  • 16 May 25

Coinbase Reports Massive Data Breach and Potential Losses up to $400 Million

Coinbase has disclosed that personal client data was compromised in an incident identified on May 11. The damage from the hack could reach up to $400 million.

nft.eu

What Happened

Importantly, the breach did not occur through technical vulnerabilities, but rather through the bribery of contractors from overseas call centers.

According to a filing submitted to the U.S. Securities and Exchange Commission (SEC) on May 14, the incident was initiated by a group of unknown individuals who sent Coinbase a ransom demand on May 11. The letter claimed the attackers had obtained internal company documents and customer account data.

The investigation revealed that the information had indeed been leaked — it had been accessed by contractors and support personnel based outside the United States. Coinbase had previously identified suspicious activity involving these individuals, terminated their employment, and strengthened security measures. However, it later emerged that these events were all part of a coordinated attack.

What Data Was Leaked and What Remained Secure

Coinbase confirmed that the attackers gained access to the following customer information:

  • Full names, addresses, phone numbers, and email addresses
  • Last four digits of Social Security Numbers (SSNs)
  • Partially masked bank account numbers
  • ID photos (driver’s licenses and passports)
  • Account information, including balances and transaction history
  • Internal documents and correspondence accessible to support agents

However, the following data was not compromised:

  • Login credentials and passwords.
  • Two-factor authentication (2FA) codes.
  • Private keys.
  • Coinbase’s hot and cold wallets.
  • Customer funds.
  • Prime client accounts.

Financial Impact

Coinbase estimates the potential cost of remediation efforts to be between $180 million and $400 million. Instead of paying the demanded $20 million ransom, the company has announced a $20 million reward for information leading to the identification and arrest of those responsible.

Next Steps

Coinbase has pledged to:

  • Reimburse losses to clients who fell victim to social engineering and transferred funds to scammers.
  • Tighten checks on large transactions.
  • Add mandatory warnings about potential scams.
  • Launch a U.S.-based customer support center and enhance internal oversight.
  • Expand tools for suspicious activity analysis and simulated attack scenarios.
  • Inform users as new details emerge.

How to Protect Yourself

The company reminded customers that it never asks for passwords, 2FA codes, or seed phrases. Under no circumstances will Coinbase employees ask users to transfer assets to “new” or “safe” wallets.

Coinbase recommends that users:

  • Enable wallet allow-listing.
  • Use hardware keys for two-factor authentication.
  • Immediately lock accounts if fraud is suspected.
  • Ignore any suspicious calls or emails.

All affected users received an email with detailed instructions from no-reply@info.coinbase.com on May 15 at 7:20 a.m. ET.

Context

The incident comes amid a broader surge in threats targeting the crypto industry, with social engineering tactics becoming increasingly common. As the largest publicly traded crypto exchange in the U.S., Coinbase has frequently reported on improvements to its security infrastructure. However, the breach underscores the vulnerability of global support operations — particularly when external contractors are involved.

Coinbase stated that the investigation is ongoing and that the final financial impact may be higher or lower than the initial estimates.

Previously, crypto investigator ZachXBT noted that Coinbase appears particularly vulnerable to such attacks — according to him, no other centralized exchange (CEX) faces as many incidents involving social engineering and insider access.

This post is for informational purposes only and is not an ad or investment advice. Please do your own research before making any decisions.