Coinbase data breach exposes critical user info — what you need to know about ransomware attack
The company has offered the $20 million ransom as bounty on the hackers.

Insiders within Coinbase leaked user data earlier this month, causing a major cybersecurity incident and exposing critical user information.
On May 11, 2025, the company received ransom demands from an unknown threat actor who claimed to have information about Coinbase customer accounts and internal Coinbase documents, including customer service and account management systems materials.
As reported by CyberNews, the exact number of affected users wasn’t mentioned. The company has said it accounts for “less than 1% of the Coinbase monthly transacting users.”
Coinbase, a publicly traded company that operates the largest U.S.-based cryptocurrency exchange, has over 100 million users.
Disturbing amount of info stolen
While the number of affected users may not be catastrophic, the data that was stolen certainly is, as it includes name, address, phone number, email address, Social Security number (last four digits), masked bank account numbers (and some identifiers) and government ID images (driver’s licenses and passports).
The breach also includes account data, such as balance snapshots and transaction history. Some corporate data was also taken, which includes training material and communications available to support agents. No passwords or private keys were included.
The ongoing internal Coinbase investigation has found that this ransomware incident was part of a single campaign, and that the ransomware email is credible. However, Coinbase will not be paying the ransom. The company will be cooperating with law enforcement.
Coinbase’s ongoing internal investigation has found that the source of the breach is cybercriminals who bribed and recruited employees in support roles or contractors outside of the U.S. who had access to internal systems.
Coinbase has found instances of personnel accessing data without a legitimate business need in previous months through their independent monitoring systems.
Coinbase responded by terminating the involved employees and contractors, and by rolling out heightened fraud-monitoring protections. A new support hub will be opening in the U.S., and the company will be taking measures to increase defenses and safeguards, including requiring extra ID checks on large withdrawals and mandatory scam awareness prompts for flagged accounts.
Coinbase has warned users that they may experience some delays as high risk transactions are monitored. They’ve also contacted customers who may have had their information compromised.
Instead of paying the $20 million ransom demand, Coinbase has created a $20 million reward fund as a bounty, offering it to whoever can provide information that leads to the arrest and conviction of the criminals responsible for the attack.
The company estimates the remediation could cost it between $180 million and $400 million, and it plans to voluntarily reimburse affected customers who directly lost funds to the hackers as a result of this incident.
How to stay safe after the breach
Coinbase warns its users they will likely experience an influx of imposters and scammers, perhaps related to this breach and perhaps not. The company reminds users that it will never ask for your password or 2FA codes, or ask that you transfer your assets to a specific or new address, account, vault or wallet.
Additionally, Coinbase will never call or text you to give you a new seed phrase or wallet address to move your funds to. If you receive a call like this, you are encouraged to hang up the phone immediately. Coinbase will never ask you to contact an unknown number to reach them.
The usual rules of phishing also apply here: Never click on any unexpected links, attachments or QR codes that are sent to you in any manner. If you receive something that appears to be from someone you do know, confirm it with them in an independent manner.
When going online, make sure you have one of the best antivirus software programs installed and up to date – these programs have VPNs, password managers and safe browsers as well as other features that can help provide you with an added layer of security.

Amber Bouman is the senior security editor at Tom's Guide where she writes about antivirus software, home security, identity theft and more. She has long had an interest in personal security, both online and off, and also has an appreciation for martial arts and edged weapons. With over two decades of experience working in tech journalism, Amber has written for a number of publications including PC World, Maximum PC, Tech Hive, and Engadget covering everything from smartphones to smart breast pumps.