Coinbase Confirms Insider Breach Resulting in Compromised Customer Information


Coinbase has publicly acknowledged a significant insider breach involving a contractor who accessed the personal data of approximately 30 customers without authorization. This incident underscores ongoing vulnerabilities in data security, particularly concerning insider threats.

A spokesperson for Coinbase confirmed that the situation arose when their security team detected unauthorized access by a contractor, resulting in a breach affecting a small number of users. Following this discovery, the contractor was terminated, and the impacted customers were promptly notified. They were also offered identity theft protection services as a precautionary measure, and the incident has been reported to regulatory authorities.

While few details of the breach have emerged, reports indicate that the incident may be linked to posts made by the ransomware group Scattered Lapsus$ Hunters (SLH). Notably, these posts included since-deleted screenshots that allegedly displayed an internal Coinbase support interface containing critical customer information, such as names, email addresses, dates of birth, and cryptocurrency wallet balances.

The screenshots were rumored to have been obtained through bribery, echoing a previous incident in May 2025 when cybercriminals successfully compromised Coinbase’s data through bribed overseas support agents. In that case, attackers stole and sought to ransom $400 million worth of customer data, leading Coinbase to issue a $20 million bounty for information on the perpetrators.

In both situations, the attackers may have exploited the insiders' privileges to gain access to sensitive information, which aligns with tactics documented in the MITRE ATT&CK framework. Techniques such as initial access through social engineering and privilege escalation may have been at play, facilitating unauthorized data access.

In the aftermath of the latest breach, Coinbase has reassured its users that no critical assets, including private keys or funds, were compromised. The company emphasized a commitment to safeguarding customer data and offering support to those who may have been affected, reaffirming its stance against cybercriminal activities.

As the cybersecurity landscape evolves, this incident serves as a reminder for business owners to maintain vigilance against insider threats and establish robust protocols to mitigate risks associated with unauthorized access to sensitive data. Adopting a proactive approach to security can help organizations safeguard their information and build resilience against future attacks.

