Coinbase Faces Data Breach, SEC Probe Over User Count

Coin World, Thursday, May 15, 2025 11:18 pm ET

Coinbase, the largest crypto exchange in the U.S., is facing a challenging week as it deals with both a data breach and an SEC investigation. The data breach, disclosed on Thursday, involved insider collusion where overseas support agents accepted bribes to leak sensitive user data. The compromised information included names, addresses, partial bank details, and ID documents, affecting less than 1% of customers. The company refused to pay the $20 million Bitcoin ransom and is now offering a $20 million bounty for information on those responsible.

The breach has sparked criticism about the centralized and opaque systems still prevalent in the crypto industry. Phil Mataras, founder of Arweave-based permanent cloud network AR.IO, highlighted the vulnerabilities of such systems, stating that concentrating access and trust in one organization can lead to significant compromises. He emphasized the need for systems that minimize dependency on trust-based mechanisms and ensure transparency and data integrity.

Adding to Coinbase's troubles, the SEC is investigating whether the company misled investors by overstating its user count in past filings. The probe centers around Coinbase's claim in its 2021 IPO materials that it had over 100 million "verified users," a figure the company continued to promote through 2022. Coinbase has since retired this metric, acknowledging that it was not a reliable indicator of performance. The company noted that some users may have created multiple accounts and that the stat included anyone who verified an email or phone number.

Chief Legal Officer Paul Grewal described the probe as a “holdover” from the prior administration, expressing the company's commitment to working with the SEC to resolve the matter. The renewed scrutiny comes shortly after the SEC dropped a lawsuit accusing Coinbase of illegal token sales, signaling a more crypto-friendly regulatory environment. Coinbase has previously criticized the SEC's approach to digital assets as inconsistent and overly aggressive.

Despite these challenges, experts believe that the probe may not significantly impact Coinbase’s long-term trajectory. Nick Cote, co-founder and CEO of Secondlane, compared the situation to similar cases faced by other firms, such as Facebook’s $100 million SEC fine in 2019 and Twitter’s $800 million class settlement in 2024. Legal expert Jack Graves, a professor of law at Syracuse University, suggested that Coinbase’s inclusion in the S&P 500 index indicates that the SEC probe does not pose serious threats. However, he noted that the data breach is more significant, especially considering the industry's history.

Other crypto insiders were more dismissive of the SEC investigation. Peter Chung of Presto Labs called the report a “hit piece,” arguing that the best practices for reliable metrics in the crypto industry are not yet firmly established. He noted that Coinbase voluntarily changed the reported metric after realizing it was misleading, which does not indicate bad faith. Coinbase maintains that the metric in question was fully disclosed and appropriately contextualized in its filings, and that it shifted focus to more meaningful indicators like monthly transacting users beginning in 2023. The company continues to cooperate with regulators, characterizing the probe as a legacy matter from the prior SEC administration.