00:01 Hey everyone. A friend's Coinbase account was just compromised and the hackers stole $16,000 of Bitcoin. I want to walk through how that happened and how you can keep that from happening to you. Of course, the easiest way is Bitkey: any Bitcoin that is on Bitkey, you do not have to worry about. But what happened in this case? I'll tell the whole story, including, hopefully, the resolution at some point. All right, the only thing that happened is this person's Gmail account got hacked.
00:36 Best as I can guess, although the facts are fuzzy even in my own mind, I believe the password on their Gmail account was the same password that had been used in other places, and hackers must have gotten hold of that password to the Gmail account somehow. Best as I can tell, there was not two-factor authentication enabled on the Gmail account, which means all the hackers needed was the email address and password. Data breaches are happening constantly, all over the world, all the time, and usernames and passwords, meaning email addresses and passwords, are getting compromised in those data leaks. The very first thing a hacker does when they get a data leak is go find out if that email address and password work on Google, and you'll find out why they care so much about that in just a minute. But anyway, every time a data leak happens they go through and look for Gmail addresses, and then they plug those Gmail addresses in with the associated passwords, hoping that somebody is using the same email address and password for Gmail that they are using for Men's Wearhouse or whatever it was that got compromised. Obviously, they're hoping that it's the same. So, rule number one: do not reuse passwords.
01:54 You need to use a password manager. The best one, in my opinion, is the Apple password manager that's built into Apple devices, but you need to use a password manager, and all of your passwords need to be different. It is very important. Or, even better yet, use passkeys. Passkeys solve all of this problem, so passkeys are much better. But if you're using passwords, because a lot of things still do not support them, okay: if on any website you can use Login with Apple or use a passkey, that is much better than a username and password, for all the reasons I've posted in various posts. But if you have to use a password for a website instead of logging in with Apple or instead of a passkey, then you've got to make sure your passwords are unique and you're not reusing passwords, because again, hackers love reused passwords. The very first thing they're going to do is see if they can use a reused email address and password, or not a reused email address, because everybody reuses email addresses, but your email address and a reused password. They're going to try to use that to log into Google, and the reason they use it to log into Google is because Google oftentimes does not have two-factor authentication turned on.
03:05 Okay, so rule number one is use unique passwords: do not reuse passwords and do not use generic passwords. Rule number two is get two-factor authentication turned on on everything, especially your Google account. The hackers love to get hold of a Google account because a Google account gives them access to two things that they really, really, really want, which is the Google password manager and the Google Authenticator app. A lot of people are using Google Authenticator for two-factor authentication, and so if hackers get hold of your Google account they get access to your Google password manager, and if you're backing up two-factor authentication codes to your Google account, which I think is turned on by default, then it also gives them access to all those two-factor authentication codes. So they basically have the keys to the kingdom right there, and they can get into any of your accounts whether or not they have two-factor authentication.

03:59 Now, if your two-factor authentication is tied to your phone number, then they will try to use the Google password manager to log in to Verizon or AT&T or C Spire or whatever you're using. They will try to log in and swap over your phone number to a device they control, sometime in the wee hours of the night when you're not paying attention and you're sleeping. They'll swap it over, and then log in, and then they'll grab the two-factor authentication codes.

04:28 So rule number one: don't reuse passwords. Rule number two is make sure two-factor authentication is turned on on everything, especially your Gmail account, because again, if you compromise a Google account you have the keys to the kingdom, because you have access to the Google password manager and you have access to the Google Authenticator app if it's backed up to the cloud, which it is by default. So what did these hackers do?
04:55 Again, this is my best estimation of what these hackers did to steal $16,000 of Bitcoin from my friend. So he woke up in the morning, rolled over, grabbed his phone, and there was a whole series of email alerts from Coinbase. The first said you have sold $16,000 of Bitcoin. The second said you have added a bank account to your account. The third said you have added a second bank account to your account. The fourth email said you have initiated an $8,000 wire transfer to the first bank account. The fifth email alert said you have initiated another $8,000 wire transfer to the second bank account. All that series of emails, first thing in the morning. So of course they locked their account, but those withdrawals had already been initiated in the wee hours of the morning. So here's how the hackers got into the Coinbase account.
05:48 They compromised the Gmail account. Through a data breach of some sort, they got the email address and password for some site other than Google. They used that same username and password to log into Google, and because two-factor authentication was not enabled on the Google account, they got in. Once they were in, they looked through the password manager on Google and found that there was an entry for Coinbase. They also looked through the two-factor authentication codes in Google Authenticator and realized there was one for Coinbase as well, which gave them, again, all the keys to the kingdom. They then could log in to Coinbase using the email address and password they found in Google password manager, and they could log in further into Coinbase using two-factor authentication codes from the Google Authenticator app, because they had access to that also, because they had compromised the Gmail account.
06:39 So how do you keep this from happening? Well, again, buy a Bitkey: bitkey.world. Hackers and scammers cannot compromise your Bitkey. It's just that simple. Buy a Bitkey, and whatever Bitcoin you keep on Bitkey is safe. You're not going to lose it. They've set up Bitkey where, as long as you have a trusted contact set up, it's basically completely impossible to lose your Bitcoin. I mean, it is a brilliant setup. You do not have to worry about doing something wrong. You do not have to worry about losing your Bitcoin. Just buy a Bitkey. That is the number one answer.

07:15 Now, the good news is in this case the individual did have the majority of their Bitcoin on Bitkey. If they had not moved the majority of their Bitcoin over to Bitkey, they would have lost way more than $16,000. So thankfully they only lost $16,000, which was a small percentage of their total Bitcoin. If they had not moved the majority over to Bitkey about a month or two back, they would have lost all of it. But thankfully they preserved the vast majority of it because it's sitting on Bitkey, and the only amount that they had left on Coinbase was $16,000, which is what the hackers wire transferred off of Coinbase to their own bank accounts.
07:56 Anyway, so the way to keep this from happening is Bitkey. But the way to just secure your accounts so that other stuff doesn't get hacked, because this is the exact same way hackers get into everything, from bank accounts to anything: their favorite way to do it is to compromise a Gmail account and then use the Google password manager and the Google Authenticator app to get the passwords and the two-factor authentication codes to log into all your stuff, and they basically, you know, they've got the keys to the kingdom.

08:23 So, again, rule number one: do not reuse passwords. Use a good password manager, and every single thing you ever log into should have a different password. Well, rule number zero is don't use passwords at all. Every time you can use Login with Apple or you can use a passkey, always use Login with Apple, or, if that's not an option and you have the option to use a passkey, use a passkey. Passkeys are not susceptible to this sort of hack, which is why they were invented. Passkeys were specifically invented so that you would not be able to hack people's accounts the way people are doing it in this case. So rule number zero is use a passkey or Login with Apple anywhere you can. Rule number one is don't reuse passwords anywhere. Rule number two is get two-factor authentication turned on on your Gmail account or any accounts that are connected to Gmail. A lot of people have unique accounts, but they're actually Gmail on the back end, so even if you have a unique email address, if the way you get access to that is the Gmail platform, make sure two-factor authentication is turned on for that. Same with Microsoft: if you're using Microsoft Office 360 or 365, whatever they call it, if you're using the Microsoft platform, make sure two-factor authentication is turned on on that. Just make sure two-factor authentication is turned on on all of your stuff.
09:45 Now, also just be aware that if somebody gets access to your two-factor authentication, or if they get access to your Gmail account and your two-factor authentication codes are backed up from Google Authenticator, they will also have access to that. Now, that is admittedly a tough one. The reason I don't go on Facebook and say, hey everybody, turn off the cloud backup on your Google Authenticator app, is because obviously then if you lose your phone, or you turn your phone in to Verizon or AT&T or C Spire and you forget to move over your two-factor authentication codes, then it is a royal pain to get back into all your accounts, because you don't have any of your two-factor authentication codes. So that is honestly a tough one. The convenient thing to do is let it back up those codes to the cloud. The secure thing to do is turn off the cloud backup, but again, then if you lose your phone it's a royal pain.

10:36 Now, maybe a solution is to back up your two-factor authentication codes on someone else's phone, and then that way if you lose your phone you can move them back from someone else's phone. But there's not a good way to do that in real time. So even if you have, let's call it, 10 different entries in Google Authenticator for 10 different super secure sites' two-factor authentication codes, even if you replicate those to someone else's phone and turn off cloud backup on their phone and your phone, then the question is what happens when you need to add an 11th website login. You've got to go track that person down and share that one with them again. It's just, there's not a good, scalable solution on that, which, again, is why passkeys were invented. Passkeys were invented because there was not a good solution for two-factor authentication codes, because they have this problem, which is, well, you've got to back them up somewhere, but if you back them up then the hacker can get them, but if you don't back them up and you lose them it's a royal pain. Bitkey solves all of this; Bitkey solves everything.
11:39 Bitkey was invented to solve all of the problems related to Bitcoin security, and is even better than passkeys and is even better than Login with Apple, because you have the Bitcoin in your control. So by far the best solution for Bitcoin is Bitkey. But regardless, you ought to have secure infrastructure just so you don't get hacked, and the best way to do that is use passkeys and use Login with Apple, and don't reuse passwords, and make sure two-factor authentication is turned on, especially for your Gmail account, but anything else you care about as well.
12:13 Oh, the last thing is, in Google and in Apple you can tell what devices are logged into your account. Just to make sure you haven't been compromised, it's worth going through and kicking off any devices you don't recognize. So you can log in to your Apple account just on your phone and it'll show you all the devices that are logged into your Apple account, and you can disconnect or log out any devices you don't recognize, which are usually old iPhones and old iPads that you forgot you even had, or maybe an old out-of-date Apple Watch you lost or whatever. But it's worth just logging those devices out, just to make sure that they're not somehow a device from a hacker that they're hoping you don't notice. And same on Google: it's worth going into your Google account, if you have a Google account, and in the settings it'll tell you every device that's logged in. It'll say, hey, here's a web login from XYZ. Some of those web logins are from your phone or your laptop, but anything you don't recognize is worth just logging out. Worst case scenario, you log back in. Who cares? You know, you find out, you're like, oh, I don't recognize that web login from Safari. Well, you log it out and you find out, oh, that was the login on your actual iPhone. Well, so what? You log back in. Who cares? It's super simple. But the benefit of logging that stuff out is, if one of those logins is a hacker and you enable two-factor authentication, then you make sure that they don't still have access to your account, because obviously if you enable two-factor authentication and they already have access to your account, then they're still going to have access to your account. So it's worth making sure that you log out anything you don't recognize in Apple or Google.
13:45 So hopefully this is helpful. Now, I'm hoping my friend gets the $16,000 of Bitcoin back. There is a chance that Coinbase will be able to freeze the assets, because if they had moved it off the Coinbase platform via Bitcoin itself, obviously Bitcoin's unstoppable, and that's one of its benefits, but obviously, you know, with power comes responsibility. In this case, because it was moved with an old-school bank account, there's some chance that they can chase those funds through the old-school bank account system and try to freeze them at some point and get them returned. So I'm hoping my friend gets his $16,000 back, and hopefully Coinbase will give it back to him in the form of Bitcoin or US dollars that he can use to buy back the Bitcoin that the hacker sold on his account. But it's unknown at this point.
14:33 Anyway, so please buy a Bitkey. The easiest way to secure your Bitcoin is a $149 Bitkey, bitkey.world. Just buy yourself a Bitkey. You know, if you're not comfortable with it, move $1 of Bitcoin over to it, just like $1. Just move it and get comfortable with it, because again, if somebody calls me and they're like, uh-oh, something bad happened, if they have a Bitkey, nobody got their Bitcoin. If they don't, you just don't know. Hackers and scammers are everywhere, all the time, constantly trying to talk people into giving them access to their accounts, or, like these hackers did, because this guy is way too smart to fall for a scammer, the hacking techniques of compromising his Gmail account, using that to get to his password manager, using that to get to his Google Authenticator, and then using passwords and Google Authenticator codes to get access to his Coinbase account and send money out.

15:26 So anyway, hopefully this is helpful. Go check your Gmail account right now and make sure it's got two-factor authentication turned on, and go through your Google account and your Apple account and log out any devices or logins you don't recognize. And please be safe out there, and get yourself a Bitkey. Bitkey just solves all this. It's just so simple, it's so straightforward, it's so elegant, and as of yesterday they even have the retirement feature built in, which is totally awesome. So get yourself a Bitkey so you don't get hacked, you don't get scammed, and you just don't have to worry about it. But go secure the rest of your stuff, because you know you have other stuff you probably care about as well. Have a great day everyone. Thanks.