Coinbase has confirmed a recent insider breach involving a contractor who accessed sensitive data belonging to approximately 30 customers without authorization. A spokesperson for the company stated that the incident was promptly detected by their security team, leading to the immediate termination of the contractor involved. Coinbase has notified the affected customers and is providing them with complimentary identity theft protection services. Additionally, the incident has been reported to regulatory authorities.
Though specific details about the breach remain limited, there are concerns about its connection to activities by ransomware operators known as Scattered Lapsus Hunters (SLH). These hackers shared screenshots on their Telegram channel, allegedly displaying the internal support interface of Coinbase. The images featured sensitive information, including customer names, email addresses, dates of birth, phone numbers, and transaction details related to cryptocurrency wallets. However, the authenticity of these screenshots has been questioned, as they could have been generated by another hacker or group entirely.
Experts believe it is likely that the contractor was bribed into sharing customer data, reflecting a similar case from 2025, when cybercriminals managed to exploit overseas support agents to gather customer information. That earlier incident resulted in significant financial losses for Coinbase, amounting to $400 million. The attackers initially demanded a ransom of $20 million in exchange for the stolen data, but Coinbase refused to comply and instead offered a bounty for information leading to the perpetrators’ arrest.
In a separate statement regarding the earlier breach, Coinbase emphasized that no customer passwords, private keys, or funds were compromised during either incident. They have committed to reimbursing any customers who may have been deceived into sending funds to the attackers. As the investigation continues, Coinbase’s focus remains on strengthening its security measures to prevent similar breaches in the future.
