Coinbase, a cryptocurrency exchange with over 100 million customers, revealed that a recent data breach in which cybercriminals stole customer and corporate data affected 69,461 individuals.
In data breach notifications filed with the Office of Maine’s Attorney General, Coinbase said, “a small number of individuals, performing services for Coinbase at our overseas retail support locations, improperly accessed customer information.”
While the exposed data did not include the impacted people’s passwords, seed phrases, private keys, or other information that could be used to access their funds or accounts, it did include a combination of personal identifiers such as name, date of birth, last four digits of social security numbers, masked bank account numbers and some bank account identifiers, addresses, phone number, and email address.
Depending on the affected customer, the stolen information may also include images of government identification (e.g., driver’s license number, passport number, national identity card number) and account information (including transaction history, balance, transfers, and account opening date).
“Attackers seek out this information because they want to conduct social engineering attacks, using this information to appear credible to try and convince victims to move their funds,” Coinbase warned.
The disclosure comes after many voiced concern that this incident could lead to serious consequences, including physical harm, now that cybercriminals have access to the account balances and addresses of the Coinbase customers affected by this data breach.
Losses could reach up to $400 million
On Thursday, Coinbase disclosed in a filing with the U.S. Securities and Exchange Commission that the threat actors behind this attack obtained customer data of up to 1% of Coinbase’s customer base with the help of support staff or contractors outside the United States.
The attackers also sent an email on May 11 attempting to extort a $20 million ransom payment in exchange for not releasing the stolen information online. However, the crypto exchange said it would not pay the ransom but would establish a $20 million reward fund for tips that could help find the attackers who coordinated this attack and bring them to justice.
While Coinbase is still assessing the breach’s financial impact and the number of customers who were tricked into sending funds to the attackers in follow-up social engineering attacks is still unknown, the company said the resulting expenses will likely be “within the range of approximately $180 million to $400 million” for remediation and customer refunds.
“Coinbase will voluntarily reimburse retail customers who mistakenly sent funds to the scammer as a direct result of this incident prior to the date of this post, following a review to confirm the facts,” the company said.
Coinbase advises customers to be cautious of scammers impersonating its employees, who may try to obtain funds or sensitive information such as passwords or 2FA codes. If contacted, hang up, as Coinbase will never ask for account details over the phone. To further strengthen account security and defend against such attacks, activate withdrawal allow-listing and enable two-factor authentication.