Coinbase has confirmed a major data breach involving unauthorized access to customer information after hackers bribed overseas support staff. The incident, disclosed in an SEC filing on May 14, 2025, came to light when the company received an extortion email on May 11 demanding $20 million to prevent the public release of stolen data.
What Data Was Compromised?
- Personal Information: Names, postal and email addresses, phone numbers, and the last four digits of Social Security numbers.
- Financial Data: Masked bank account numbers, banking identifiers, and account balance details.
- Government IDs: Driver’s licenses, passports, and other identity documents.
- Transaction Histories: Records of user activity on the platform.
Coinbase clarified that passwords and private keys—critical for accessing crypto wallets—remained secure. The breach affected roughly 1% of users, though the exact number remains undisclosed.
How Did the Hackers Succeed?
The attackers ran a social engineering scheme, bribing overseas support staff (primarily contractors and employees in India) to extract data. According to Coinbase Chief Security Officer Philip Martin, the hackers specifically targeted business process outsourcing personnel whose roles gave them legitimate access to customer records.
Coinbase had detected suspicious activity as early as January 2025, terminating some employees for unauthorized access. However, the company only became aware of the broader campaign after receiving the extortion threat.
Coinbase’s Response
The company has refused to pay the $20 million ransom and is cooperating with law enforcement. Affected users have been notified, though specific protective measures—such as credit monitoring—were not detailed in the filing.
Legal repercussions are already emerging. Lynch Carpenter, a law firm specializing in data privacy, has launched an investigation into potential class-action claims. Preliminary estimates suggest the breach could cost Coinbase between $180 million and $400 million in remediation, legal fees, and regulatory penalties.
What’s Next?
While Coinbase disputes claims that hackers had “on-demand access” for months, the breach underscores vulnerabilities in third-party contractor oversight. The incident follows heightened fraud monitoring efforts by the exchange, raising questions about how such a lapse occurred despite prior warnings.
For now, users are advised to monitor their accounts for suspicious activity. The full fallout—financial, legal, and reputational—remains to be seen.