The Coinbase Hack Compromised One Million Customers' Information

Data breaches are most often the work of external bad actors, but sometimes the call comes from inside the house. Cryptocurrency exchange Coinbase has disclosed that hackers paid off support agents—both employees and contractors located outside the U.S.—who had access to company systems to provide customer data and then demanded a $20 million ransom not to leak the information.

Coinbase was notified of the ransom demand on May 11, just a few days before reporting the incident to the Securities and Exchange Commission (SEC). The company has said the staff involved were fired and reported to law enforcement when their unauthorized access was detected, but they were still able to provide information to attackers.

What happened with Coinbase?

The threat actors, with the help of insiders with access to Coinbase systems, were able to collect personally identifiable information on roughly one million individuals (just 1% of Coinbase customers). According to a Coinbase blog post detailing the incident, the compromised data included the following:

• Names, addresses, phone numbers, and emails

• Last four digits of Social Security numbers

• Masked bank account numbers and identifiers

• Government ID images, such as driver's licenses and passports

• Account data, such as balance snapshots and transaction history

• Corporate data available to support agents

The breach did not include login credentials, two-factor authentication (2FA) codes, or private keys, and hackers do not have access to customer funds, Coinbase Prime accounts, or customer hot or cold wallets.

Coinbase has said they are not paying the $20 million ransom and instead are offering those funds as a reward for information about the attack. The company is also expanding its U.S.-based support to monitor and manage the impact on customer accounts.

What Coinbase customers need to do

Coinbase sent email notifications from the address no-reply@info.coinbase.com to all affected customers—these messages went out at 7:20 a.m. on May 15. Flagged accounts will have to go through several ID checks to make large withdrawals, so you may experience delays with transactions.

If you were impacted by the breach, be on the lookout for impersonation scams. The aim of the attack, according to Coinbase, was to acquire customer information, reach out pretending to be from Coinbase, and use social engineering tactics to trick targets into transferring their money. Know that Coinbase will never ask for your credentials (including passwords and 2FA codes) or request that you transfer assets to another "safe" account, vault, or wallet, and they will never call or text you to give you a seed phrase or wallet address. They also will not ask you to contact an unknown number for customer support.

You can also take steps to secure your account, like enabling 2FA using a hardware key and turning on withdrawal allow-listing, which limits transfers to accounts in your address book that you know and trust. If you believe your account has been compromised, lock it down and contact security@coinbase.com.

Finally, Coinbase says they intend to reimburse customers who were tricked into sending funds to the attackers. You'll find more information in the notification email.