How to hack an exchange account

Since I see the question of "are exchanges unsafe", here's guide to how to hack an exchange account for you to decide for yourself. This assumes the user has Google Authenticator 2FA.

TLDR; Exploiting "lost 2FA" workflows are easier than "hacking 2FA"

1. Get Email and Phone number - These can be found on the leaked BitcoinTalk database, the Ledger database, YahooMail database, and the coinmarketcap database
2. Determine the phone carrier - In many cases, tools can be used to determine what carrier is associated with which phone number.
3. SIM Swap the phone - This is hit or miss. It usually entails either getting a part-time job at a mobile carrier, or bribing a friend that works there. There are reports of SIM swaps selling for as little as $20
4. Claim "lost password" on Email account - In most cases, this will trigger the email carrier to send a one-time password to the phone on file. With this, the sim swapper has now elevated their attack to taking over the users email.
5. Assume userid is same on email and exchange - Most users like [email protected] will also have an exchange account userid of JYellen
6. Claim lost password on Exchange - With the guessed userid the attacker can file a lost password claim. Crappy exchanges will then email a lost password link to your email. Once they change the password, they still need the 2FA to gain full access. Also, in some cases, the user database leak, like with YahooMail, will include the password. If users recycle their password, then attackers can get userid/password for your email and your exchange.
7. Claim lost phone (2FA) on Exchange - Some exchanges, incredibly, will let users simply strip the Authenticator 2FA off their account by claiming "lost 2FA". This will trigger a validation email, but since the hacker already hacked the email, they can answer that challenge.

Few ways to prevent this:

• Don't use same user-id or same passwords on accounts. If JYellen didn't reuse her username on cmail and the exchange, this linkage would have broken.
• Don't use the same email on your exchange as the forums. If JYellen would not have used her cmail on both CoinMarketCap site and the exchange, this link would have been broken.
• Tighten security on your email - Some email providers allow users to disable the "lost password" and "lost 2FA" features on the email account. This means if you lose your email password or email 2FA, you give them permission to delete your account. Many attacks don't guess your password, they just claim to be you and that the password is lost or forgotten.
• Use better 2FA - Ultimately crappy "lost password / 2FA" workflows are not your fault and can't be avoided, but sometimes better 2FA can help. If you use hardware-2FA they often have different workflows than the "lost phone" workflow. Basically, you want it to be as difficult as possible to navigate a lost password or lost 2FA situation. So choose the one that is the hardest to reset.
• Don't keep funds on exchange - The problem with exchanges is that you put your trust in the exchange to maintain some semblance of good sense. Unfortunately when exchanges get thousands of lost password tickets every day, they are often tempted to loosen the requirement for password resets. Often at the behest of the very customers they are trying to secure. If you simply stop trusting the exchanges to hold your balance week after week, then you can secure your accounts better (sometimes) outside of an exchange. This way, you are the only one you have to trust, not a password-reset admin.

In a perfect world, exchanges would lock accounts down for weeks if someone claiming to be you said they lost their phone with all their 2FA on it. But the world isn't perfect. Coinbase recently admitted that their lost secret workflow was flawed.

Just be careful out there.