In May 2025, Coinbase disclosed a major data breach that exposed sensitive personal and financial information for nearly 70,000 customers. The breach was caused by insiders — bribed support contractors who systematically stole customer data over several months. If you're a Coinbase user, here's what was compromised and exactly what to do about it.
What Happened
On May 11, 2025, Coinbase received a ransom demand of $20 million from an unknown threat actor who claimed to have obtained information about Coinbase customer accounts and internal company documentation. Coinbase refused to pay the ransom.
The investigation revealed that the attackers had bribed multiple contractors and employees working in support roles outside the United States to steal customer data from internal Coinbase systems. An employee at a third-party support center in Indore, India, began stealing sensitive customer records as early as September 2024, allegedly photographing up to 200 customer records per day.
The breach occurred on December 26, 2024, but wasn't detected until the ransom email arrived on May 11, 2025 — nearly six months later.
This Was an Insider Attack, Not a Hack
Unlike most data breaches, in which external attackers exploit software vulnerabilities, the Coinbase breach was an insider threat: paid contractors with legitimate access to customer support systems abused that access to steal data. This makes the breach particularly concerning, because misuse of authorized access bypassed technical security measures entirely.
What Information Was Exposed
The compromised data includes:
- Customer names, addresses, and email addresses
- Last four digits of Social Security numbers
- Masked bank account numbers and bank account identifiers
- Government-issued ID images including driver's licenses and passports
- Account data including balance snapshots and transaction history
Importantly, no passwords, private keys, or seed phrases were exposed. Attackers cannot directly access or move your cryptocurrency based on this stolen data alone.
However, the combination of personal details, financial information, and government ID images creates a serious risk of identity theft, account takeover through social engineering, and targeted phishing attacks.
Immediate Steps to Take
1. Secure Your Coinbase Account
- Change your Coinbase password immediately to a strong, unique password you don't use anywhere else
- Enable hardware-based two-factor authentication using a security key (YubiKey or similar) rather than SMS-based 2FA, which is vulnerable to SIM swap attacks
- Enable withdrawal address whitelisting in your Coinbase security settings. This prevents withdrawals to new addresses without a 48-hour waiting period.
- Review authorized devices and remove any you don't recognize
- Review API keys and revoke any that aren't actively needed
2. Freeze Your Credit
Only the last four digits of SSNs were exposed, but combined with the other personal details (name, address, government ID images), that may give criminals enough information for identity fraud. Freeze your credit at all three bureaus:
- Equifax: equifax.com/personal/credit-report-services/credit-freeze
- Experian: experian.com/freeze
- TransUnion: transunion.com/credit-freeze
3. Monitor Your Bank Accounts
With masked bank account numbers and identifiers exposed, watch your bank accounts closely for:
- Unauthorized ACH transfers or withdrawals
- Small "test" transactions that criminals use before larger thefts
- New accounts or services linked to your bank account
Consider contacting your bank to set up additional transaction verification or alerts for unusual activity.
4. Be Extremely Wary of Social Engineering
The stolen data gives criminals everything they need to convincingly impersonate Coinbase support or create highly targeted phishing attacks. Be on guard for:
- Fake Coinbase support calls referencing your real account details to build trust
- Phishing emails claiming your account is compromised and asking you to "verify" by clicking a link
- Text messages about suspicious withdrawals or account locks
- Impersonation on social media by people claiming to be Coinbase employees
Coinbase Will Never Ask for These Things
Coinbase will never ask you to share your password, 2FA codes, or private keys. They will never ask you to transfer cryptocurrency to a "safe" wallet address. They will never call you first about account issues — you must initiate contact. Any communication asking for these things is a scam, regardless of how legitimate it appears.
Additional Protective Measures
Protect Against SIM Swap Attacks
Cryptocurrency holders are prime targets for SIM swap attacks, where criminals convince your phone carrier to transfer your number to their device. With the personal information from this breach, these attacks become easier to execute.
- Contact your carrier (AT&T, Verizon, T-Mobile) and add a SIM swap PIN or port-out protection
- Switch from SMS-based 2FA to an authenticator app (Google Authenticator, Authy) or hardware security key
- Consider using a Google Voice number for financial accounts, as it's not tied to a physical SIM
Secure Your Email Account
Your email address linked to Coinbase is now a high-value target. Ensure it has:
- A strong, unique password
- Hardware-based or app-based two-factor authentication
- Recovery options that don't rely on your phone number alone
Report Suspicious Activity
If you notice unauthorized access or transactions:
- Contact Coinbase support immediately through the official app or website
- File a report with the FBI's Internet Crime Complaint Center (IC3) at ic3.gov
- Report identity theft at identitytheft.gov
Legal Rights and Compensation
Coinbase estimates its losses from the incident at $180 million to $400 million and has committed to reimbursing customers who were tricked into sending funds to attackers as a result of social engineering attacks using the stolen data.
Multiple class action lawsuits have been filed on behalf of affected customers. A lawsuit filed by Milberg on behalf of approximately 70,000 affected users seeks compensation for the breach. Check classaction.org for updates on pending litigation.
Reduce Your Overall Data Exposure
Breach data becomes far more dangerous when criminals combine it with publicly available information from data broker sites. If a criminal has your name, email, and partial SSN from the Coinbase breach, and can find your full address, phone number, and family details on people-search sites, they can build a complete identity theft profile.
PrivacyOn reduces this risk by automatically removing your personal information from more than 100 data broker sites and monitoring the dark web for your compromised data.
- Automated removal from 100+ data brokers
- Dark web monitoring for your email, SSN, and financial data
- 24/7 monitoring with automatic re-submission of removals
- Family plans covering up to 5 people
- Plans starting at $8.33/month
Take Action Now
The Coinbase breach is especially dangerous because it combined financial data with government-issued identification documents. Don't wait for signs of fraud — secure your accounts, freeze your credit, and reduce your digital footprint now. The window of opportunity for criminals using this data extends for years, making ongoing vigilance essential.