8 Shocking Claims from Coinbase Data Breach Lawsuit
A class action lawsuit has been filed against TaskUs, the outsourcing firm contracted by Coinbase, alleging that they failed to safeguard sensitive data entrusted to the exchange, resulting in one of the largest and most damaging security breaches involving cryptocurrency to date.
At Least 70,000 People Were Affected
At least 70,000 people were affected when sensitive data fell into the hands of criminals, with up to $400 million lost by Coinbase customers alone. The breach had "catastrophic" consequences, with many victims losing their retirement savings and being bombarded by daily text messages and phone calls from criminals pretending to be Coinbase employees.
TaskUs Claims Just Two People Were Involved
However, the court filing alleges that TaskUs' public statements belie a far broader and coordinated criminal campaign involving dozens, if not hundreds of TaskUs employees, and stretching into the supervisory level of TaskUs' operations, including managers. It is claimed that up to 300 employees ended up being terminated due to their involvement in the data breach.
The Data Breach Was First Identified in January 2025
The plaintiffs claim that the data breach was first identified in January 2025 - four months before it was eventually made public when Coinbase made a statement. This meant victims didn't have the opportunity to take necessary precautions to protect themselves, with one victim suffering "a substantial loss of his cryptocurrency assets" because the incident wasn't disclosed in a timely way.
TaskUs Failed to Monitor Computer Network
The lawsuit accuses TaskUs of failing to monitor the computer network that was responsible for storing sensitive information belonging to victims. This, according to the filing, led to "present and imminent risks of fraud, identity theft, and physical attacks" against the affected customers.
Exploited Information Can Be Used for Identity Theft and Physical Attacks
The filing claims that stolen data can be exploited in various ways, including:
* Converting cryptocurrency assets * Opening new financial accounts in class members' names * Taking out loans in their names * Using their identities to obtain government benefits * Filing fraudulent tax returns using their information * Obtaining driver's licenses in Class Members' names * Giving false information to police during an arrest
This poses a significant threat to the affected customers, with lawyers estimating that up to $400 million may have been lost so far.
Lawyers claim that sensitive information was passed on to criminals by employees who used their cell phones to take photographs of data on their computer screens - even though TaskUs had a policy prohibiting these devices from being taken to their desks. Sources with knowledge of the hack, quoted in the court filing, go on to claim that employees were paid a staggering $200 per image, meaning that someone could double their income by sending just 20 or 30 pictures to the criminals masterminding this scheme.
The document adds: "Upon information and belief, TaskUs employees generated half-a-million dollars or more from bribes paid by criminals to exfiltrate Coinbase users' sensitive PII. Even at the lowest range of that estimate, that amount represents the average annual salaries of more than 100 TaskUs employees - a staggering sum in India."
Worryingly, it appears malicious actors began to recruit TaskUs employees in 2024, meaning the leak could have lasted for many months: "As early as September 2024, TaskUs employee Ashita Mishra joined the conspiracy by agreeing to sell highly sensitive Coinbase user data to those criminals."
It's alleged that the scheme was blown wide open on Jan. 1 2025 when Mishra was found to have a phone on her person at her desk, which was then searched. "TaskUs determined that Ms. Mishra’s phone contained data belonging to more than 10,000 Coinbase customers. TaskUs determined that Ms. Mishra had operated undetected … On some days, Ms. Mishra took as many as 200 pictures of Coinbase user data."
While Coinbase has previously forecast that about 1% of monthly active users were targeted, lawyers think this is a "vast underestimate" - especially considering the concerned messages shared on social media. TaskUs is facing a total of nine counts, with the plaintiffs demanding compensation and reforms to the company's infrastructure.
Plaintiffs are fearful that they may be targeted for physical attacks based on criminals' knowledge of their cryptocurrency holdings. The filing says: "Data thieves can commit a wide range of crimes including, for example, converting plaintiffs’ cryptocurrency assets, opening new financial accounts in class members’ names, taking out loans in their names, using their identities to obtain government benefits, filing fraudulent tax returns using their information, obtaining driver’s licenses in Class Members’ names, and giving false information to police during an arrest."
Had TaskUs properly monitored these electronic systems, they would have discovered the data breach sooner or prevented it altogether. The security of plaintiffs' and class members' identities is now at risk because of the defendant's wrongful conduct.
Conclusion
The Coinbase data breach lawsuit makes explosive claims about how the incident unfolded, with lawyers alleging that TaskUs failed to safeguard sensitive data entrusted to the exchange, resulting in a catastrophic breach. The affected customers face significant risks of fraud, identity theft, and physical attacks, with some having lost their retirement savings and being bombarded by daily text messages and phone calls from criminals.
The lawsuit demands compensation and reforms to the company's infrastructure, highlighting the devastating impact that the breach continues to have on victims. It is a stark reminder of the importance of robust cybersecurity measures and the need for companies like TaskUs to prioritize data protection.