Coinbase Data Breach Impacts 69,461 Individuals

In a shocking revelation, cryptocurrency exchange Coinbase has disclosed that a recent data breach exposed sensitive information belonging to over 69,000 individuals. The breach, which was initially reported in an SEC filing, involved rogue contractors who stole data on under 1% of Coinbase's users.

The Breach: A Coordinated Campaign

According to Coinbase, the breach was part of a single coordinated campaign that successfully exfiltrated internal data from their systems. The attackers, who claimed to have paid overseas contractors in support roles to extract this information, leveraged the contractors' legitimate access to gain unauthorized entry into Coinbase's internal systems.

Ransom Demand and Response

The company received a ransom demand from a threat actor claiming to have customer and internal data. Coinbase promptly responded by terminating the involved personnel, boosting fraud monitoring, and alerting impacted users. The company has also implemented stronger security controls and monitoring across all locations to prevent future incidents.

Exposed Data: What Was Stolen?

The security breach did not expose passwords, private keys, or customer funds. Exposed data included contact details, partial SSNs, bank info, ID images, account history, and limited internal documents. In a statement published on its website, Coinbase explained that the attackers targeted their customer support agents overseas, using cash offers to convince them to copy data in their customer support tools.

Consequences and Repercussions

The company is estimating $180M-$400M in costs from the breach, mainly for remediation and customer reimbursements. Coinbase will also be reimbursing scammed retail users after verification. The final impact of the breach remains under review.

A New Era of Security

Coinbase is taking proactive steps to strengthen its security measures. The company is opening a new support hub in the U.S. and adding stronger security controls and monitoring across all locations. Coinbase is also boosting investment in insider-threat detection and response, simulating threats to find weaknesses, and keeping users informed throughout the investigation.

A Message from Coinbase

"These instances of such personnel accessing data without business need were independently detected by the Company's security monitoring in the previous months," reads the filing with the SEC. "Upon discovery, the Company had immediately terminated the personnel involved and also implemented heightened fraud-monitoring protections and warned customers whose information was potentially accessed in order to prevent misuse of any compromised information."

The Company Stands Firm Against Threats

Coinbase has concluded that these prior instances of improper data access were part of a single campaign (the “Incident”) that succeeded in taking data from internal systems. The company has not paid the threat actor's demand and is cooperating with law enforcement in the investigation of this Incident.
