Coinbase says 69,461 customers were affected by a data breach caused by insider wrongdoing. The data thieves have been abusing access to the company’s systems since December 26th last year.
The new details were disclosed in the filing with the Office of the Maine Attorney General. The breach affected approximately 217 individuals in Maine and 69,461 customers in total. However, the estimates may not be final.
Coinbase operates the largest US-based cryptocurrency exchange with over 100 million users.
The company stated last week that attackers copied data “for less than 1% of Coinbase monthly transacting users” and estimated that recovery and reimbursements might cost up to $400 million.
The company has also previously said that insider wrongdoing was “independently detected by the company’s security monitoring in the previous months.”
In a new filing, Coinbase stated the data breach occurred on December 26th, 2024, and was discovered on May 11th, 2025.
In a letter to affected individuals, the company explains that a small number of individuals performing services for Coinbase accessed customer information and may have shared it with a third party.
“Individuals involved were fired on the spot; we’ve referred the case to US and international agencies and are pressing for criminal charges,” Coinbase said.
Cybercriminals demanded a $20 million ransom. Instead, the company allocated the same amount to reward information leading to the attackers’ arrest and conviction.
“Individuals involved were fired on the spot; we’ve referred the case to US and international agencies and are pressing for criminal charges,”
Coinbase said.
This breach doesn’t involve passwords, seed phrases, private keys, or any other
information that would allow attackers to directly access accounts and steal money.
However, cybercriminals obtained a lot of personal data:
- Personal identifiers (name, date of birth, masked social security numbers (last four digits), masked bank account numbers, and some bank account identifiers, address, phone number, email address)
- Images of Government identification information (driver’s license number, passport number, national identity card number)
- Account information (transaction history, balance, transfers, date you opened your account)
Coinbase warns that attackers will abuse the stolen data to appear credible in social engineering attacks, trying to convince victims to move their funds.
The company reiterates its obligation to “reimburse eligible retail customers who were socially engineered into sending funds to the threat actor as a direct result of this incident after we complete our review to confirm the facts.” Affected users are also offered a free one-year credit monitoring and identity protection service.
Coinbase urges users to be hyper-vigilant and reminds them that it will never call to ask for credentials, API keys, seed phrases, or two-factor authentication codes. It also never asks to transfer or move assets or funds to a specific destination or contact an unknown number.
Your email address will not be published. Required fields are markedmarked