Coinbase disclosed on Thursday that cyber attackers stole sensitive customer information. The stolen data included names, emails, phone numbers, home addresses, portions of Social Security numbers, some bank account identifiers, and snippets of transaction history. The breach affected under 1% of Coinbase’s monthly trading customers.
Ransom Demand Met with Bounty Offer
Attackers demanded a $20 million ransom to keep the data private. Coinbase refused to pay. Instead, CEO Brian Armstrong announced a $20 million bounty for information leading to the attackers’ arrest and conviction. The company will also compensate any customers harmed by the incident.
Financial Impact of the Breach
In its SEC filing, Coinbase estimated the breach’s cost at $180 million to $400 million. A spokesperson clarified that most of these funds will fund the bounty program and customer compensation. Coinbase emphasized that no passwords or private wallet codes were exposed.
SEC Revisits User Metrics Reporting
On the same day, the New York Times reported that the U.S. Securities and Exchange Commission is probing whether Coinbase misreported historic user data. The inquiry focuses on the “verified users” metric, which Coinbase stopped reporting in early 2023. Chief Legal Officer Paul Grewal explained that the metric simply counted all customers who verified an email or phone number and may have overstated actual active users.
Legacy Investigation, Ongoing Cooperation
Grewal called the SEC’s review a “legacy investigation from the previous administration” into a metric Coinbase no longer uses. He said the company remains committed to working with the SEC to resolve the matter. The SEC declined to comment.
Setbacks Amid Recent Successes
These developments come after a string of victories for Coinbase. Last week, the exchange announced a $2.9 billion acquisition of crypto options platform Deribit. Earlier this week, Coinbase was added to the S&P 500 index, a milestone that CEO Armstrong said signals crypto’s growing mainstream acceptance.
Leadership Response and Next Steps
On Thursday morning, Armstrong posted on X to address concerns. He reassured users that Coinbase will not pay ransoms and is taking all steps to secure customer data. He also highlighted the company’s readiness to work with regulators and uphold transparency in its reporting practices.
Related topics:
