Hacker News new | past | comments | ask | show | jobs | submit login

I think crypto companies should block withdrawals for a period of time after a password recovery.

(OP, you are calculating your losses, but didn't specify what those losses were. Did the thief get your crypto?)




I have not regained access to my bitcoin account, in part because I have not contacted customer support to do so. I’ve been too busy regaining access and continuing to support my client base.

My account is locked, and I am pretty sure my funds are still there. It will be a significant loss, but not devastating as this was my non-primary investment account.

I still don’t know the full extent of my losses.

So far, my losses are primarily loss of billable time. I am not a litigious person, but I am also going to educate myself as to what ‘pain-and-suffering’ means. Both my personal and business bank accounts are ok. I now understand why banks do not use email addresses as the login id. The thief would not (easily) be able to align my email address with my bank login id.

Once through this, I plan to disassociate any portion of my login id from my name.


If your crypto was stored on an exchange then this is par for the course; rule number one is that if you don't control the private keys, the coins are not yours.

You haven't even tried to regain access to it? Instead of spending time on HN you might want to reach out to Coinbase.


Agreed. Done. "Thanks for taking the time to contact us. We're currently receiving a high number of requests so we may take longer to respond, but our team is working hard to get to every inquiry quickly."


> I now understand why banks do not use email addresses as the login id. The thief would not (easily) be able to align my email address with my bank login id.

This is an important point and one I've been thinking about for years. There's so much discussion about using password managers and good password practices and 2FA but almost no discussion on how using a single identifier to log into all these various services is in itself a huge security vulnerability. If we had different login usernames for each service, gaining access to people's accounts would be that much more difficult.

Email should be reserved for communications and not double as a means for authentication.


Or get a domain with catch-all, and a different email for every service. Ideally not trivially guessable.
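One way to make per-service addresses on a catch-all domain that are stable for you but not guessable by a thief who has seen one of them. This is an added example, not code from the thread; the domain `example.com`, the secret, and the service names are assumed for illustration. Each alias is a truncated HMAC of the service name under a secret only you hold, so the alias used at one service reveals nothing about the alias used at another, and a reverse lookup over your own list of services tells you which one leaked an address.

```python
import hashlib
import hmac

DOMAIN = "example.com"   # assumed catch-all domain; replace with your own
TAG_LEN = 12             # hex chars kept from the HMAC (48 bits)


def service_alias(secret: bytes, service: str,
                  domain: str = DOMAIN, tag_len: int = TAG_LEN) -> str:
    """Derive the mailbox name to use at one service.

    The local part is a truncated HMAC-SHA256 of the normalized service name
    keyed with a secret only the owner knows, so the addresses are
    deterministic (you can always recompute them) but unrelated to each other
    and to your name.
    """
    norm = service.strip().lower()
    tag = hmac.new(secret, norm.encode("utf-8"), hashlib.sha256).hexdigest()[:tag_len]
    return f"{tag}@{domain}"


def identify_service(secret: bytes, address: str, known_services,
                     domain: str = DOMAIN, tag_len: int = TAG_LEN):
    """Map an address that received mail back to the service it was issued to.

    Returns the service name, or None if the address is not one we issued.
    Useful for spotting which service leaked or sold the address.
    """
    local, _, dom = address.strip().lower().partition("@")
    if dom != domain:
        return None
    for service in known_services:
        expected = service_alias(secret, service, domain, tag_len).split("@")[0]
        if hmac.compare_digest(expected, local):
            return service
    return None


if __name__ == "__main__":
    # Constructed demo values; the secret would normally live in a password manager.
    secret = b"long random secret kept only by the owner"
    services = ["bank", "coinbase", "webmail"]
    for s in services:
        print(f"{s:10s} -> {service_alias(secret, s)}")
    leaked = service_alias(secret, "coinbase")
    print("leaked address belongs to:", identify_service(secret, leaked, services))
```

The alias itself no longer tells anyone which service it belongs to; only the holder of the secret can recompute the mapping, which is the property the comment above is asking for.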


Coinbase has extensive access to mobile provider data. They can see when a number was ported and what phone the thief uses, but it's really hard to make decisions.


I understand that it's hard in the edge cases, but a port followed by account recovery within a short period of time should be enough of a red flag to immediately lock the account.


> A port followed by account recovery within a short period of time should be enough of a red flag to immediately lock the account

What happens if a legitimate customer's phone gets lost and they quickly transfer the number and reset their accounts?

I think they should do a video call verification.


If a customer loses the phone, and then ports the number instead of replacing it, and also forgets their password at the same time... yeah, I think it's fair to give them a bit of a hard time before letting them in.

Video verification sounds reasonable, as would some wait time. What's not reasonable in that situation is a self-service fully automated account recovery via SMS and e-mail verification followed by allowing withdrawals.
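The policy the last few comments converge on, as an added example and not anything Coinbase or any exchange actually runs: withdrawals are held for a fixed window after an account recovery (the suggestion at the top of the thread), and a number port shortly before a recovery locks the account for manual identity verification instead of allowing self-service recovery to proceed to a withdrawal. The window lengths, event names and timeline below are assumed values constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable

# Assumed policy knobs, not any exchange's real settings.
RECOVERY_HOLD = timedelta(hours=72)            # no withdrawals this long after a recovery
PORT_TO_RECOVERY_WINDOW = timedelta(hours=48)  # port followed by recovery within this -> lock


@dataclass(frozen=True)
class Event:
    kind: str      # "number_port", "account_recovery", "identity_verified", ...
    at: datetime


def evaluate_withdrawal(events: Iterable[Event], now: datetime) -> str:
    """Decide what to do with a withdrawal request at time `now`.

    Returns one of:
      "allow" - no recent recovery, or the hold has expired
      "hold"  - recovery happened less than RECOVERY_HOLD ago; wait it out
      "lock"  - a number port preceded the latest recovery inside
                PORT_TO_RECOVERY_WINDOW and no human identity check has
                cleared it since (the SIM-swap pattern from the thread)

    Only events at or before `now` are considered.
    """
    past = [e for e in events if e.at <= now]
    recoveries = [e.at for e in past if e.kind == "account_recovery"]
    if not recoveries:
        return "allow"
    last_recovery = max(recoveries)

    ports = [e.at for e in past if e.kind == "number_port"]
    verified = [e.at for e in past if e.kind == "identity_verified"]

    # Port shortly *before* the recovery is the red flag; a port long ago is not.
    suspicious = any(timedelta(0) <= last_recovery - p <= PORT_TO_RECOVERY_WINDOW
                     for p in ports)
    # A manual check (e.g. video call) performed after the recovery lifts the lock.
    cleared = any(v >= last_recovery for v in verified)
    if suspicious and not cleared:
        return "lock"

    # The time-based hold is deliberately not lifted by verification, so even
    # a recovery that passes the human check cannot drain the account at once.
    if now - last_recovery < RECOVERY_HOLD:
        return "hold"
    return "allow"


def sample_decisions() -> dict:
    """Constructed timelines showing the three outcomes."""
    t0 = datetime(2021, 5, 1, 12, 0)
    stolen = [Event("number_port", t0),
              Event("account_recovery", t0 + timedelta(minutes=20))]
    honest = [Event("account_recovery", t0)]
    stolen_checked = stolen + [Event("identity_verified", t0 + timedelta(hours=2))]
    return {
        "stolen_immediate": evaluate_withdrawal(stolen, t0 + timedelta(hours=1)),
        "stolen_after_4d": evaluate_withdrawal(stolen, t0 + timedelta(days=4)),
        "stolen_verified_3h": evaluate_withdrawal(stolen_checked, t0 + timedelta(hours=3)),
        "stolen_verified_4d": evaluate_withdrawal(stolen_checked, t0 + timedelta(days=4)),
        "honest_immediate": evaluate_withdrawal(honest, t0 + timedelta(hours=1)),
        "honest_after_4d": evaluate_withdrawal(honest, t0 + timedelta(days=4)),
    }


if __name__ == "__main__":
    for name, decision in sample_decisions().items():
        print(f"{name:20s} {decision}")
```

The honest lost-phone case from the comment above still gets a temporary hold rather than a permanent lock, and a human verification step lifts the lock without also lifting the hold, which is the "give them a bit of a hard time" outcome rather than an outright denial.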


I thought Coinbase did just this... either made recoveries a multi-day thing, or disallowed transfers afterwards. Maybe that was BlockFi.





