Coinbase’s $400 Million Breach: What Really Happened And How Did Customers Get Exposed?

Coinbase’s $400 million data breach is again in the spotlight after new information came to light about the company’s prior knowledge of the leak. The COIN stock is still up over 4% from yesterday’s trading session despite this new development. 

Coinbase Was Aware Of the Data Breach Since January

According to a Reuters report, crypto exchange Coinbase was aware of the $400 million customer data leak as early as January. The report revealed that at least one part of the breach occurred when an India-based employee of the exchange’s outsourcing firm, TaskUs, was caught taking photographs of her work system with her phone. 

Coinbase had revealed in a May 14 SEC filing that it had received an extortion email from the threat actors who were in possession of the leaked data. The exchange stated that the threat actor appeared to have obtained this information by paying multiple overseas contractors or employees to collect this information from internal Coinbase systems. 

Furthermore, in the filing, Coinbase only mentioned that they had independently detected this data breach in the “previous months,” without stating when exactly they first had knowledge of it. Meanwhile, it assured that the improper data access was part of a single campaign and that the incident did not involve the compromise of passwords or private keys. 

Coinbase stated that the affected data includes personal details, masked Social Security numbers, government ID images, account data, and limited corporate information. The crypto exchange had also fired the personnel involved in the data breach and warned affected customers about the breach. The exchange estimated the preliminary expenses in the breach to be between $180 million and $400 million for remediation costs and voluntary customer reimbursements. 

The Reuters report mentioned that over 200 TaskUs employees were later fired in a mass layoff that drew Indian media attention. Based on the SEC filing, Coinbase had totally cut ties with TaskUS as the exchange revealed that it was in the process of opening a new support hub in the US. The exchange claimed that it has also taken other measures to harden its defenses to prevent this type of incident. 

The Exchange’s Legal Battle Against Oregon

Amid this data breach, Coinbase is also battling a lawsuit against Oregon for the alleged sale of unregistered securities. In an X post, the exchange’s Vice President of Legal, Ryan VanGrack, commented on their decision to move for the case to be transferred to a federal court. He explained that the case is fundamentally about federal law, which is the reason for this move. 

VanGrack added that Oregon’s Attorney General would undermine recent bipartisan progress towards crypto clarity by creating a “patchwork” of state regulations that harm consumers, innovation, and economic freedom. Coinbase’s Chief Legal Officer (CLO), Paul Grewal, noted that Oregon’s claims raise fundamentally federal issues like the meaning of “investment contract,” and so they should be resolved by federal courts.

COIN trading at $258 on the 1D chart | Source: COIN on Tradingview.com

Featured image from Getty Images, chart from Tradingview.com