Coinbase Is Dealing with the Fallout of a Recent Cyberattack

The breach impacted a “small subset” of users and included sensitive information such as names, email addresses, phone numbers

Crypto exchange Coinbase is dealing with the fallout of a recent cyberattack that exposed personal data of some of its customers and may cost the company up to $400 million, according to a regulatory filing.

The company said on Thursday that the breach impacted a “small subset” of users and included sensitive information such as names, email addresses, phone numbers, partial Social Security numbers, masked bank account details, and even government-issued IDs. Login credentials and private keys were not accessed, Coinbase assured users.

“Cyber criminals bribed and recruited rogue overseas support agents to pull personal data on <1% of Coinbase MTUs. No passwords, private keys, or funds were exposed. Prime accounts are untouched. We will reimburse impacted customers,” Coinbase wrote on X.

We are disclosing a legal matter that may impact our financials. A third-party contractor pulled personal data on <1% of Coinbase MTUs. No passwords, private keys, or funds were exposed. Prime accounts are untouched. We will reimburse impacted customers. Here's what happened:Earlier this year, we became aware of a threat actor attempting to extort Coinbase and sell personal data of a small subset of our customers. The threat actor, who appears to be based in Eastern Europe, threatened to release the data unless we paid a ransom of $20 million in Bitcoin by May 10. They also claimed to have internal documents, such as presentations and meeting notes.

We learned that the threat actor had managed to bribe several third-party contractors and support staff outside of the United States to gain access to internal data. Those involved have been identified and terminated.

The threat actor appears to have pulled the personal data of <1% of Coinbase users. This information includes names, email addresses, phone numbers, partial Social Security numbers, masked bank account details, and government-issued ID types. However, login credentials and private keys were not accessed. In addition, the threat actor does not appear to have accessed any prime accounts or any other internal data.

We are deeply sorry that this incident occurred. We take the security and privacy of our customers’ data extremely seriously. We are working diligently to mitigate any potential impact on our customers and to take steps to prevent such incidents from happening in the future.

Coinbase is a leading cryptocurrency exchange that provides a platform for buying, selling, and trading digital currencies. The company is publicly traded on the Nasdaq Stock Exchange. It is also subject to regulation by the U.S. Securities and Exchange Commission (SEC) and other agencies.The company said it expects a financial impact ranging between $180 million and $400 million as a result of the attack. Its stock dropped by over 6.5 per cent following the news.

Separately, the US Securities and Exchange Commission (SEC) is looking into whether Coinbase previously provided inaccurate information about its user statistics. According to Reuters, the regulator is reviewing the company’s previously reported “verified user” numbers, which could raise concerns about its customer verification practices.

However, Coinbase has denied any ongoing probe related to know-your-customer (KYC) or Bank Secrecy Act compliance. Chief Legal Officer Paul Grewal reportedly said that the investigation is a “hold-over” from the previous administration.

“This is a hold-over investigation from the prior administration about a metric we stopped reporting two and a half years ago, which was fully disclosed to the public,” Grewal said. “While we strongly believe that this investigation should not continue, we remain committed to working with the SEC to bring this matter to a close.”

The SEC’s interest reportedly continues despite the agency dropping an earlier lawsuit that accused Coinbase of operating without proper registration.