Coinbase Faces Scrutiny After Data Breach Exposes 69,461 Users

Coinbase is under intense scrutiny and regulatory pressure following a significant data breach that exposed the personal information of nearly 70,000 users. According to a filing with the Maine Attorney General’s Office, the breach affected 69,461 individuals, with 217 of them being residents of Maine. The exchange stated that the compromise affected less than 1% of its monthly active users.

Last week, the company revealed that a group of overseas support agents, bribed by cybercriminals, had leaked internal data. This sensitive information, including names, contact details, social security numbers, and identity documents, was later used to impersonate CoinbaseCOIN-- staff in elaborate social engineering scams that were used to steal millions. Following the breach, the attackers allegedly attempted to extort $20 million in Bitcoin from the exchange. Although Coinbase refused to pay, the scale of the breach remained unclear until the recent state-level disclosure.

Coinbase CEO Brian Armstrong argued that the stolen data had not appeared on the dark web. He suggested that the attacker had little incentive to release it and pointed to a deeper issue of where regulatory pressures to collect large volumes of personal data. He argued that existing laws such as the Bank Secrecy Act (BSA) and anti-money laundering (AML) rules are outdated and potentially unconstitutional. Armstrong expressed hope that there would be a constitutional challenge to these laws or that Congress would review them, noting that the world has changed significantly since these laws were enacted in 1970 and that they arguably violate the Fourth Amendment, which protects against unreasonable searches and seizures.

Despite Armstrong’s claims, Coinbase faces increased public scrutiny and a reported federal investigation, following concerns about how it handled the situation. The criticism intensified after crypto critic Molly White highlighted a new clause in the platform’s user agreement. The update, which took effect on May 15, just one day after Coinbase went public with the breach, restricts class action lawsuits and mandates arbitration in New York. Armstrong defended the update, saying it was planned long before the breach and that the arbitration clause, including the class action waiver, was not new.

At the same time, a crypto security expert, Taylor Monahan, accused Coinbase of ignoring months of warnings about suspicious activity on the platform. She claimed that teams within the company dismissed credible alerts and failed to act until the breach became undeniable. Monahan stated that every investigator had been feeding evidence of these thefts and insiders for over six months, but the company's teams explicitly gaslit them, chastised them for not being polite enough, and called them toxic.