modeless · 10 months ago
I have been receiving regular spear phishing calls from these guys, or someone who bought the leaked data, with classic tactics like claiming that I need to confirm a potentially fraudulent transaction. They speak perfect English with an American accent, sound very friendly, and have knowledge of your account balance. Thankfully on the first call I realized it was a scam right away, and Google's call screening feature takes good care of the rest. Wish I could forward them to Kitboga[1].

I guess they didn't have as much luck as they wanted scamming Coinbase's customers, and once they had their fun they decided to try extorting Coinbase themselves.

[1] https://www.youtube.com/watch?v=HNziOoXDBeg

panarky · 10 months ago
If you had any significant assets on Coinbase at any time prior to this breach, spear phishing is the least of your worries.

Coinbase not only leaked your full name and address, they also gave up your balances, your transaction history, and images of your government identification.

People with "significant" crypto balances are being assaulted on the street and in their own homes, and family members are being kidnapped for ransom.

"Significant" in this case can be $10k or less.

Until now, your best defense was secrecy. Never talk about crypto in public in any way that could be traced to your real-world identity.

Thanks to Coinbase that defense is now gone.

The bad guys can see who has ever had a significant balance on Coinbase (even if they don't right now), whether that balance was sold for cash and how much, or if you've ever transferred tokens off the exchange to a self-custody wallet.

Now the bad guys know who's worth kidnapping for ransom and where you live. For most people, a Google search of your name and home address turns up the names of family members who would also be lucrative targets for kidnapping and threats of violence.

Coinbase will never be forced to reimburse all the damage they've done because the true cost would bankrupt the company.

suzzer99 · 10 months ago
Florida teens kidnap Las Vegas man, drive him to Arizona desert, steal $4M in cryptocurrency

https://www.yahoo.com/news/florida-teens-kidnap-las-vegas-20...

ClumsyPilot · 10 months ago
> will never be forced to reimburse all the damage they've done because the true cost would bankrupt the company

This story keeps repeating. Maybe we should try it and see if it works as a deterrent.

dachris · 10 months ago
Why is this such an issue with crypto?

Wealth status is often very well known for public figures and entrepreneurs. People are driving around in $200k cars.

Is it due to the liquidity of cryptocurrencies that $5 wrench attacks work better?

krunck · 10 months ago
But hey, at least by being forced to give crypto exchanges all our personal details we're all super protected from the four horsemen: money laundering, drugs, terrorism and pornography.
zamadatix · 10 months ago
> People with "significant" crypto balances are being assaulted on the street and in their own homes, and family members are being kidnapped for ransom. "Significant" in this case can be $10k or less.

I wonder why, select a person completely at random and by median you'll get just as much from what they have sitting in their checking account. Select a nicer area for an order of magnitude more. That's not encouragement to go assault people in their homes or kidnap families... just confusion.

andy_ppp · 10 months ago
Companies should seriously consider implementing GDPR even in the US, it certainly made taking data dumps of customer data a lot harder and certainly private images like Government IDs were encrypted on disk. I’m surprised at the lack of security if I’m honest, at Yahoo! almost nobody had access to prod user data.

Essentially you cannot trust Coinbase IMO, might move the few hundred dollars of BTC out of there :-)

beaned · 10 months ago
They said less than 1% of users were affected.
_Algernon_ · 10 months ago
How can I check if I am affected by this?
gxs · 10 months ago
And yet, Coinbase goes scot-free

Someone, someone at that company should be going to prison for negligence

cyanydeez · 10 months ago
"decentralized currency"
aeternum · 10 months ago
Why do you see this as the fault of Coinbase? Do other companies somehow have employees that are immune to bribes and blackmail?

This is due to US Government KYC laws that forced Coinbase to associate government identification with all accounts. No crypto company required ID until they were forced to.

VectorLock · 10 months ago
I just switched to iPhone from a pixel device and I’m shook by all the spam calls. How do iPhone users deal with this?
conductr · 10 months ago
It’s my biggest gripe. They can pretty accurately flag a number as Spam or Telemarketing but in the “Silence Unknown Callers” setting I can only silence every single unknown caller. I can’t silence every single number that’s not in my contacts. When the plumber calls to confirm he’s en route, my phone needs to ring. Stuff like that.
dx4100 · 10 months ago
Also, on TMobile if you dial #662#, it'll block the Scam Likely calls at the carrier.
taude · 10 months ago
Yeup, I finally broke down and went from Android -> iPhone 16 Pro. I like a lot about Apple's personal security policies for their consumers vs Google, but damn, I miss Google's automatic call spam detection and management. All day long my Apple phone rings, and I just have to ignore the calls.
patatino · 10 months ago
I don’t get any calls, seems to be a US problem?
sameline · 10 months ago
Verizon (and I assume many other US carriers) offer junk call identification which your iPhone can block if you have ”Silence Junk Callers” toggled in Settings > Phone > Call Blocking & Identification.

https://support.apple.com/guide/iphone/block-or-avoid-unwant...

ellisd · 10 months ago
Unfortunately blocking all unknown calls is the only way to sanity. Otherwise we're talking 6-9 calls coming in ALL DAY, EVERY DAY.

The calls are coming from new numbers, across multiple area codes. A few months ago I would have advised using Begone (https://apps.apple.com/us/app/begone-spam-call-blocker/id159...) to block but that only worked since these calls were isolated to blocks of area codes that were pretty safe to block like 888-XXX-XXXX, but now ZERO of these calls are using a fixed area code that would be relatively safe to block.

dx4100 · 10 months ago
I have my phone set to silence Unknown callers. What did you have setup on the Pixel before to block them?
ge96 · 10 months ago
I never answer my phone, also turned off sound except alarms a couple years ago
scarface_74 · 10 months ago
Settings -> Phone -> Silence Unknown callers
tziki · 10 months ago
I have the exact same experience. I felt like I went back to a phone from 2018.
HWR_14 · 10 months ago
You turn off the notifications from unknown callers? How does Android handle it?
parliament32 · 10 months ago
Yeah you went the wrong way there brother.
koakuma-chan · 10 months ago
If it says Rogers you know it’s a scam
acheong08 · 10 months ago
iPhone user here. I put on airplane mode unless I'm making or expecting a call. Otherwise, I make it clear that email is my primary form of communication.
coolcase · 10 months ago
"Yeah yeah... installing your app now... oh there is an error... will try again..."
conductr · 10 months ago
I started getting regular Coinbase login confirmation codes text messages with no attempts on my end

Same with my Microsoft account actually

I usually just ignore it but I assume someone is testing if my email can be used to login.

modeless · 10 months ago
Oh yeah I get the Microsoft account emails, and Instagram ones, randomly (I have an account but never use it). I'm pretty sure SMS 2FA is turned off on my Coinbase account, which is highly recommended.
lavezzi · 10 months ago
> I have been receiving regular spear phishing calls from these guys, or someone who bought the leaked data, with classic tactics like claiming that I need to confirm a potentially fraudulent transaction.

And how long has this been at an increased level? Because I'm not buying the Coinbase narrative that they thought this was a systemic issue until they were contacted by the 'cybercriminals'.

modeless · 10 months ago
It started around the beginning of April, at the same time as I got an initial email from them about my account information being accessed. Which I'm thinking is probably the same breach as they're talking about here.
dx4100 · 10 months ago
Scams have gotten better since AI. Most of the common spelling mistakes are gone.

I was looking through some phishing e-mails the other day out of curiosity and found a weird unicode character mistranslated. Immediately knew it was an artifact of bad translation. So they're not perfect, but they're damn good.

genghisjahn · 10 months ago
The common spelling mistakes are there for a reason most of the time.
the_clarence · 10 months ago
Where was the number from? I received an impressive number of phone call attempts but thankfully I never answer unknown numbers. With Google call screen they hung up every time so I assume it's a scam.
taude · 10 months ago
I got probably three or four in the past week.
hooverd · 10 months ago
I wonder if some of that perfect accent might be ML.
mistrial9 · 10 months ago
> They speak perfect English, sound very friendly, and have knowledge of your account balance.

.. and are former employees of Coinbase .. oh! just imagining!!

cyanydeez · 10 months ago
it's a shame it'll never stop, and the criminal element is now legal capitalism
thepasswordis · 10 months ago
The problem is that it seems like the data that leaked is also the data that would be used to do account recovery.

And what that means is that

1) If you lose access to your account (through either your own fault, or Coinbase's fault) the process of recovering it may not be so straightforward anymore.

2) Hackers can try to “recover” accounts now using this leaked info.

This is a huge problem. What coinbase needs are IRL offices where you can go and do things like account recovery, and where people trying to steal money can be caught and prosecuted (and makes a huge barrier for the overseas thieves who are usually doing this)

The only solution here is: hardware 2 factor like yubikeys.

SimianSci · 10 months ago
The Crypto industry continues their speedrun of rediscovering all of the reasons for why the global financial system exists.

What you've described is the same thing that many Crypto enthusiasts call a "Bank"

lxgr · 10 months ago
Many banks don't have physical branches.

One that I'm using does, but I find it extremely annoying when they have me go to a branch to unblock my account that they locked due to a poorly calibrated risk system (that they need due to not supporting actually secure 2FA methods).

knowitnone · 10 months ago
except banks staff can easily be bribed too. There is plenty of bank fraud happening.
woah · 10 months ago
Coinbase is identical to a bank because it holds customer funds. Your comment isn't quite the dunk you think it is. Blockchains allow money to be held anonymously without any banks involved. Centralized exchanges are just profiting on speculation and probably should be banned.
piva00 · 10 months ago
> What coinbase needs are IRL offices where you can go and do things like account recovery, and where people trying to steal money can be caught and prosecuted (and makes a huge barrier for the overseas thieves who are usually doing this)

That's just a bank.

lovich · 10 months ago
Watching crypto enthusiasts run into every problem that society already tackled in the past when developing currency and its controls, and then coming up with solutions that look exactly the same as what dirty fiat currency uses, has been a source of much entertainment the past few years
dowager_dan99 · 10 months ago
Beyond the regulatory-dodge and crypto marketing explain to me how Coinbase is NOT a bank
thepasswordis · 10 months ago
Correct. Coinbase is a bank that holds cryptocurrency.
ClumsyPilot · 10 months ago
> The only solution here is: hardware 2 factor like yubikeys.

And when that’s lost, what do you do? Aren’t you back to account recovery step?

drexlspivey · 10 months ago
Then you send your iris scan to sama
whoopdedo · 10 months ago
If you ever sent money to or from a wallet you control, I'd think a reliable recovery factor would be to use that key to sign a message that Coinbase can verify with the address in their records. Cryptocurrency after all is just another PKI.
whoopdedo · 10 months ago
And dumb-dumb me just realized how trivial that would be to break. Social engineer someone into sending/receiving money to/from your wallet then pretend to be them requesting an account recovery.

Coinbase would have to make you sign a challenge ahead of time that would mark the wallet as the authorized public key for your account.
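
The two recovery schemes sketched in the comment above, as an added example in Go that is not code from the thread, from Coinbase or from any real exchange. It assumes a hypothetical exchange that issues single-use challenges; the address derivation, the domain-separation string, the `strict` flag and every other name are invented for the example, and P-256 stands in for whatever curve a real chain uses. `Recover` with `strict=false` is the "any address in my records" idea, and the scenario shows the attacker defeating it by first getting a deposit into the victim's history; `strict=true` is the fix proposed in the follow-up, where only a key enrolled with a signed challenge while the user was still authenticated is accepted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Address stands in for an on-chain address; hex(sha256(X||Y)) is an assumption for the example.
func Address(pub *ecdsa.PublicKey) string {
	h := sha256.Sum256(append(pub.X.Bytes(), pub.Y.Bytes()...))
	return hex.EncodeToString(h[:])
}
// Challenge is a server-issued, single-use nonce tied to one account and one purpose
// ("enroll" or "recover"); Digest is what the wallet key signs, domain-separated.
type Challenge struct {
	AccountID, Purpose string
	Nonce              []byte
}
func (c Challenge) Digest() []byte {
	h := sha256.New()
	h.Write([]byte("example-exchange/recovery/v1|" + c.AccountID + "|" + c.Purpose + "|"))
	h.Write(c.Nonce)
	return h.Sum(nil)
}
// Account is the exchange-side record; issued holds outstanding challenges by hex(nonce).
type Account struct {
	ID          string
	TxAddresses map[string]bool      // every external address seen in deposits or withdrawals
	RecoveryKey *ecdsa.PublicKey     // bound by an authenticated enrollment, nil until then
	issued      map[string]Challenge // deleted the first time each challenge is used
}
func NewAccount(id string) *Account {
	return &Account{ID: id, TxAddresses: map[string]bool{}, issued: map[string]Challenge{}}
}
func (a *Account) Issue(purpose string) Challenge {
	nonce := make([]byte, 32)
	rand.Read(nonce) // crypto/rand: since Go 1.24 this never returns an error
	c := Challenge{AccountID: a.ID, Purpose: purpose, Nonce: nonce}
	a.issued[hex.EncodeToString(nonce)] = c
	return c
}
// consume hands back the stored challenge exactly once; replays and mismatches fail.
func (a *Account) consume(c Challenge, purpose string) (Challenge, error) {
	k := hex.EncodeToString(c.Nonce)
	s, ok := a.issued[k]
	if !ok || s.Purpose != purpose {
		return Challenge{}, errors.New("unknown, replayed or mismatched challenge")
	}
	delete(a.issued, k)
	return s, nil
}
// Enroll runs while the user is still logged in and binds one wallet key to the account.
func (a *Account) Enroll(c Challenge, pub *ecdsa.PublicKey, sig []byte) error {
	s, err := a.consume(c, "enroll")
	if err != nil || !ecdsa.VerifyASN1(pub, s.Digest(), sig) {
		return errors.New("enrollment rejected")
	}
	a.RecoveryKey = pub
	return nil
}
// Recover checks a signed recovery challenge. strict=false is the scheme as first proposed
// (any address in the history proves ownership), the broken one; strict=true accepts only the enrolled key.
func (a *Account) Recover(c Challenge, pub *ecdsa.PublicKey, sig []byte, strict bool) (bool, error) {
	s, err := a.consume(c, "recover")
	if err != nil {
		return false, err
	}
	authorized := a.TxAddresses[Address(pub)]
	if strict {
		authorized = a.RecoveryKey != nil && a.RecoveryKey.Equal(pub)
	}
	return authorized && ecdsa.VerifyASN1(pub, s.Digest(), sig), nil
}
// Sign is the wallet side: whoever holds the private key answers the challenge.
func Sign(k *ecdsa.PrivateKey, c Challenge) []byte {
	sig, _ := ecdsa.SignASN1(rand.Reader, k, c.Digest()) // fails only if rand.Reader does
	return sig
}
// Scenario plays the attack from the thread: a social-engineered deposit, then a bogus recovery.
func Scenario() (naiveHijacked, strictResisted bool) {
	victim, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	attacker, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	acct := NewAccount("victim")
	c := acct.Issue("enroll") // the victim, still authenticated, binds their own key
	if err := acct.Enroll(c, &victim.PublicKey, Sign(victim, c)); err != nil {
		panic(err)
	}
	acct.TxAddresses[Address(&attacker.PublicKey)] = true // the social-engineered deposit
	c = acct.Issue("recover")
	naiveHijacked, _ = acct.Recover(c, &attacker.PublicKey, Sign(attacker, c), false)
	c = acct.Issue("recover")
	ok, _ := acct.Recover(c, &attacker.PublicKey, Sign(attacker, c), true)
	return naiveHijacked, !ok
}

func main() { fmt.Println(Scenario()) } // prints: true true
```

The single-use `issued` map and the purpose baked into the digest are what keep the enrolled-key variant honest: a signature captured once cannot be replayed, and an "enroll" challenge signed during onboarding cannot later be presented as proof for a "recover" request. The naive variant is not saved by any of that, because the attacker legitimately controls the key whose address ended up in the history.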

SoftTalker · 10 months ago
The data that would be used to do account recovery is 99% either public record or already part of dozens of prior major data breaches.
lxgr · 10 months ago
> What coinbase needs are IRL offices where you can go and do things like account recovery, and where people trying to steal money can be caught and prosecuted

People getting locked out of their account (which can happen due to no fault of the user, e.g. by an overly nervous risk system) will be really happy to have to potentially travel to a different city to regain account access...

thepasswordis · 10 months ago
I would be very happy to do this.

Fine, make it optional. I actually would love a version of cold storage that is: never release this money unless I personally travel to an office in NYC and authorize it.

scyclow · 10 months ago
I'd imagine that anyone who's sophisticated enough to use a yubikey would just buy a hardware wallet and self custody.
josu · 10 months ago
> What coinbase needs are IRL offices where you can go and do things like account recovery, and where people trying to steal money can be caught and prosecuted

Is this satire?

sgarman · 10 months ago
I tried to reach out to coinbase customer support to see if I was impacted. Once I wasted my time with the AI bot and got a human they were unaware of the breach. I was the first person to inform them about it.
modeless · 10 months ago
They emailed impacted accounts. Source: I was impacted
mns · 10 months ago
Not sure what to say about that, I had an account with them, but I couldn't verify it, had email, phone and could be some sort of ID scanned - don't remember. Haven't used the account ever since and had nothing there, since January I have been getting regularly calls about my account being "compromised". This leak probably happened way earlier, because there was no way someone knew I had an account there and knew exactly the email I had with them.
lavezzi · 10 months ago
I don't believe they did, and I also believe they have known about this issue for a long time, and they should have been required to disclose their mandatory 8-K a lot earlier.
w-ll · 10 months ago
Was this the general "Important Notice" email that went out this morning, or something more specific.
AustinDev · 10 months ago
What was the title of the email? I got a generic looking email at 7AM EST this morning describing the breach.
rasz · 10 months ago
You were read the "Wow we didn't know about it, you are the first person talking about it to me" script line.
ycombinatrix · 10 months ago
Maybe the actual first person got unlucky with a lazy customer support agent.
molticrystal · 10 months ago
And the reason Coinbase has to keep all that sensitive stuff, much more than what would be required to identify and authenticate you, which you hope will never be stolen, is because of know your customer laws, so you can thank your government that pictures of your passport got stolen and for whatever criminals and rogue Coinbase employees do with that info.
ryuhhnn · 10 months ago
There are very good reasons for KYC, the problem here is not the government regulation, it's once again private companies being sloppy with their customers' data because sloppy is cheap and it's not their info on the line, it's yours, so there's little motivation for them to safeguard it _unless_ they're compelled to do it by law.
goobie · 10 months ago
The people who designed a government regulation to deputize private companies couldn't possibly have known how sloppy private companies are with other people's data?

They could have designed KYC to minimize long-term storage requirements etc at some cost to what they could enforce, but a government like the US is inherently sloppy with the rights that are reserved for parties besides itself.

benced · 10 months ago
This is costing Coinbase $400M. They are well incentivized to prevent this.
J0nL · 10 months ago
They're not just another free-to-use site where you're the product. Their reputation and viability are on the line.

For a site such as this the odds aren't in their favor anymore.

lavezzi · 10 months ago
> And the reason Coinbase has to keep all that sensitive stuff, much more than what would be required to identify and authenticate you, which you hope will never be stolen, is because of know your customer laws

Real cop out here, be honest. Why should every single agent have access to your identity documentation (which is only required for KYC) in perpetuity?

rkagerer · 10 months ago
Coinbase seems to be going to great lengths to try and distance themselves from the so-called "rogue overseas support agents".

If they were Coinbase employees or contractors, that means the company basically sold its own data to hackers, who then turned around and demanded a ransom.

Reimbursing duped customers makes sense, as it seems like they would have a pretty straightforward case to make in court that Coinbase's actions led to their loss.

I'm more curious if someone who feels the need to move, change banks, change their email, hire a security detail etc. could successfully sue the company to recover some or all of those costs.

vonneumannstan · 10 months ago
>If they were Coinbase employees or contractors, that means the company basically sold its own data to hackers, who then turned around and demanded a ransom.

This seems like a strange interpretation. If an employee at your company, against policy and likely illegally, extracts proprietary data and gives it to hackers in exchange for money you can hardly say that "My company sold its data".

rkagerer · 10 months ago
I agree it wasn't authorized, but I should absolutely still be able to hold the company responsible for the damage. My business relationship is with you, not your employees or vendors.

They in turn could go after the perpetrator. If they're using contractors who are cheap, unvetted, untrustworthy or don't carry liability insurance that's their problem and shouldn't excuse them of accountability.

behringer · 10 months ago
In a way you can. A company is its employees. If you want employees with integrity you might need to pay better than bottom dollar employees from the cheapest countries possible.

I once applied for a bank position, and they wanted to run a credit check. If you're in a position of handling money, the company has a responsibility to vet its employees. Do I agree with credit checks? Absolutely not, but the point is, Coinbase is partially responsible and that's why they're refunding duped customers.

How far that responsibility goes is up for debate.

mavelikara · 10 months ago
> This seems like a strange interpretation. If an employee at your company, against policy and likely illegally, extracts proprietary data and gives it to hackers in exchange for money you can hardly say that "My company sold its data".

When an employee ships a new feature, do you say "My company shipped a new feature?"

skybrian · 10 months ago
Blog post is here:

https://www.coinbase.com/blog/protecting-our-customers-stand...

> We will reimburse customers who were tricked into sending funds to the attacker due to social engineering attacks. If your data was accessed, you have already received an email from no-reply@info.coinbase.com; all notifications went out at 7:20 a.m. ET on 5/15 to affected customers.

gkoberger · 10 months ago
The no-reply is an interesting decision. I get how difficult it is to run a company like Coinbase (their biggest strength, centralized + customer support, is also what enables this social engineering), but feels like an odd choice.
scotty79 · 10 months ago
no-reply is a good practice. No business should ever encourage their customers to reply to the emails they are sending out. That's what scammers do.

To contact the company you should go to the company website at the address you know (which shouldn't be given in the email either), log in and send a message through the internal message system, possibly referring to the email that you received through a random code (those can be auto-suggested if they recently tried to contact you by email).

If you do anything else your communication knowingly mimics the communication of a scammer.

Unrequested email should always only be one way communication. Email is too untrustworthy for it to be anything more.

sh34r · 10 months ago
Their "customer support" includes not expecting users to set up PGP to communicate with them. Email is not a secure method of communication by default.

It's fine to send a notification instructing them to visit the secure portal for more info, though. Hence, no-reply.

PeeMcGee · 10 months ago
> No passwords, private keys, or funds were exposed and Coinbase Prime accounts are untouched.

I'm curious why no Coinbase Prime accounts were part of the leak (assuming that's what they mean). Is there some sort of additional layer of data protection behind the Coinbase Prime paywall? Or perhaps those accounts were intentionally avoided as they would presumably belong to more savvy users.

czk · 10 months ago
Coinbase Prime is its own exchange with its own support (actual humans in the USA that are available to chat to). It's for "institutional investors" so unavailable to most customers without the proper credentials/paperwork. They don't share the same outsourced "support" as the regular exchange, which appears to be the attack vector here.
mafriese · 10 months ago
> The threat actor appears to have obtained this information by paying multiple contractors or employees working in support roles outside the United States to collect information from internal Coinbase systems to which they had access in order to perform their job responsibilities

Based on the information present in the breach, I think it's likely that the source was their customer support in the Philippines. Monthly salary is usually < 1000$/month (entry-level probably even less than 500$) and a 5000$ bribe could be more than a year worth of money, tax-free. Considering the money you can make with that dataset now, this is just a small investment.

> •Name, address, phone, and email; •Masked Social Security (last 4 digits only); •Masked bank-account numbers and some bank account identifiers; •Government‑ID images (e.g., driver’s license, passport); •Account data (balance snapshots and transaction history); and •Limited corporate data (including documents, training material, and communications available to support agents).

This is every threat actor's dream. Even if you only had email addresses and account balances, this is a nightmare. Instead of blackmailing the company, you can now blackmail each individual user. "Send me 50% of your BTC and I won't publish all of your information on the internet". My guess is that we will have a similar situation like we had with the Vastaamo data breach...

https://en.wikipedia.org/wiki/Vastaamo_data_breach

lm28469 · 10 months ago
> •Name, address, phone, and email;

> blackmail each individual user

Blackmail would be the least of my worries, in France we had at least five kidnappings/attempted kidnappings related to crypto investors since the beginning of the year.

iamacyborg · 10 months ago
And more than one finger sent in the post.
bambax · 10 months ago
Yes that's true but it's weird they only focus on crypto investors' families? There are many rich people in France, what's the deal with cryptobros?
stringsandchars · 10 months ago
This may seem callous, but isn't a large point of crypto that you are 'free' from the shackles imposed by the State?

And I guess that includes protection from criminals by the oppressive forces of the State (aka the police). In which case being kidnapped and having your fingers sent to your family is an integral part of your 'freedom'.

avrionov · 10 months ago
It's way worse. US companies pay $3-$6 per hour to outsource their support to the Philippines. The companies which provide the service have a very high turnover rate. For some companies the employees stay on average about 6 months. There is absolutely no reason to be loyal.
brandensilva · 10 months ago
We are getting zero government regulation on AI, no punishment for data breaches, and no human protections against wide-scale abuse. The opposite is happening.

I suspect to see America in chaos from these disruptions in the very near future.

wslh · 10 months ago
Beyond the Philippines' low wages, the point is that there is a price for "everybody"; if it were in the US it would be a much higher price, and most probably paying for higher attack benefits.