Full Report
Claims he reported the attack in January after fraudsters tried to scam him

A security researcher says Coinbase knew about a December 2024 security breach, during which miscreants bribed its support staff into handing over almost 70,000 customers' details, at least four months before it disclosed the data theft.…
Analysis Summary
# Incident Report: Coinbase Support Staff Compromise and Delayed Disclosure
## Executive Summary
A security researcher, Jonathan Clark, alleges that Coinbase suffered a significant data breach in December 2024 where internal support staff credentials were compromised, potentially through bribery, leading to the theft of data belonging to nearly 70,000 customers. Clark discovered this compromise after being targeted by an attempted social engineering scam in January 2025 that utilized the stolen data, which he then reported to Coinbase that same day. Coinbase reportedly failed to act on the researcher's detailed report for four months, ultimately disclosing the breach only in May 2025.
## Incident Details
- Discovery Date: January 7, 2025 (Disclosed via security report by Jonathan Clark)
- Incident Date (Alleged Breach): December 26, 2024
- Incident Date (Observed Impact): January 7, 2025 (Social engineering attempt against Clark)
- Affected Organization: Coinbase
- Sector: Financial Technology (Cryptocurrency Exchange)
- Geography: Undisclosed (Attack observed in US context)
## Timeline of Events
### Initial Access
- Date/Time: December 2024 (exact date not stated; the access preceded the December 26, 2024 exfiltration)
- Vector: Insider Threat / Bribery of Support Staff
- Details: Miscreants bribed Coinbase support staff to gain access to sensitive customer data.
### Lateral Movement
- Date/Time: Before December 26, 2024 (internal controls were circumvented ahead of the exfiltration).
- Vector: Staff Access / Internal Systems
- Details: Attackers utilized compromised employee credentials to access customer records within the internal systems.
### Data Exfiltration/Impact
- Date/Time: On or before December 26, 2024.
- Details: Theft of personally identifiable information (PII) and financial data for 69,461 customers.
### Detection & Response
- Date/Time (Researcher Detection): January 7, 2025. Researcher Jonathan Clark was targeted by a scam using detailed stolen data, prompting him to report the intrusion to Coinbase security@.
- Date/Time (Coinbase Acknowledgment): January 7, 2025. Head of Trust and Safety, Brett Farmer, acknowledged receipt and promised an investigation.
- Date/Time (Coinbase Inaction): January 7 to early May 2025. The researcher sent four follow-up reports and received no further substantive reply.
- Date/Time (Official Disclosure): May 2025 (Reported to SEC).
## Attack Methodology
- Initial Access: Bribery/Compromise of Support Staff Accounts (Insider Threat vector).
- Persistence: Not explicitly detailed; access was likely sustained through the compromised support tooling or ongoing collusion with the bribed staff.
- Privilege Escalation: Not applicable in the traditional sense; access was granted via compromised authorized credentials.
- Defense Evasion: Not applicable, as access relied on legitimate, albeit misused, employee permissions.
- Credential Access: Bribing support staff implies either direct disclosure of staff credentials or misuse of the staff members' own authenticated sessions.
- Discovery: The researcher discovered the data compromise by being the target of a highly detailed social engineering attack stemming from the stolen data.
- Lateral Movement: Movement was focused on accessing the centralized customer database tier accessible to support personnel.
- Collection: Gathering of PII, financial details, transaction history, and account metadata.
- Exfiltration: Direct data transfer from internal systems via compromised staff endpoints/access methods.
- Impact: Unauthorized disclosure of sensitive user data.
## Impact Assessment
- Financial: Undisclosed costs associated with the breach/response; potential costs related to fraud committed against affected customers.
- Data Breach: **69,461 customer records** compromised. Data included: Name, Date of Birth, Last Four SSN digits, Address, Phone Number, Email Address, Driver's License Number, Passport Number, National Identity Card Number, Transaction History, Balance, Transfer Data, and Account Opening Date.
- Operational: Potential disruption to customer trust and internal ticketing systems due to high-volume follow-up reporting.
- Reputational: Significant negative impact due to the four-month delay between actionable reporting and public disclosure.
## Indicators of Compromise
- Network indicators: Phishing email source identified as Amazon SES (not Coinbase official servers).
- Behavioral indicators: Outbound call utilized a Google Voice number rather than a corporate line. Attackers demonstrated deep knowledge of the victim's specific account details.
## Response Actions
- Containment: Coinbase purportedly began an investigation after January 7, 2025, though efficacy and timeline are disputed.
- Eradication: Implied but undocumented steps, taken between May and November 2025 after formal acknowledgment, to mitigate the data exposure vectors and restrict staff access.
- Recovery actions: Not detailed in the source material, beyond the public filing made in May 2025.
## Lessons Learned
- **Insider Threat Handling:** The case highlights a critical failure in process when receiving a high-quality, actionable security report from an external researcher.
- **Internal Controls:** The ability for miscreants to bribe support staff indicates weak access controls or insufficient security monitoring around high-privilege customer data access points.
- **Incident Disclosure Timing:** The perceived four-month delay between actionable discovery (Jan 7) and public disclosure (May) suggests a significant internal backlog or unwillingness to disclose the scope of the internal compromise promptly.
## Recommendations
- Immediately review and enhance logging and auditing of all customer data access performed by Level 1/2 support staff.
- Implement stricter authentication and authorization protocols, specifically separating duties and limiting the scope of data viewable by general support personnel.
- Establish a formalized, high-priority triage and escalation path for comprehensive security reports received via the security@ email alias, bypassing standard support queues.
- Conduct mandatory retraining focusing on social engineering tactics targeting internal staff, emphasizing that proof of identity must come from verified, corporate channels, not by revealing customer data.
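The first recommendation, auditing customer-record access by front-line support staff, is the kind of control that only helps if someone actually reviews the audit trail. The script below is an added example and is not code from the article, from the researcher or from Coinbase; the log format, agent names, ticket references, thresholds and working hours are all constructed assumptions. It parses a small audit log and flags agents whose access pattern does not look like normal ticket-driven work: record views with no associated ticket, views outside business hours, bulk export actions, and a burst of distinct record views inside a short window.

```python
"""Review support-staff access to customer records for patterns that do not
match ordinary ticket-driven work.

Added example, not from the article or the affected organization. The log
format, agent names, ticket ids, thresholds and working hours are constructed
assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines. Format (assumed):
#   <ISO-8601 UTC timestamp> agent=<id> action=<name> customer=<id> ticket=<id or ->
SAMPLE_AUDIT_LOG = """\
2024-12-26T09:01:10Z agent=alice action=view_customer customer=c1001 ticket=T-501
2024-12-26T09:03:44Z agent=alice action=view_customer customer=c1002 ticket=T-502
2024-12-26T09:07:02Z agent=bob action=view_customer customer=c2001 ticket=T-510
2024-12-26T22:14:05Z agent=carol action=view_customer customer=c3001 ticket=-
2024-12-26T22:14:09Z agent=carol action=view_customer customer=c3002 ticket=-
2024-12-26T22:14:12Z agent=carol action=view_customer customer=c3003 ticket=-
2024-12-26T22:14:15Z agent=carol action=export_customer customer=c3004 ticket=-
2024-12-26T22:14:18Z agent=carol action=view_customer customer=c3005 ticket=-
2024-12-26T22:14:21Z agent=carol action=view_customer customer=c3006 ticket=-
"""


def parse_audit_log(text):
    """Turn audit lines into dicts with a parsed 'ts' plus the key=value fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        fields = dict(pair.split("=", 1) for pair in pairs)
        fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(fields)
    return events


def detect_anomalous_access(events, max_per_window=5, window_seconds=600,
                            work_hours=(8, 19)):
    """Return {agent: sorted reasons} for agents whose access looks abnormal.

    Thresholds are assumed values; in practice they would be derived from each
    team's observed baseline. Reasons raised:
      no_ticket    record accessed with no ticket reference
      off_hours    access outside the configured working hours (UTC)
      bulk_export  an export action rather than a single-record view
      high_volume  more than max_per_window accesses within window_seconds
    """
    by_agent = defaultdict(list)
    for event in events:
        by_agent[event["agent"]].append(event)

    findings = {}
    window = timedelta(seconds=window_seconds)
    for agent, agent_events in by_agent.items():
        agent_events.sort(key=lambda e: e["ts"])
        reasons = set()
        for i, event in enumerate(agent_events):
            if event["ticket"] == "-":
                reasons.add("no_ticket")
            if not (work_hours[0] <= event["ts"].hour < work_hours[1]):
                reasons.add("off_hours")
            if event["action"] == "export_customer":
                reasons.add("bulk_export")
            # Sliding window: count this agent's accesses in the last window.
            in_window = sum(1 for prior in agent_events[: i + 1]
                            if event["ts"] - prior["ts"] <= window)
            if in_window > max_per_window:
                reasons.add("high_volume")
        if reasons:
            findings[agent] = sorted(reasons)
    return findings


if __name__ == "__main__":
    for agent, reasons in detect_anomalous_access(parse_audit_log(SAMPLE_AUDIT_LOG)).items():
        print(f"{agent}: {', '.join(reasons)}")
```

On the constructed sample, alice and bob look like ordinary ticket-backed work and produce no findings, while carol trips all four rules. The point of keying on ticket linkage and access rate, rather than on whether the login was valid, is that in this incident the credentials were legitimate; what distinguished the misuse was the volume and context of the record access, which is exactly what a support-tier audit trail should surface.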