- Coinbase filed a new form with the Maine Attorney General
- It confirmed when the attack happened and how many people were affected
- The company confirmed offering a bounty
We now know exactly how many people are affected by the recent Coinbase data breach – 69,461. The company confirmed the news in a new filing with the Office of the Maine Attorney General. In the filing, the company said that the attack took place in late December 2024, and that it was spotted months later, in mid-May 2025.
It also shared a data breach notification letter it is sending out to affected people, in which it detailed what happened.
Apparently, threat actors bribed “a small number of individuals performing services for Coinbase” to have them exfiltrate sensitive customer data.
Extortions and bounties
These individuals, who were allegedly fired afterwards, stole identity information (names, dates of birth, last four digits of customers' social security numbers), masked bank account numbers and “some bank account identifiers”, addresses, phone numbers, email addresses, images of IDs, driver’s licenses, and passports, and different account information (transaction history, balance, transfers, and more).
The attackers then tried to extort Coinbase for $20 million in exchange for deleting the data. Coinbase not only refused the demand, but also turned it around, offering the exact same sum, $20 million, to whoever comes forward with actionable information about the identities or whereabouts of the attackers.
Earlier reports on Reuters claimed the attack might cost Coinbase between $180 million and $400 million, citing a regulatory filing the company submitted recently.
Besides offering a $20 million bounty, Coinbase also promised to “make customers whole” – by reimbursing anyone who can prove that they lost money after a social engineering attack made possible by the data stolen from the crypto exchange.
Coinbase also said it was working with law enforcement, and urged users to stay vigilant, create strong passwords, set up multi-factor authentication (MFA), and never share their login credentials with anyone.
Via TechCrunch