Inside the Coinbase hack: Everything we know so far

Cryptocurrency exchange Coinbase has disclosed a sophisticated insider threat and extortion attempt that compromised personal data for less than 1% of its monthly transacting users. Rather than paying the 20 million ransom demanded by attackers, Coinbase launched a 20 million bounty to help bring the criminals to justice while reimbursing affected customers.

Backstory

The breach occurred after criminals bribed a small group of overseas customer support agents to extract sensitive user data from Coinbase’s support systems. The attackers then used this information to impersonate Coinbase in phishing attempts, tricking victims into sending them cryptocurrency.

After gathering the stolen data, the hackers attempted to extort Coinbase for $20 million to keep the breach quiet. The company refused, instead opting to investigate, bolster security, and publicly disclose the incident.

What Data Was Exposed?

The attackers obtained:

Personal details (name, address, phone, email)

• Partial financial data (last four digits of SSNs, masked bank account numbers)

• Government ID images (driver’s licenses, passports)

• Account snapshots (balance and transaction history)

• Limited corporate data (support documents, training materials)

However, no login credentials, private keys, 2FA codes, or access to wallets or customer funds were compromised.

Coinbase's response

Faced with a $20 million extortion demand to cover up the breach, Coinbase refused to pay. Instead, they have taken a multi-pronged approach to address the incident and protect their users:

• Reimbursing affected customers: Coinbase has pledged to reimburse customers who were successfully tricked into sending funds to the attackers due to these social engineering tactics. Affected users were notified via email on May 15th.

• Enhanced customer safeguards: Coinbase has implemented additional security measures, including flagged accounts requiring extra ID checks for large withdrawals and mandatory scam awareness prompts. Users may experience slight delays during high-risk transactions as a result of increased monitoring.

• Securing support operations: Coinbase is establishing a new customer support hub in the US and implementing stronger security controls and monitoring across all its support locations globally.

• Hardening Defenses: Investments have been increased in insider threat detection, automated response systems, and the simulation of similar security threats to identify vulnerabilities in internal systems.

• Transparency: Coinbase has been proactive in informing affected users and has committed to providing ongoing updates as the investigation progresses.

Coinbase is also actively pursuing the perpetrators. The crypto exchange company is offering a $20 million bounty for information leading to the arrest and conviction of the attackers. Users with tips are encouraged to email security@coinbase.com with "[BOUNTY]" in the subject line.

The company is also collaborating with industry partners to tag the attackers' cryptocurrency addresses, enabling authorities to track and potentially recover the stolen assets.

The involved insiders were immediately terminated and referred to both US and international law enforcement agencies. Coinbase intends to press criminal charges.

Mitigation efforts

Coinbase is urging its users to remain vigilant against potential follow-up scams. They reiterated that Coinbase will never ask for passwords, 2FA codes, or request users to transfer assets to a specific or new address, account, vault, or wallet. They will also never call or text users asking for new seed phrases or wallet addresses to move funds to. Users receiving such communications are advised to hang up immediately and avoid contacting unknown numbers claiming to be Coinbase support.

Coinbase concludes its blog post with a set of best practices for users to enhance their security:

• Turn on withdrawal allow-listing: Restrict transfers to only trusted, user-controlled wallets.

• Enable strong 2FA: Hardware keys are recommended for the highest level of security.

• Hang up on imposters: Be wary of unsolicited communications requesting sensitive information or fund transfers.

• Lock first, ask later: If anything seems suspicious, immediately lock your account in the app and contact security@coinbase.com