkey you
14:41 know if you're not comfortable with it
14:42 move $1 of Bitcoin over to it just like
14:44 $1 just move it and get comfortable with
14:47 it because again if somebody calls me
14:50 and they're like uh-oh something bad
14:51 happened I'm like if they have a
14:53 Bitkey nobody got their Bitcoin if they
14:56 don't you just don't know hackers and
14:58 scammers are everywhere all the time
15:01 constantly trying to talk
15:03 people into giving them access to their
15:05 accounts or like these hackers did
15:07 because this guy is way too smart to you
15:09 know fall for a scammer the hacking
15:11 techniques of compromising his Gmail
15:13 account using that to get to his
15:14 password manager using that to get to
15:17 his Google Authenticator and then using
15:19 passwords and Google Authenticator codes
15:21 to get access to his coinbase account
15:22 and send money out so um anyway uh
15:26 hopefully this is helpful go check your
15:28 Gmail account right now and make sure
15:30 it's got two-factor authentication
15:31 turned on and go through your Google
15:34 account and your Apple account and log
15:35 out any devices or logins you don't
15:37 recognize and um please be safe out
15:40 there and get yourself a Bitkey Bitkey
15:42 just solves all this it's just so simple
15:44 it's so straightforward it's so elegant
15:46 and as of yesterday they even have the
15:48 retirement feature built in which is
15:49 totally awesome so get yourself a
15:51 Bitkey so you don't get hacked you don't
15:52 get scammed and you just don't have to
15:54 worry about it but go secure the rest of
15:56 your stuff because you know you have
15:58 other stuff you probably care about as
15:59 well have a great day everyone thanks
Disclaimer:
The content provided in this post is for educational purposes only. It should not be considered financial, investment, or trading advice. I am not a licensed financial advisor, and all opinions expressed are my own. Always conduct your own research and consult with a qualified financial advisor before making any investment decisions. Investing in Bitcoin or any other assets carries risk, and you should never invest more than you can afford to lose.