Incident · Cyber Criminals

Coinbase Global, Inc. · COIN

Financials · USA · Incident May 11, 2025 · Filed May 15, 2025
Impact score
Business continuity
Insurance involved: Not disclosed
Filing: 8-K · 1.05

Breach taxonomy

Cyber Criminals · Data Exfil · Priv Abuse · Personal Data · Confidential Biz · Cyber Extortion · Info Privacy Loss

Summary

On May 11, 2025, Coinbase received an extortion demand from an unknown threat actor who had bribed multiple contractors and employees in overseas support roles to steal customer data from internal systems. The stolen data included names, addresses, phone/email, partial SSNs, masked bank account numbers, government ID images, and account balances/transaction histories. Coinbase refused the ransom demand, terminated the implicated personnel, and is cooperating with law enforcement. The company estimated preliminary expenses of approximately $180 million to $400 million for remediation costs and voluntary customer reimbursements; no customer passwords, private keys, or funds were compromised.

Tagging rationale

Threat: Cyber Criminals

Filing states 'an unknown threat actor' demanded money after orchestrating a bribery scheme against support contractors to steal data, indicating financially motivated cybercriminals -> CYBER-CRIMINALS.

Methods: Data Exfil · Priv Abuse

The threat actor paid contractors/employees to collect customer data from internal systems using their legitimate access beyond business need (PRIV-ABUSE), resulting in active data exfiltration from Coinbase systems (DATA-EXFIL).

Assets: Personal Data · Confidential Biz

Stolen data included customer names, addresses, phone/email, partial SSNs, masked bank account numbers, government ID images, account data (balance snapshots and transaction history), and limited corporate documentation -> PERSONAL-DATA and CONFIDENTIAL-BIZ.

Effects: Cyber Extortion · Info Privacy Loss

The threat actor demanded money in exchange for not disclosing the stolen data (CYBER-EXTORTION); significant customer PII including partial SSNs and government IDs was stolen (INFO-PRIVACY-LOSS).

Impact

Estimated remediation costs and voluntary customer reimbursements of $180M-$400M; large-scale theft of sensitive PII including partial SSNs and government IDs from a major financial services platform; refused ransom demand; law enforcement investigation ongoing -> score 5.

Insurance: Not disclosed

Filing makes no mention of insurance -> null.

Original SEC filing excerpt
Item 1.05 Material Cybersecurity Incident. On May 11, 2025, Coinbase, Inc., a subsidiary of Coinbase Global, Inc. ("Coinbase" or the "Company"), received an email communication from an unknown threat actor claiming to have obtained information about certain Coinbase customer accounts, as well as internal Coinbase documentation, including materials relating to customer-service and account-management systems. The communication demanded money in exchange for not publicly disclosing the information. The threat actor appears to have obtained this information by paying multiple contractors or employees working in support roles outside the United States to collect information from internal Coinbase systems to which they had access in order to perform their job responsibilities. These instances of such personnel accessing data without business need were independently detected by the Company's security monitoring in the previous months. Upon discovery, the Company had immediately terminated the personnel involved and also implemented heightened fraud-monitoring protections and warned customers whose information was potentially accessed in order to prevent misuse of any compromised information. Since receipt of the email, the Company has assessed the email to be credible, and has concluded that these prior instances of improper data access were part of a single campaign (the "Incident") that succeeded in taking data from internal systems. The Company has not paid the threat actor's demand and is cooperating with law enforcement in the investigation of this Incident. The Incident did not involve the compromise of passwords or private keys, and at no time were any of the targeted contractors or employees able to access customer funds. 
While the Company is still investigating the affected data, it included: Name, address, phone, and email; Masked Social Security (last 4 digits only); Masked bank-account numbers and some bank account identifiers; Government-ID images (e.g., driver's license, passport); Account data (balance snapshots and transaction history); and Limited corporate data (including documents, training material, and communications available to support agents). The Company is continuing to review and bolster its anti-fraud protections to mitigate the risk that the compromised information could be used in social-engineering attempts. To the extent any eligible retail customers previously sent funds to the threat actor as a direct result of this Incident, the Company intends to voluntarily reimburse them after it completes its review to confirm the facts. The Company is also in the process of opening a new support hub in the United States and taking other measures to harden its defenses to prevent this type of incident. While Coinbase has not experienced material operational impacts from these events as of the date hereof, the full financial impact of the Incident on the Company is still in the process of being assessed. Based on the information available to the Company on the date hereof and based on facts that continue to evolve, the Company has preliminarily estimated expenses to be within the range of approximately $180 million to $400 million relating to remediation costs and voluntary customer reimbursements relating to this Incident, prior to further review of potential losses, indemnification claims, and potential recoveries.