Coinbase Data Breach Affects 69,461 Users, Faces $180M-$400M Cost

Coin World
Wednesday, May 21, 2025 12:32 pm ET

Coinbase, a prominent crypto exchange, recently disclosed that a data breach occurred in December, affecting 69,461 users. The breach was discovered in May, and the company has since taken steps to address the issue. The incident involved cybercriminals bribing overseas customer support agents to access sensitive information, including names, addresses, phone numbers, emails, and government-ID images.

The company filed a notice with the Maine Attorney General’s Office, revealing that around 217 residents of the state were impacted by the breach. Coinbase had previously stated in an SEC filing that less than 1% of its monthly transacting users were affected, which could have amounted to as many as 97,000 users. The new notice provides a more precise understanding of the number of impacted customers.

Coinbase first observed abnormal behavior among some of its customer service representatives in January. The exchange is now facing a probe by the U.S. Justice Department. The company did not immediately respond to a request for comment. Coinbase CEO Brian Armstrong addressed the situation through a video posted to X, formerly Twitter, which has generated significant views. Regulatory filings, including those with the Securities and Exchange Commission, have been the primary source of information as the incident’s scope has developed.

Amanda Fischer, a former SEC employee and policy director at a non-profit organization, highlighted the importance of regulation in this context. She noted that the fact Coinbase is a public company overseen by the SEC is the primary reason there is any data about this incident. The incident could cost Coinbase between $180 million and $400 million, according to an SEC filing submitted days after an “unknown threat actor” contacted the exchange, demanding $20 million in exchange for not releasing the information.

Some individuals, including Michael Arrington, co-founder of TechCrunch, have expressed concerns about the potential human costs of the breach. Arrington stated that the hack, which includes home addresses and account balances, could lead to people dying. Fischer noted that a company has different obligations when it comes to disclosing a data breach to shareholders versus customers, with protections for the latter group varying by state.

Under SEC rules, a firm is required to disclose a data breach to shareholders within four days of a lawyer determining that it could be relevant to a reasonable shareholder’s decision to buy, hold, or sell a company’s shares. With class action lawsuits cropping up against the exchange, Fischer added that it will be litigated whether or not the materiality determination should have been made in January.

In April, Coinbase modified its user agreement, adding two limiting clauses that restricted users’ ability to bring class action lawsuits against the firm or pursue legal action outside federal courts in New York. After the changes were flagged on X by Molly White, a longtime Wikipedia editor and crypto researcher, Armstrong said the connection amounted to a “conspiracy theory.” Taylor Monahan, an on-chain sleuth and noted security expert, pushed back against Armstrong’s assertion, claiming that investigators had flagged malicious insiders at Coinbase for over six months.