TaskUs, Coinbase, Discord and Marks & Spencer: Coinbase confirms insider breach linked to leaked support tool screenshots

Coinbase Confirms Insider Breach Impacting 30 Customers in December Incident

Coinbase has disclosed an insider breach involving a contractor who improperly accessed the personal data of approximately 30 customers in December. The company confirmed the incident after threat actors known as Shiny Lapsus Hunters (SLH) briefly posted screenshots of an internal support interface on Telegram, revealing customer details such as names, email addresses, phone numbers, KYC information, wallet balances, and transaction histories.

The contractor, who no longer works with Coinbase, was detected by the company’s security team last year. Affected users were notified and provided with identity theft protection services, while regulators were informed as part of standard protocol. This breach is unrelated to a separate January 2025 incident involving TaskUs, an outsourcing firm that provides support services to Coinbase.

The screenshots shared by SLH suggest the group may have obtained the data through an insider or by circulating stolen information among threat actors. SLH has previously claimed to have bribed insiders at other firms, including CrowdStrike, to gain access to internal systems.

Rising Threats to Business Process Outsourcing (BPO) Firms
The incident highlights a growing trend of threat actors targeting BPO companies (third-party firms handling customer support, IT services, and account management for organizations). Since BPO employees often have access to sensitive systems and data, they have become prime targets for attacks.

Common tactics include:

  • Bribing insiders to steal or share customer information, as seen in the Coinbase and TaskUs breaches.
  • Social engineering support staff to gain unauthorized access, such as the Clorox breach, where attackers impersonated an employee to compromise a Cognizant help desk agent, leading to a $380 million lawsuit.
  • Compromising BPO employee accounts to access customer data, as in Discord’s October breach, where a support agent’s account at an outsourced provider was used to extract data from 5.5 million users.

Recent attacks on retailers like Marks & Spencer and Co-op have also involved social engineering against support personnel, prompting the U.K. government to issue guidance on mitigating such threats. The shift toward targeting BPOs reflects a broader strategy by threat actors to exploit third-party access rather than directly breaching corporate networks.

Source: https://www.bleepingcomputer.com/news/security/coinbase-confirms-insider-breach-linked-to-leaked-support-tool-screenshots/

Marks and Spencer cybersecurity rating report: https://www.rankiteo.com/company/marks-and-spencer

Coinbase cybersecurity rating report: https://www.rankiteo.com/company/coinbase

Discord cybersecurity rating report: https://www.rankiteo.com/company/discord

TaskUs cybersecurity rating report: https://www.rankiteo.com/company/taskus

"id": "MARCOIDISTAS1770173590",
"linkid": "marks-and-spencer, coinbase, discord, taskus",
"type": "Breach",
"date": "2/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': '30',
                        'industry': 'FinTech',
                        'name': 'Coinbase',
                        'type': 'Cryptocurrency Exchange'}],
 'attack_vector': 'Insider Access',
 'customer_advisories': 'Affected users notified and provided with identity '
                        'theft protection services',
 'data_breach': {'data_exfiltration': 'Yes (via Telegram screenshots)',
                 'number_of_records_exposed': '30',
                 'personally_identifiable_information': 'Yes',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Personal Identifiable '
                                              'Information (PII)',
                                              'KYC Information',
                                              'Transaction Histories',
                                              'Wallet Balances']},
 'date_detected': '2024-12',
 'description': 'Coinbase disclosed an insider breach involving a contractor '
                'who improperly accessed the personal data of approximately 30 '
                'customers in December. The incident was confirmed after '
                'threat actors known as Shiny Lapsus Hunters (SLH) posted '
                'screenshots of an internal support interface on Telegram, '
                'revealing customer details such as names, email addresses, '
                'phone numbers, KYC information, wallet balances, and '
                'transaction histories. The contractor was detected by '
                'Coinbase’s security team and no longer works with the '
                'company. Affected users were notified and provided with '
                'identity theft protection services, while regulators were '
                'informed as part of standard protocol.',
 'impact': {'brand_reputation_impact': 'Yes',
            'data_compromised': 'Personal data (names, email addresses, phone '
                                'numbers, KYC information, wallet balances, '
                                'transaction histories)',
            'identity_theft_risk': 'Yes',
            'systems_affected': 'Internal support interface'},
 'initial_access_broker': {'entry_point': 'Contractor access'},
 'investigation_status': 'Completed',
 'lessons_learned': 'Insider threats pose significant risks, especially in '
                    'third-party contractor relationships. Enhanced monitoring '
                    'and access controls are critical for mitigating such '
                    'breaches.',
 'motivation': 'Data Theft, Financial Gain',
 'post_incident_analysis': {'corrective_actions': 'Contractor terminated, '
                                                  'affected users notified, '
                                                  'identity theft protection '
                                                  'services provided, '
                                                  'regulatory notifications '
                                                  'completed',
                            'root_causes': 'Improper access by a contractor, '
                                           'lack of sufficient monitoring for '
                                           'insider threats'},
 'recommendations': ['Implement stricter access controls for contractors and '
                     'third-party vendors',
                     'Enhance monitoring of internal systems for unauthorized '
                     'access',
                     'Provide regular security awareness training for '
                     'employees and contractors',
                     'Establish clear protocols for reporting and responding '
                     'to insider threats'],
 'references': [{'source': 'Coinbase Disclosure'},
                {'source': 'Shiny Lapsus Hunters (SLH) Telegram Post'}],
 'regulatory_compliance': {'regulatory_notifications': 'Yes'},
 'response': {'communication_strategy': 'Public disclosure, regulatory '
                                        'notifications',
              'containment_measures': 'Contractor terminated, affected users '
                                      'notified',
              'incident_response_plan_activated': 'Yes',
              'remediation_measures': 'Identity theft protection services '
                                      'provided to affected users'},
 'threat_actor': 'Shiny Lapsus Hunters (SLH)',
 'title': 'Coinbase Insider Breach Impacting 30 Customers',
 'type': 'Insider Threat'}