Coinbase Email Breach: Threat Actor Demands Ransom After Accessing Internal Data

In a chilling turn of events, Coinbase (NASDAQ: COIN) revealed it received an email on May 11, 2025, from an unidentified threat actor claiming access to customer and internal data. This actor demanded payment in exchange for silence—threatening to leak sensitive documents related to customer service systems. Investigations trace the breach to foreign contractors who abused their internal access for months before Coinbase’s security systems flagged the activity. Those involved were swiftly terminated, and affected customers were notified. The stolen data is no small matter: names, contact information, masked Social Security digits, bank account identifiers, ID images, and transaction histories were all compromised.

Coinbase has confirmed that no passwords or private keys were exposed, and customer funds remain untouched. Nonetheless, the risk of phishing and social engineering attempts looms large. The company is now building a new U.S.-based support hub and fortifying its fraud defenses. While operations remain stable, the financial blowback is significant. Coinbase anticipates costs between $180M and $400M for damage control and voluntary reimbursements, with the final number still evolving. Law enforcement is involved, and the crypto giant promises to pursue every legal remedy. This email wasn’t just a warning—it spotlighted a critical weak link in Coinbase’s global workforce model.
Source.