Coinbase: Coinbase reveals insider breach did take place, customer info compromised

Coinbase Confirms Insider Breach Affecting 30 Customers

Coinbase disclosed an insider breach in which a contractor accessed the data of approximately 30 customers without authorization. The incident, detected by the company’s security team last year, led to the contractor’s termination. Affected users were notified and provided with free identity theft protection services, and regulators were also informed.

While details remain limited, the breach has been linked to screenshots posted and later deleted by the ransomware group Scattered Lapsus Hunters (SLH) on Telegram. The images allegedly displayed Coinbase’s internal support interface, containing sensitive customer data, including names, email addresses, dates of birth, phone numbers, KYC details, wallet balances, and transaction histories. However, Coinbase has not confirmed whether the contractor was directly tied to SLH, suggesting instead that the contractor may have been bribed, mirroring a similar 2025 incident.

In May 2025, cybercriminals bribed overseas support agents to steal customer data, resulting in a $400 million loss for Coinbase. The attackers demanded a $20 million ransom, which the company refused to pay, opting instead to offer a $20 million bounty for information leading to their arrest. No passwords, private keys, or funds were compromised in that attack, and affected customers were reimbursed if they were tricked into sending money to the attackers. Coinbase Prime accounts remained unaffected in both incidents.

Source: https://www.techradar.com/pro/security/coinbase-reveals-insider-breach-did-take-place-customer-info-compromised

Coinbase cybersecurity rating report: https://www.rankiteo.com/company/coinbase

"id": "COI1770215755",
"linkid": "coinbase",
"type": "Breach",
"date": "1/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': '30',
                        'industry': 'FinTech',
                        'name': 'Coinbase',
                        'type': 'Cryptocurrency Exchange'}],
 'attack_vector': 'Insider Access',
 'customer_advisories': 'Affected users notified and provided with free '
                        'identity theft protection services',
 'data_breach': {'data_exfiltration': 'Yes (screenshots posted on Telegram)',
                 'file_types_exposed': 'Screenshots (images)',
                 'number_of_records_exposed': '30',
                 'personally_identifiable_information': 'Names, email '
                                                        'addresses, dates of '
                                                        'birth, phone numbers',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Personally Identifiable '
                                              'Information (PII)',
                                              'KYC details',
                                              'Wallet balances',
                                              'Transaction histories']},
 'description': 'Coinbase disclosed an insider breach in which a contractor '
                'improperly accessed the data of approximately 30 customers '
                'without authorization. The incident was detected by the '
                'company’s security team last year, leading to the '
                'contractor’s termination. Affected users were notified and '
                'provided with free identity theft protection services, while '
                'regulators were also informed. The breach has been linked to '
                'screenshots posted and later deleted by the ransomware group '
                'Scattered Lapsus Hunters (SLH) on Telegram, allegedly '
                'displaying Coinbase’s internal support interface with '
                'sensitive customer data.',
 'impact': {'brand_reputation_impact': 'Potential reputational damage',
            'data_compromised': 'Names, email addresses, dates of birth, phone '
                                'numbers, KYC details, wallet balances, '
                                'transaction histories',
            'identity_theft_risk': 'High (free identity theft protection '
                                   'services offered)',
            'systems_affected': 'Internal support interface'},
 'initial_access_broker': {'entry_point': 'Contractor access',
                           'high_value_targets': 'Customer data'},
 'investigation_status': 'Ongoing',
 'motivation': 'Financial Gain (potential bribery)',
 'post_incident_analysis': {'corrective_actions': 'Contractor termination, '
                                                  'customer notifications, '
                                                  'identity theft protection '
                                                  'services',
                            'root_causes': 'Insider threat (potential '
                                           'bribery)'},
 'ransomware': {'data_exfiltration': 'Yes (via screenshots)'},
 'references': [{'source': 'Coinbase Disclosure'},
                {'source': 'Telegram (Scattered Lapsus Hunters)'}],
 'regulatory_compliance': {'regulatory_notifications': 'Yes'},
 'response': {'communication_strategy': 'Public disclosure, customer '
                                        'notifications',
              'containment_measures': 'Contractor terminated',
              'incident_response_plan_activated': 'Yes',
              'remediation_measures': 'Affected users notified, free identity '
                                      'theft protection services provided'},
 'threat_actor': 'Scattered Lapsus Hunters (SLH)',
 'title': 'Coinbase Insider Breach Affecting 30 Customers',
 'type': 'Insider Threat'}