Coinbase data breach: personal info of 1% of monthly users leaked via bribed overseas support agents
May 15, 2025
Key Points
- Coinbase disclosed that criminals bribed overseas support agents to steal personal data on roughly 1% of monthly transacting users, including government IDs and account balances.
- The breach creates physical-threat risk: attackers now possess identifying information and photos of crypto holders, enabling targeted theft or intimidation.
- CEO Brian Armstrong offered a $20 million bounty for the attackers' arrest instead of paying ransom, betting that criminals will turn on each other for the payout.
Summary
Coinbase disclosed that cyber criminals bribed overseas support agents to exfiltrate personal data on approximately 1% of its monthly transacting users. The exposed information included name, address, phone, email, masked social security numbers (last four digits only), masked bank account details, government IDs, and account balances. No passwords, private keys, or funds were exposed.
The breach created a secondary risk. Criminals now possess identifying information and photos of crypto holders, enabling potential physical theft or intimidation attacks. With government IDs and location data in hand, attackers could target individuals holding significant crypto assets and demand transfers at gunpoint.
Coinbase committed to reimbursing users affected by social engineering attacks that followed the data leak. Rather than paying a ransom, CEO Brian Armstrong announced a $20 million bounty for information leading to the attackers' arrest.
Armstrong's approach relies on game theory. A criminal conspiracy typically involves multiple people. By offering $20 million for arrests instead of capitulating to ransom demands, Coinbase creates an incentive for lower-level operatives to turn on leadership. A subordinate who reasons that the group will not receive the ransom payout might instead flip and collect the bounty, a cleaner path than waiting for uncertain profit-sharing among conspirators.
Armstrong's response came as a direct video address that was unpolished but clearly thought through. The approach avoided appearing callous or dismissive and contrasted with both overproduced corporate statements and indifference.