Coinbase is grappling with a significant data breach that exposed the personal information of a small portion of its customers and could cost the company up to $400 million, according to a regulatory filing released on Thursday. The compromised data included names, email addresses, phone numbers, partial Social Security numbers, masked bank account details, and government-issued IDs; importantly, login credentials and private keys were not accessed, according to Coinbase. The company clarified that "rogue overseas support agents" were bribed by cybercriminals to access personal data on less than 1% of Coinbase's monthly transacting users (MTUs). Coinbase also assured users that prime accounts remained unaffected and promised reimbursement for any customers impacted by subsequent scams.
The breach came to light after Coinbase received a ransom demand via email on May 11 from an anonymous hacker who claimed to possess internal documents and customer data. The hacker demanded $20 million in Bitcoin to prevent the release of the stolen information. Coinbase CEO Brian Armstrong publicly refused to pay the ransom, instead announcing a $20 million reward fund for information leading to the arrest and conviction of those responsible.
In a company blog post, Coinbase warned that although passwords and private keys remained secure, the leaked information could facilitate social engineering scams where attackers impersonate Coinbase support to trick users into handing over funds. The company pledged to fully reimburse victims of such scams.
The breach was reportedly enabled by hackers bribing multiple third-party contractors and overseas support staff to access internal systems. Coinbase said it had identified and terminated the employees involved.
Following the disclosure, Coinbase’s stock price fell by more than 6.5%. The company estimates the financial impact of the breach will range between $180 million and $400 million.
Separately, the U.S. Securities and Exchange Commission (SEC) is reportedly reviewing Coinbase’s historical user verification metrics, focusing on previously reported “verified user” numbers, raising concerns about its customer verification practices. However, Coinbase denies any current probe regarding its know-your-customer (KYC) or Bank Secrecy Act compliance. Chief Legal Officer Paul Grewal described the SEC’s inquiry as a “hold-over” from the prior administration concerning a metric Coinbase ceased reporting over two years ago, which had been publicly disclosed. Despite the SEC dropping an earlier lawsuit accusing Coinbase of operating without proper registration, the regulator’s interest persists, although Coinbase aims to resolve the matter soon.
Overall, Coinbase faces a dual challenge: managing the fallout and financial consequences of a major cyberattack while navigating ongoing regulatory scrutiny.