Coinbase

Coinbase, a major U.S. cryptocurrency exchange, confirmed that fewer than 1% of its customers had their sensitive data compromised after threat actors bribed overseas customer service support agents to gain unauthorized access to internal systems. The breach exposed customers' names, phone numbers, home addresses, email addresses, masked bank account numbers, the last four digits of Social Security numbers, government ID images, and certain corporate data. While private keys, credentials, and funds remained secure, Coinbase warned of potential follow-up social engineering attacks. The company refused to pay a $200 million ransom demand, instead allocating the amount to a bounty program for information leading to the attackers' arrest. The incident underscored critical gaps in insider threat detection and access governance, particularly as operations scale globally through outsourcing.

Source: https://www.scworld.com/brief/insider-breach-compromises-coinbase-customer-info

TPRM report: https://www.rankiteo.com/company/coinbase

{
  "id": "coi0985509112725",
  "linkid": "coinbase",
  "type": "Breach",
  "date": "5/2025",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact, including customer data leaks"
}

{
  "affected_entities": [
    {
      "customers_affected": "Fewer than 1% of total customers",
      "industry": "Financial Services (Cryptocurrency)",
      "location": "United States",
      "name": "Coinbase",
      "size": "Large",
      "type": "Cryptocurrency Exchange"
    }
  ],
  "attack_vector": ["Bribery of Insiders", "Unauthorized Systems Access"],
  "customer_advisories": ["Notification of data breach and risks of follow-up attacks"],
  "data_breach": {
    "data_exfiltration": true,
    "number_of_records_exposed": "Fewer than 1% of Coinbase customers (exact number undisclosed)",
    "personally_identifiable_information": [
      "Names",
      "Phone Numbers",
      "Home Addresses",
      "Email Addresses",
      "Last four digits of Social Security Numbers",
      "Government ID Images"
    ],
    "sensitivity_of_data": "High",
    "type_of_data_compromised": [
      "Personally Identifiable Information (PII)",
      "Contact Information",
      "Financial Data (masked)",
      "Government ID Images",
      "Corporate Data"
    ]
  },
  "description": "Major U.S. cryptocurrency exchange Coinbase confirmed that fewer than 1% of its customers had their data compromised by threat actors who bribed its overseas customer service support agents for systems access. The breach enabled exfiltration of customers' names, phone numbers, home addresses, email addresses, masked bank account numbers, the last four digits of Social Security numbers, government ID images, and certain corporate data. Private keys, credentials, and funds were not compromised. Coinbase warned customers of potential follow-up social engineering attacks and refused to pay a $200 million ransom, instead placing the amount in a bounty program for information leading to the arrest or conviction of the attackers.",
  "impact": {
    "brand_reputation_impact": "High (Potential loss of trust due to insider breach and data exposure)",
    "data_compromised": true,
    "identity_theft_risk": "High (Exposed PII including SSN digits, addresses, and government IDs)",
    "payment_information_risk": "Moderate (Masked bank account numbers exposed)",
    "systems_affected": ["Customer Support Systems"]
  },
  "initial_access_broker": {
    "entry_point": "Bribed overseas customer service support agents",
    "high_value_targets": ["Customer PII", "Corporate Data"]
  },
  "lessons_learned": "Importance of strengthening insider threat detection and access governance, especially in outsourced and globally distributed operations.",
  "motivation": ["Financial Gain", "Data Theft"],
  "post_incident_analysis": {
    "corrective_actions": [
      "Bounty program for attacker information",
      "Customer notifications and advisories"
    ],
    "root_causes": [
      "Inadequate insider threat detection",
      "Weak access controls for third-party support agents",
      "Lack of oversight for overseas operations"
    ]
  },
  "ransomware": {
    "data_exfiltration": true,
    "ransom_demanded": "$200 million"
  },
  "recommendations": [
    "Enhance insider threat detection programs",
    "Implement stricter access governance for third-party vendors",
    "Conduct regular audits of customer support systems",
    "Invest in employee training to prevent bribery and social engineering",
    "Monitor dark web for exposed data"
  ],
  "references": [
    {"source": "SiliconANGLE"},
    {"source": "Swimlane Lead Security Automation Architect Nick Tausek"}
  ],
  "response": {
    "communication_strategy": [
      "Public disclosure",
      "Customer advisories on social engineering risks"
    ],
    "containment_measures": ["Warning customers about social engineering risks"],
    "incident_response_plan_activated": true,
    "remediation_measures": ["Bounty program for attacker information ($200M)"]
  },
  "stakeholder_advisories": ["Warning about potential social engineering attacks"],
  "threat_actor": ["Unknown (Bribed Insiders)", "External Attackers"],
  "title": "Coinbase Customer Data Breach via Insider Threat",
  "type": ["Data Breach", "Insider Threat", "Social Engineering"],
  "vulnerability_exploited": ["Weak Insider Threat Detection", "Inadequate Access Governance"]
}