Coinbase Data Breach – Exposure of Customer PII and Government IDs


Coinbase disclosed an insider breach in May 2025: cyber criminals bribed a small group of overseas customer support agents, who abused their authorized access to internal support tools to copy sensitive data on a subset of customers (fewer than 1% of monthly transacting users). The criminals used the stolen data to impersonate Coinbase and socially engineer customers into sending them funds, then demanded $20 million from Coinbase in exchange for not releasing the data. Coinbase refused to pay, offered a $20 million reward for information leading to the arrest and conviction of those responsible, committed to reimburse customers who were tricked into sending funds, and implemented a series of security and remediation measures.

Severity Level: High

INCIDENT OVERVIEW:

The Breach: How It Happened

  1. There was no technical exploit and no compromised employee endpoint: the attackers recruited insiders. They approached customer support contractors and employees located outside the United States and paid them to abuse the access they already held.
  2. These agents had access to internal Coinbase support tools for their job functions. Using that access, they looked up and copied customer account details and internal documentation well beyond what any support ticket required.
  3. The criminals then used the copied data to impersonate Coinbase support staff and trick customers into moving funds, and on May 11, 2025 emailed Coinbase demanding $20 million in exchange for not disclosing the stolen information.
  4. Coinbase has stated that its security monitoring had earlier detected support agents accessing data without a business need and that the agents involved were dismissed. By then, however, data on the affected customers had already been copied and was in the criminals' hands.

What Was Compromised

  1. According to Coinbase, the exposed information includes:
     • Name, address, phone number, and email.
     • Masked Social Security number (last four digits only).
     • Masked bank account numbers and some bank account identifiers.
     • Government ID images (e.g., driver's license, passport).
     • Account data (balance snapshots and transaction history).
     • Limited corporate data (documents, training material, and communications available to support agents).
  2. Coinbase emphasized that customer funds were not directly at risk: the stolen data did not include login credentials, two-factor codes, or private keys, the agents involved had no access to financial systems, and the attackers could not initiate transactions on customer accounts.
  3. The exposed data was, however, exactly what a convincing impersonation of Coinbase support needs. It was used for social engineering against customers and remains usable for phishing and identity theft, which is why Coinbase bolstered its anti-fraud measures and warned affected customers.

Lessons Learned

  1. Outsourced, overseas support agents with access to full customer records sat inside Coinbase's trust boundary but outside its direct control, creating a weak point in its internal control perimeter. Minimize or remove sensitive-data access for third-party contractors and overseas vendors, and move critical support functions onshore with stricter compliance oversight.
  2. Agents could view, and copy, far more PII than any single ticket required. Lesson learned: enforce least privilege and access segmentation, with sensitive fields masked by default and elevation scoped to one customer and one open ticket.
  3. Agents were susceptible to bribery and coercion, pointing to gaps in vetting, training, and the contractual and cultural enforcement of conduct expectations.
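The least-privilege and segmentation lesson above, as an added example (not Coinbase's code): a small access layer that sits between a support agent and a customer record, shows only the requested fields, masks SSN and bank account to their last digits, refuses ID images and balances unless the agent holds a short-lived grant tied to that customer and ticket, and writes every access, allowed or denied, to an audit log. The record fields, the role policy, the 15-minute grant lifetime and the sample record are assumptions chosen for illustration.

```python
"""Added example, not Coinbase's code: a least-privilege, ticket-bound access
layer in front of a customer support tool. The record fields, the role policy
and the 15-minute grant lifetime are assumptions chosen for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed sample record with fake values; no real customer data.
CUSTOMER = {
    "id": "cust-1001",
    "name": "A. Example",
    "email": "a.example@example.invalid",
    "ssn": "123456789",
    "bank_account": "000123456789",
    "gov_id_image": "blob://ids/cust-1001.png",   # assumed storage reference
    "balance": "1.25 BTC",
}

# Policy (assumed): what an agent sees in clear by default, what is masked to
# its last digits, and what needs a just-in-time grant tied to an open ticket.
PLAIN_FIELDS = {"id", "name", "email"}
MASKED_FIELDS = {"ssn": 4, "bank_account": 4}        # keep only the last N chars
ELEVATED_FIELDS = {"gov_id_image", "balance"}


def mask_tail(value: str, keep: int) -> str:
    """Replace everything except the last `keep` characters with '*'."""
    return "*" * max(len(value) - keep, 0) + value[-keep:]


@dataclass
class JitGrant:
    agent: str
    customer_id: str
    ticket: str
    expires: datetime


@dataclass
class AccessGateway:
    grants: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)

    def issue_grant(self, agent, customer_id, ticket, minutes=15, now=None):
        """Short-lived elevation scoped to one agent, one customer, one ticket."""
        now = now or datetime.now(timezone.utc)
        grant = JitGrant(agent, customer_id, ticket, now + timedelta(minutes=minutes))
        self.grants.append(grant)
        return grant

    def _elevated(self, agent, customer_id, ticket, now):
        return any(g.agent == agent and g.customer_id == customer_id
                   and g.ticket == ticket and g.expires > now
                   for g in self.grants)

    def view(self, agent, record, fields, ticket=None, now=None):
        """Return only the requested fields, masked or denied per policy.
        Every field access, allowed or denied, is appended to the audit log."""
        now = now or datetime.now(timezone.utc)
        elevated = self._elevated(agent, record["id"], ticket, now)
        out = {}
        for name in fields:
            allowed = True
            if name in PLAIN_FIELDS:
                out[name] = record[name]
            elif name in MASKED_FIELDS:
                out[name] = mask_tail(record[name], MASKED_FIELDS[name])
            elif name in ELEVATED_FIELDS and elevated:
                out[name] = record[name]
            else:                       # elevated field without a grant, or unknown field
                allowed = False
            self.audit_log.append({
                "ts": now.isoformat(), "agent": agent, "customer": record["id"],
                "field": name, "ticket": ticket, "allowed": allowed,
            })
            if not allowed:
                raise PermissionError(f"{agent}: {name} requires a ticket-bound grant")
        return out


if __name__ == "__main__":
    gw = AccessGateway()
    print(gw.view("agent_a", CUSTOMER, ["name", "ssn", "bank_account"], ticket="T-1"))
    gw.issue_grant("agent_a", "cust-1001", "T-1")
    print(gw.view("agent_a", CUSTOMER, ["gov_id_image"], ticket="T-1"))
    print(len(gw.audit_log), "audit entries")
```

The point of the design is that a bribed agent working this tool cannot bulk-copy ID images or full account numbers: the default view never contains them, a grant covers one customer for one ticket for a few minutes, and the denied attempts land in the same audit log that a detection pipeline can watch.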

Recommendations:

  1. Turn on withdrawal allow-listing: only permit transfers to wallets you are confident you fully control, whose seed phrase is secure and was never provided to you by, or shared with, anyone else.
  2. Enable strong two-factor authentication: hardware security keys are best, because they cannot be phished or read out over the phone.
  3. Lock first, ask later: if something feels off, lock your account first and verify the request afterwards.
  4. Conduct interactive security awareness training for all employees and contractors, covering the insider-recruitment and bribery scenario this incident demonstrates, not only phishing.
  5. Implement behaviour-based anomaly detection across support and access systems: per-agent record-view volumes against a peer baseline, access with no associated ticket, and bursts of sensitive-field or ID-image access.
  6. Enforce the principle of least privilege so that a single agent sees only the fields a ticket requires, limiting how much data any one bribed or compromised insider can expose.
  7. Enforce just-in-time (JIT) access for sensitive fields and monitor privileged account usage rigorously.
  8. Enhance EDR capabilities to detect and block unauthorized screen sharing, remote access tools, and tool execution on support workstations.
  9. Establish automated playbooks that isolate a session and revoke access as soon as compromise or misuse is suspected.
  10. Review and tighten internal support workflows so that trust-based access is never granted without cross-verification against an open case.
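The anomaly-detection recommendation above, as an added example (not Coinbase's tooling): four simple insider-misuse rules run over support-tool access logs. The log schema (one JSON object per line with agent, customer, action and ticket), the thresholds, the agent names and the log lines themselves are constructed for illustration; agent_c is the planted outlier. The rules go slightly beyond the recommendation text by also flagging one ticket being reused to look up many unrelated customers, a pattern that bulk-copying under cover of a single legitimate case produces.

```python
"""Added example, not Coinbase's code: insider-misuse detection over
support-tool access logs. Schema, thresholds and agents are assumptions;
the log lines are constructed for illustration."""
import json
from collections import defaultdict
from statistics import median

# Constructed sample log (not real telemetry). agent_c is the planted outlier:
# many distinct customers at 01:00, views with no ticket, one ticket reused
# across unrelated customers, and a run of ID-image exports.
SAMPLE_LOG = """
{"ts": "2025-04-01T09:02:11Z", "agent": "agent_a", "customer": "c-01", "action": "view_record", "ticket": "T-100"}
{"ts": "2025-04-01T09:15:40Z", "agent": "agent_a", "customer": "c-02", "action": "view_record", "ticket": "T-101"}
{"ts": "2025-04-01T10:01:03Z", "agent": "agent_a", "customer": "c-03", "action": "view_record", "ticket": "T-102"}
{"ts": "2025-04-01T09:05:22Z", "agent": "agent_b", "customer": "c-04", "action": "view_record", "ticket": "T-103"}
{"ts": "2025-04-01T09:44:09Z", "agent": "agent_b", "customer": "c-05", "action": "view_record", "ticket": "T-104"}
{"ts": "2025-04-01T11:12:57Z", "agent": "agent_b", "customer": "c-06", "action": "view_record", "ticket": "T-105"}
{"ts": "2025-04-01T01:03:10Z", "agent": "agent_c", "customer": "c-10", "action": "view_record", "ticket": "T-110"}
{"ts": "2025-04-01T01:03:31Z", "agent": "agent_c", "customer": "c-11", "action": "view_record", "ticket": null}
{"ts": "2025-04-01T01:03:52Z", "agent": "agent_c", "customer": "c-12", "action": "view_record", "ticket": null}
{"ts": "2025-04-01T01:04:14Z", "agent": "agent_c", "customer": "c-13", "action": "view_record", "ticket": null}
{"ts": "2025-04-01T01:04:35Z", "agent": "agent_c", "customer": "c-14", "action": "view_record", "ticket": null}
{"ts": "2025-04-01T01:04:59Z", "agent": "agent_c", "customer": "c-15", "action": "view_record", "ticket": "T-111"}
{"ts": "2025-04-01T01:05:20Z", "agent": "agent_c", "customer": "c-16", "action": "view_record", "ticket": "T-111"}
{"ts": "2025-04-01T01:05:41Z", "agent": "agent_c", "customer": "c-17", "action": "view_record", "ticket": "T-111"}
{"ts": "2025-04-01T01:06:03Z", "agent": "agent_c", "customer": "c-18", "action": "view_record", "ticket": "T-111"}
{"ts": "2025-04-01T01:06:25Z", "agent": "agent_c", "customer": "c-19", "action": "view_record", "ticket": "T-111"}
{"ts": "2025-04-01T01:06:47Z", "agent": "agent_c", "customer": "c-20", "action": "view_record", "ticket": "T-111"}
{"ts": "2025-04-01T01:07:08Z", "agent": "agent_c", "customer": "c-21", "action": "view_record", "ticket": "T-111"}
{"ts": "2025-04-01T01:08:30Z", "agent": "agent_c", "customer": "c-12", "action": "export_id_image", "ticket": null}
{"ts": "2025-04-01T01:08:51Z", "agent": "agent_c", "customer": "c-13", "action": "export_id_image", "ticket": null}
{"ts": "2025-04-01T01:09:12Z", "agent": "agent_c", "customer": "c-14", "action": "export_id_image", "ticket": null}
"""


def parse_log(text):
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events, peer_factor=3.0, min_customers=5, export_burst=3, ticket_fanout=5):
    """Return (rule, subject, detail) alerts. Thresholds are assumed defaults."""
    by_agent_day = defaultdict(set)   # (agent, day) -> distinct customers viewed
    exports = defaultdict(int)        # agent -> ID-image exports
    per_ticket = defaultdict(set)     # ticket -> distinct customers it was used for
    alerts = []
    for e in events:
        day = e["ts"][:10]
        by_agent_day[(e["agent"], day)].add(e["customer"])
        if e.get("ticket") is None:   # access with no case behind it
            alerts.append(("off_ticket_access", e["agent"], f'{e["action"]} {e["customer"]}'))
        else:
            per_ticket[e["ticket"]].add(e["customer"])
        if e["action"] == "export_id_image":
            exports[e["agent"]] += 1
    # Volume against a peer baseline: each agent's daily distinct-customer
    # count versus the median of the other agents on the same day.
    days = defaultdict(dict)
    for (agent, day), custs in by_agent_day.items():
        days[day][agent] = len(custs)
    for day, counts in days.items():
        for agent, n in counts.items():
            peers = [c for a, c in counts.items() if a != agent]
            baseline = median(peers) if peers else 0
            if n >= min_customers and n > peer_factor * baseline:
                alerts.append(("volume_anomaly", agent,
                               f"{n} customers on {day}, peer median {baseline}"))
    for agent, n in exports.items():
        if n >= export_burst:
            alerts.append(("id_export_burst", agent, f"{n} ID-image exports"))
    for ticket, custs in per_ticket.items():
        if len(custs) >= ticket_fanout:
            alerts.append(("ticket_fanout", ticket, f"{len(custs)} distinct customers"))
    return alerts


if __name__ == "__main__":
    for rule, subject, detail in detect(parse_log(SAMPLE_LOG)):
        print(f"{rule:18} {subject:8} {detail}")
```

On the sample data only agent_c and its reused ticket T-111 produce alerts; agents a and b stay quiet because the volume rule compares each agent against the median of its peers rather than a fixed number. In production the same four signals would be computed per shift over the tool's real audit log and routed to the session-isolation playbook rather than printed.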

Source:

  • https://www.bleepingcomputer.com/news/security/coinbase-discloses-breach-faces-up-to-400-million-in-losses/
  • https://www.sec.gov/Archives/edgar/data/1679788/000167978825000094/coin-20250514.htm#:~:text=On%20May%2011%2C%202025%2C%20Coinbase%2C%20Inc.
  • https://www.coinbase.com/blog/protecting-our-customers-standing-up-to-extortionists



Ampcus Cyber