Crypto exchange Coinbase: data leak after cyber attack

The crypto exchange Coinbase has reported a data leak. Attackers have stolen sensitive data and want to extort hush money.


The crypto exchange Coinbase has fallen victim to an IT incident. Attackers were able to steal sensitive data and are now blackmailing the company by threatening to publish it. It is currently unclear which cyber gang is behind the attack.

In a Form 8-K filing with the US Securities and Exchange Commission (SEC), Coinbase provides some information about the incident. According to the filing, Coinbase Global Inc. subsidiary Coinbase Inc. received an email from unknown threat actors claiming to have obtained information on certain Coinbase customer accounts as well as internal Coinbase documentation, including customer service materials and account management systems.

The perpetrators are demanding money in exchange for not publishing the information, but the company is not naming the amount demanded. “The threat actor appears to have obtained this information by paying multiple contractors or employees working in support roles outside the United States to gather information from internal Coinbase systems that they had access to for their jobs,” Coinbase states in the filing.

The company further explains, “These instances of these employees accessing data without a business need were independently uncovered by the company's security monitoring in the preceding months. Upon discovery, the company immediately terminated the affected employees and also implemented enhanced fraud monitoring safeguards. In addition, customers whose data may have been accessed were warned to prevent misuse of the compromised data.”


Investigations since the email was received have revealed that it appears to be genuine. The previous incidents of unauthorized data access are therefore part of a single campaign – the current IT incident. Coinbase has not paid the attackers' demand for money and is cooperating with law enforcement in the investigation of the incident.

According to Coinbase, passwords and private keys were not affected, and the contractors and external employees were also unable to access customer deposits. However, the perpetrators were able to copy the following data: name, address, phone and email, partially anonymized social security number (last four digits recognizable), anonymized bank account numbers, images of government-issued identification such as driver's licenses or passports, account data such as balance snapshots and transaction history, and limited company data such as documents, training materials and communications accessible to support staff.

Coinbase intends to tighten anti-fraud measures to mitigate the risk of the stolen information being misused in social engineering attacks. “To the extent that eligible retail customers have already transferred funds to the threat actor as a direct result of this incident, the company intends to voluntarily refund them upon completion of its review to confirm the facts.” Coinbase expects the incident to cost between 180 and 400 million US dollars (160 to 360 million euros).

The disclosure comes at a somewhat unfortunate time. Next Monday, Coinbase is to be included in the renowned S&P 500 index. Following the announcement of the index inclusion, Coinbase shares jumped as expected. However, the IT security incident has not yet had any impact on the crypto exchange's share price.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.