Coinbase Hackers Had Access to Customer Data Since January

Coinbase Hackers Had Access to Customer Data Since January

Hackers had near-constant access to some of Coinbase Global Inc.’s most valuable customer data since January, according to a person familiar with the incident who asked not to be named discussing company matters. The largest US crypto exchange disclosed earlier on Thursday that hackers bribed customer representatives to steal the data and then demanded a $20 million ransom to delete it.

Coinbase began noticing unusual activity from some of these representatives in January, the company confirmed in an interview with Bloomberg News. The hackers bribed customer service representatives to get access to names, dates of birth, addresses, nationalities, government-issued ID numbers, some banking details and details about when customer’s accounts were created and their balance, the person familiar with the situation said.

This information could be used to attempt to impersonate Coinbase and convince customers to let the hackers into their account. It could also be used to impersonate the victims with other service providers to attempt to convince them to let hackers into other financial accounts they might own. The threat actors had bribed enough customer service representatives to achieve effectively on-demand access to Coinbase customer information in the past five months, the person said.

In an interview with Bloomberg News, Chief Security Officer Philip Martin disputed the near constant access assertion, saying Coinbase pulled the agents’ access as soon as it was discovered they were improperly sharing information. Therefore the hackers “did not have persistent access over the course of the entire period,” he said. “What these attackers were doing was finding Coinbase employees and contractors based in India who were associated with our business process outsourcing or support operations, that kind of thing and bribing them in order to obtain customer data,” Martin said.

Coinbase detected the agents and quarantined them and fired them, as soon as the company noticed the activity. “So there were a number of specific bribery incidents that this attack, that this threat actor is claiming credit for throughout the course of that time, but they did not have persistent access over the course of the entire period,” he said.

The hackers had access to this data as recently as Wednesday, the person familiar with the incident said. Martin said “we have no reason to believe that is true at all” but could not “prove a negative.”

A High Net Worth Individual’s Data Was Accessed

Bloomberg News is aware of one notable, high net worth individual’s data being accessed, whom Bloomberg is not disclosing for privacy reasons. David Jeong, a crypto founder in New York, said he received a text from unidentified number on April 3, in which he was asked to verify the login for his personal account. He then received another text from a different number on May 4. Jeong said he hasn’t used Coinbase OTP for two years.

Ransom Demand and Reimbursement

Coinbase’s hackers deployed what’s called a social engineering attack — where criminals use people to gain unauthorized access to data, rather than exploiting flaws in computer code. This type of threat has become increasingly popular in crypto, resulting in recent major incidents like the $1.5 billion hack of crypto exchange Bybit in February.

Meanwhile, the New York Times reported that the Securities and Exchange Commission has been investigating whether Coinbase misstated its user numbers in past disclosures as part of an inquiry that began during the Biden administration. “This is a hold-over investigation from the prior administration about a metric we stopped reporting two and a half years ago, which was fully disclosed to the public,” Paul Grewal, Coinbase’s chief legal officer, said in a statement.

Coinbase Shares Slip

Coinbase shares slipped 7% to $244.89 as of 3:03 p.m. in New York. The incident comes as Coinbase is set to join the S&P 500 index next week. Inclusion in the benchmark is becoming more important for companies in a world increasingly dominated by passive investment funds, wrapping Coinbase’s stock into numerous trackers following the index.