Coinbase has forecast a financial impact of between $180 million and $400 million due to a cyberattack that compromised the account data of a “small subset” of its customers, according to a regulatory filing made Thursday, reports Reuters.
The company revealed that it received an email from an unknown threat actor on May 11, who claimed to possess sensitive data regarding certain user accounts and internal documents. While some personal information, such as names, addresses, and email addresses, was stolen, the hackers did not gain access to users’ login credentials or passwords. Coinbase also stated it would reimburse customers who were tricked into sending funds to the attackers.
The hack involved the payment of multiple contractors and employees working in support roles outside the U.S. to gather information. Coinbase confirmed that it has fired those involved.
In a separate issue, the U.S. Securities and Exchange Commission (SEC) is reportedly investigating whether Coinbase misrepresented its user numbers. Sources familiar with the matter told Reuters that the SEC is also scrutinizing whether the potential inaccuracy in user data suggests the company may have failed to comply with know-your-customer (KYC) regulations, a key requirement for firms registered with the SEC. However, a Coinbase spokesperson denied any probe into the company’s compliance with KYC or Bank Secrecy Act rules.
These developments come just days before Coinbase is expected to join the S&P 500 index, a move that was initially seen as a major milestone for the cryptocurrency industry. However, this security breach has cast a shadow over the company’s achievement.
Coinbase, which has refused to meet the $20 million ransom demand from the attackers, is cooperating with law enforcement. The company has also launched a $20 million reward for information leading to the identification of the hackers. Additionally, Coinbase is taking steps to strengthen its security, including opening a new support hub in the U.S.
“KYC puts people at risk”
Internet swiftly reacted to this recent development. A user noted, “KYC doesn’t just put your data at risk; it puts people at risk. Hackers recently demanded $20 million in Bitcoin from Coinbase, threatening to leak sensitive customer data. While no passwords or private keys were accessed, the attackers obtained full names, addresses, contact details, partial Social Security and bank account numbers, and identity documents. This is the kind of data that can be weaponised for identity theft, fraud, or worse.” They create massive, centralised honeypots of personal data that can and do get breached, sold, or exploited.” Another claimed, “is this why i keep getting emails from them saying someone from Singapore is trying to log into my account.” A user joked, “Coinbase ready to play chess with these folk.” “Coinbase didn’t get hacked. Coinbase employees sold customer data on the black market. Coinbase failed to protect customer data,” noted a user. “Coinbase be like “yes we got hacked but don’t worry they only got the direct GPS coordinates for all of your kids and family members,” said another.