Coinbase Discloses Insider Data Breach Affecting Less Than 1% of Users

Coinbase, one of the world’s largest cryptocurrency exchanges, has publicly disclosed a data breach involving insider threats, revealing that a small number of overseas customer support agents were bribed to leak sensitive user data. While no funds or passwords were stolen, the incident affected less than 1% of the platform’s nearly 10 million monthly users.

What Happened?

According to a statement from Coinbase, unknown cybercriminals approached and successfully bribed a small group of customer support contractors working overseas—specifically in India. These insiders were offered cash to access internal customer service tools and copy sensitive user information.

What Data Was Exposed?

Although Coinbase confirmed that no passwords, private keys, or user funds were accessed, the threat actors did obtain a range of personally identifiable information (PII), including:

• Name, email, phone number, and physical address

• The last 4 digits of Social Security numbers

• Masked bank account numbers and partial banking information

• Government-issued ID images (e.g., driver's license, passport)

• Transaction history and account balances

• Limited internal support documents and training materials

This information was reportedly used to create a list of targets, whom attackers then contacted while impersonating Coinbase in attempts to extract crypto assets.

Extortion Attempt and Coinbase’s Response

On May 11, 2025, the attackers allegedly tried to extort $20 million from Coinbase, claiming to have stolen internal data and customer records. The company declined to pay and immediately launched a security investigation. All involved contractors have been fired, and law enforcement has been notified.

As part of its response, Coinbase:

• Is reimbursing any affected users who fell for phishing or social engineering scams

• Is enhancing ID checks for high-risk transactions

• Has created a $20 million reward fund for information leading to the identification and arrest of the attackers

No Financial Accounts Compromised

Coinbase emphasized that no customer funds were stolen, and Coinbase Prime accounts were not impacted. The breach was limited to customer data accessed via compromised support tools.

Steps for User Protection

To help users stay secure, Coinbase issued a set of best practices:

• Enable withdrawal allow-listing – Only allow transfers to pre-approved wallet addresses

• Turn on Two-Factor Authentication (2FA)

• Be cautious of impersonators – Coinbase will never ask users to move funds or reveal private keys

A Broader Warning for the Industry

This breach highlights the growing risk of insider threats in the crypto industry. While the technical systems may be hardened, human vulnerabilities remain a significant vector for compromise. It also underscores the importance of strong internal security training, auditing, and monitoring in companies that manage sensitive financial information.

By openly addressing the issue and offering both reparations and incentives to track the perpetrators, Coinbase aims to rebuild user trust and lead by example in incident transparency and crisis response.

Bottom Line: Coinbase is taking aggressive steps to investigate and mitigate the breach, safeguard customers, and pursue justice. Crypto users should remain vigilant, especially regarding impersonation scams and social engineering attempts.