Coinbase Data Breach: Insights and Customer Guidance
Data breaches frequently originate from external threats; however, in some cases, the danger lurks within the organization itself. Recently, cryptocurrency platform Coinbase revealed that cybercriminals bribed support personnel—both internal staff and contractors situated outside the U.S.—who possessed access to the company’s systems. These insiders divulged customer information and then demanded a hefty ransom of $20 million to prevent the information from being leaked.
The ransom request was reported to Coinbase on May 11, shortly before the company officially alerted the Securities and Exchange Commission (SEC) about the incident. The company says that the employees involved have been terminated and that the matter was reported to law enforcement once their unauthorized access was discovered. Nonetheless, the insiders managed to leak data to the attackers.
Overview of the Coinbase Incident
The perpetrators, aided by the insiders, gained access to personally identifiable information (PII) of around one million people—representing a mere 1% of Coinbase’s total users. According to a detailed blog post from Coinbase regarding the breach, the stolen data encompassed the following:
- Full names, residential addresses, phone numbers, and email addresses
- Last four digits of Social Security numbers
- Masked data from bank accounts and related identifiers
- Images of government-issued IDs such as driver’s licenses and passports
- Account-related information, including transaction history and balance summaries
- Corporate information accessible to support personnel
It’s worth noting that the breach did not expose login credentials, two-factor authentication (2FA) codes, or private keys. Furthermore, hackers had no access to customer funds, accounts on Coinbase Prime, or any customer wallets, whether hot or cold.
Coinbase has refused to pay the $20 million ransom and has instead offered an equal amount as a reward for information leading to the attackers’ identification. The company is also increasing its U.S.-based support to better oversee and mitigate the effects on customer accounts.
Actions for Coinbase Customers
All affected users received email notifications from the address [email protected] at 7:20 a.m. on May 15. Accounts flagged in relation to the breach will be subjected to multiple identity verification checks prior to processing large withdrawals, which may cause delays in transactions.
First, vigilance is crucial for those impacted. There is a heightened risk of impersonation scams, as the attackers might pose as representatives from Coinbase to deceive users into transferring their assets. Coinbase will never solicit personal credentials (including passwords and 2FA codes) or ask clients to send funds to a “secure” account or vault. Moreover, it will not reach out via phone or text for seed phrases or wallet addresses, nor will it direct customers to unfamiliar support numbers.
Additionally, fortifying account security is advisable. Users should consider enabling two-factor authentication through a hardware key and using withdrawal allow-listing, a feature that restricts transfers to known and trusted accounts in the address book. In the event of suspected account compromise, secure the account immediately and contact [email protected].
Lastly, Coinbase aims to reimburse customers who have unintentionally transferred funds to the attackers. More comprehensive details can be found in the email notification sent out.