The Coinbase data breach exposed the personal data of 69,461 customers after criminals bribed overseas support contractors to extract records from internal systems. Coinbase disclosed it on May 15, 2025, along with a $20 million ransom demand it refused to pay. The company expects the breach to cost between $180 and $400 million. It has triggered a consolidated federal lawsuit, mass arbitration, a securities case over a 7.2% stock drop, and a DOJ investigation.
Table of Contents
ToggleCoinbase Data Breach: Key Facts
| Customers affected | 69,461 (Maine Attorney General filing) |
| The breach began | December 26, 2024 (court filings say possibly September 2024) |
| Detected / disclosed | May 11, 2025 (extortion email) / May 15, 2025 (SEC 8-K and blog post) |
| Attack method | Insider bribery at an outsourced support center |
| Ransom demanded | $20 million. Refused. Coinbase put a $20M bounty on the attackers instead |
| Estimated cost | $180 to $400 million, per Coinbase’s SEC filing |
| Stock impact | COIN fell 7.2% to $244 on disclosure day |
| Legal status | Consolidated federal MDL, a lawsuit against vendor TaskUs, a securities class action. No settlement yet |
| Funds or passwords stolen? | No. But the stolen data fueled scams that cost victims tens of millions |
Coinbase Data Breach Lawsuit: Status Tracker (July 2026)
| Case | Court | Status |
|---|---|---|
| Consumer class actions (consolidated) | MDL No. 3153, S.D.N.Y., Judge Edgardo Ramos | Active. Around 20 pending actions. Coinbase’s motion to compel arbitration awaits a ruling. No settlement |
| Greenbaum Olbrantz v. TaskUs | S.D.N.Y. | Active. Amended complaint names an insider suspect. TaskUs has moved to dismiss and disputes the alleged scale |
| Securities class action (stock drop) | Federal court | Active, now on its third amended complaint. No settlement |
| Mass arbitration campaigns | Private arbitration | Ongoing sign-ups by consumer law firms |
No zero-day. No cracked encryption. No blockchain flaw. The attackers paid the people who already had access to the customer database, and that was enough. If you needed one case to prove that people, not systems, are the most exploited attack surface in security, this is it.
Below: how the breach happened, where every lawsuit stands, why the stock dropped, what affected customers should do, and what security teams can copy from Coinbase’s mistakes.
What Happened in the Coinbase Data Breach?
Criminals bribed support contractors at an outsourced facility to steal data on 69,461 Coinbase customers, then demanded $20 million to keep it quiet. Coinbase refused, went public, and offered $20 million for information leading to the attackers’ arrest.
Coinbase Data Breach Timeline
September 2024: An amended class action complaint alleges that a support agent at TaskUs, the Texas-based outsourcing firm running Coinbase support from Indore, India, started stealing customer data. Court filings say she photographed internal support screens with her phone, up to 200 customer records a day, and was paid around $200 per photo by hackers tied to a criminal group called “the Comm.” She allegedly recruited supervisors and team leaders, turning solo theft into what plaintiffs describe as a hub-and-spoke conspiracy.
December 26, 2024: The start date of unauthorized access, per Coinbase’s regulatory filing.
January 2025: The alleged central insider was arrested. Investigators say her phone held data belonging to more than 10,000 Coinbase customers. The same month, TaskUs fired 226 employees at its Indore facility. Court filings claim the scheme had spread so far that the company could not identify everyone involved. TaskUs disputes that account and says its investigation found two employees who stole data; both were reported to Coinbase and fired immediately.
May 11, 2025: Coinbase received an extortion email demanding $20 million, claiming the sender held customer data and internal documents.
May 15, 2025: Coinbase disclosed the breach in an SEC Form 8-K and a blog post, refused the ransom, and announced the reward fund. Notification emails went out that morning. COIN fell 7.2% by market close.
August 2025: The Judicial Panel on Multidistrict Litigation consolidated the customer lawsuits into MDL No. 3153 in the Southern District of New York.
What Customer Data Was Exposed?
- Full names, dates of birth, home addresses, phone numbers, and email addresses
- Last four digits of Social Security numbers
- Masked bank account numbers and bank identifiers
- Images of government-issued IDs, including driver’s licenses and passports
- Account balances and transaction history
- Some internal documents, training material, and support communications
Passwords, private keys, seed phrases, and 2FA codes were not exposed. No funds were taken directly from accounts.
Cold comfort, though. A scammer who knows your name, phone number, ID, and exact account balance sounds completely legitimate on the phone.
How Did Scammers Use the Stolen Coinbase Data?
The attackers posed as Coinbase support in calls and messages. Victims were told their accounts were at risk and talked into “securing” funds by moving crypto to wallets the attackers controlled.
The fallout:
- Blockchain investigators traced more than $65 million in losses to scams connected to the stolen data.
- In one reported case, a 72-year-old woman lost $36,000 to a caller who could recite her real account details.
- Court filings describe victims bombarded daily by scam calls and texts. Some, whose crypto holdings are now known to criminals, say they have hired bodyguards out of fear of physical attacks. Their lawyers argue the “less than 1% of users” framing vastly underestimates the real-world blast radius.
83% of organizations have experienced vishing attempts aimed at extracting OTPs or getting MFA prompts approved. Once attackers hold your personal data, a phone call is their best weapon. That is the reason vishing awareness and simulation training now sit on so many security roadmaps.
Who Are “the Comm”? The Hackers Behind the Breach
Not Russian ransomware gangs. Not North Korean state hackers. A Fortune investigation traced the attack to a loose network of English-speaking teenagers and twentysomethings who call themselves “the Comm,” short for the Community.
One person claiming to be among the hackers exchanged Telegram messages with Fortune in the days after the disclosure, sharing screenshots of extortion emails with Coinbase’s security team. Two independent security researchers who spoke with him found the account credible. The tone of the exchanges was pure contempt: alongside the $20 million Bitcoin demand, the hackers joked about spending part of the proceeds on the Coinbase CEO’s appearance.
And according to a person familiar with the incident, the same crew targeted other outsourcing firms too, in some cases successfully.
How Did Coinbase Respond to the Data Breach?
Coinbase’s response:
- Turned the $20 million ransom demand into a $20 million bounty on the attackers.
- Reimbursed customers who were tricked into sending crypto to the scammers.
- Gave affected customers a year of free credit monitoring and identity protection.
- Fired the insiders on the spot, referred them to US and international law enforcement, and ended its relationship with TaskUs.
- Tagged the attackers’ wallet addresses with industry partners so authorities can track and work to recover stolen funds.
- Added safeguards: extra ID checks on large withdrawals from flagged accounts, scam warnings inside the product, a new US-based support hub, and more investment in insider threat detection.
- Cooperated with law enforcement, including a US Department of Justice investigation.
Coinbase Data Breach Lawsuit: Where Do the Cases Stand?
The litigation runs on three tracks: the consolidated consumer cases, a lawsuit against the vendor TaskUs, and a securities class action over the stock drop.
1. The Consumer MDL and Mass Arbitration
In August 2025, the Judicial Panel on Multidistrict Litigation consolidated the scattered customer lawsuits into a single proceeding: In re Coinbase Customer Data Security Breach Litigation, MDL No. 3153, in the Southern District of New York before Judge Edgardo Ramos. The panel picked New York partly because Coinbase has corporate offices there and a major data center nearby. By early 2026 the MDL held around 20 pending actions, with claims including negligence, breach of implied contract, breach of fiduciary duty, invasion of privacy, and unjust enrichment.
The fight that matters most is procedural. Coinbase filed a motion to compel arbitration, pointing to the arbitration clause in its user agreement. If the court grants it, most customers will pursue individual arbitration rather than a class trial. As of mid-2026, no ruling on that motion has been publicly recorded, and no settlement has been reported. In parallel, several consumer firms are running mass arbitration campaigns, filing thousands of individual claims at once.
2. The TaskUs Lawsuit
The law firm Greenbaum Olbrantz sued TaskUs directly. Suing the vendor keeps the case in open court and gets around Coinbase’s arbitration clause. The amended complaint:
- Names a former TaskUs employee at the Indore facility as the central suspect and cites a cooperating whistleblower
- Describes the screen-photographing scheme, the $200-per-image payments, and the recruitment of supervisors into the operation
- Alleges TaskUs tried to bury internal knowledge of the breach, including by firing HR staff who were investigating it, and stayed silent in regulatory filings while a $1.6 billion acquisition deal was in progress
TaskUs has moved to dismiss, calls the allegations meritless, and maintains that only two employees were involved.
3. The Coinbase Data Breach Lawsuit Over the Stock Drop
On May 22, 2025, investor Brady Nessler filed a securities class action arguing that Coinbase’s delayed disclosure kept its stock artificially high, and shareholders paid for it when the truth came out.
The facts behind the stock drop claim:
- COIN fell 7.2% on May 15, 2025, closing at $244.
- The breach started in December 2024 but was not disclosed until May 2025. Reuters reported that Coinbase learned of the breach months earlier, possibly as early as January 2025, when TaskUs fired the employees involved. That timeline is now the heart of the case: if the company knew in January, shareholders argue, the market should not have found out in May.
- Defendants include Coinbase, CEO Brian Armstrong, and CFO Alesia Haas. The proposed class covers investors who bought COIN between April 14, 2021, and May 14, 2025.
- The complaint also cites a previously undisclosed £3.5 million UK FCA fine against subsidiary CB Payments, which caused an earlier 5.52% drop.
- Coinbase’s own $180 to $400 million cost estimate appears in the suit as proof of material impact.
The case remains active in 2026, now on its third amended complaint, with no settlement reported. SEC cybersecurity rules require prompt disclosure of material breaches, and a months-long gap between knowledge and disclosure is exactly what securities plaintiffs and regulators go looking for.
Has Coinbase Been Breached Before?
Yes, and the pattern is hard to ignore.
In 2021, hackers gained unauthorized access to accounts on the platform, and Coinbase had to notify more than 6,000 customers. Some lost cryptocurrency, and the exposed data carried an identity theft risk on top of that.
In February 2023, the “0ktapus” group, which hit more than 130 companies, including Twilio, Cloudflare, and MailChimp, sent Coinbase employees a fake “important corporate notification” SMS linking to a spoofed login page. One employee entered their credentials. Hardware-key MFA blocked the direct login, so about 20 minutes later, the attacker called the same employee pretending to be Coinbase IT and talked them into installing remote access software. Coinbase’s detection tools flagged the activity within minutes, and the security team cut the attacker off before customer data was compromised. Limited employee contact information was exposed.
Three incidents, three different techniques: account takeover, SMS phishing followed by a vishing call, and finally insider bribery. Not one of them exploited a software vulnerability. Every single one went through a person.
What Was the Root Cause of the Coinbase Data Breach?
The root cause was human. Insiders at a third-party vendor were bribed to abuse access they legitimately had, and nobody noticed for months.
The research backs this up:
- A joint study by Stanford University researchers and Tessian found around 88% of data breaches are caused by human error. IBM Security research puts it as high as 95%.
- Oracle’s Security in the Age of AI report found C-suite executives rank human error as the top cybersecurity risk to their organizations.
- The average organization faces more than 700 social engineering attacks per year.
- Phishing remains the most common attack type, and financial services is among the most targeted sectors.
Those numbers usually get read as “train your employees.” The Coinbase breach shows the human layer is wider than that: it includes every contractor and vendor employee who can touch your data.
The economics tell you why bribery worked. Entry-level support staff at the Indore facility earn roughly $4,000 to $6,000 a year. The equivalent US role pays about $43,000. Against a $5,000 salary, $200 per photograph is not a bribe; it is a second income.
Coinbase is in familiar company here. The 2022 Uber breach occurred when an employee handed credentials to someone posing as a co-worker, giving attackers a path into systems that held consumer and financial data. OCBC Bank lost $13.7 million to an SMS phishing scam that fooled its customers. And Coinbase was not the only crypto target: criminals reportedly ran the same bribery playbook against Binance and Kraken employees. Binance blocked approaches using AI-driven monitoring of internal communications and restricting support agents’ access to customer data unless a verified customer initiated contact. That is the control set that failed at TaskUs; it works as intended elsewhere.
At Coinbase, three failures lined up:
- Privileged access without enough monitoring. Support contractors could view sensitive customer PII, and the theft, sometimes done by literally photographing screens, ran for months.
- Third-party blind spots. The breach happened at a vendor, not inside Coinbase. Your perimeter runs through every outsourced seat that can see your data.
- Bribery as social engineering. The attackers did not trick an insider. They paid one. Awareness, ethics, and a culture where staff report suspicious approaches are the only defenses that reach this vector.
The Bigger Lesson: Outsourced Support Is the New Attack Surface
Business process outsourcing keeps Big Tech’s support costs down by staffing operations overseas. It also hands thousands of low-paid workers direct access to customer PII, often in facilities the client never audits in person.
The Coinbase hackers understood this better than most security teams do. They did not attack Coinbase. They attacked the BPO. For an attacker, a BPO is the perfect target: one compromised facility can hold support-level access to a dozen major brands at once.
If your company uses outsourced support, the question is not whether your vendor’s staff will be approached. It is whether they will report the approach or take the money. That depends entirely on the controls and culture you demand from your vendors.
What Should Affected Coinbase Customers Do?
If your data was caught up in the Coinbase customer data breach:
- Treat every unsolicited “Coinbase” contact as hostile. Coinbase will never call to ask you to move funds, share a password or 2FA code, or install remote access software. Hang up. Reach support only through the official app or website.
- Check links before you click. Run anything claiming to be from Coinbase through a phishing URL checker first.
- Upgrade your 2FA. Move from SMS codes to an authenticator app, or better, a hardware key. A scam caller cannot talk a hardware key out of you.
- Use the free credit monitoring Coinbase offered, and consider a credit freeze, since ID images and partial SSNs were exposed.
- Watch your accounts. Stolen data circulates on dark web markets long after the breach itself.
- Know your legal options. Claims are moving through the MDL and mass arbitration, and Coinbase has committed to reimbursing users who were tricked into sending funds.
How Can Organizations Prevent a Coinbase-Style Data Breach?
Are your employees and your vendors’ employees actually equipped to stop a breach at their level? Coinbase had strong technical controls. They did not matter. Here is where CISOs and CIOs should focus.
Regular, Simulation-Based Training
Regular employee training against phishing, vishing, smishing, pretexting, and bribery approaches works best when it is hands-on. Staff who have faced realistic simulated attacks spot and report the real thing far more often. Threatcop Security Awareness Training (TSAT) simulates vishing and smishing attacks and tracks each employee’s vulnerability over time. Threatcop LMS (TLMS) replaces the once-a-year checkbox course with continuous, scenario-based learning.
Implement Security Protocols and Policies
Put the rules in writing: who can access what data, how it can be shared and stored, and what happens when someone suspects a breach. Verification procedures matter most. No employee should ever install remote access software or hand over credentials because of an unsolicited call. Coinbase built withdrawal verification, scam prompts, and insider threat detection after the breach. Build them before.
Extend Controls to Third-Party Vendors
This breach started at an outsourced support center. Wherever contractors handle customer PII: least-privilege access, data masking inside support tools, screen capture blocking, session recording and monitoring, anomaly detection on data access, and regular vendor audits. Binance’s playbook is worth copying: restrict support access to customer data unless a verified customer initiates contact, and monitor internal channels for recruitment approaches. A serious people security management program covers every human with access, on your payroll or not.
Deploy Phishing-Resistant MFA
Hardware security keys cannot be phished or read out over the phone the way SMS codes can. After the breach, attackers went straight for customers’ OTPs through impersonation calls. SMS-based 2FA was the weak link they were counting on.
Coinbase is a security-mature company, and it still got burned at the human level. Train your people, test them with simulations, watch for insider threats, and build a culture where verification comes before trust.
Coinbase Data Breach Statistics
- 69,461 customers had personal data stolen (Maine Attorney General filing)
- $180 to $400 million: Coinbase’s estimated remediation and reimbursement cost (SEC 8-K)
- $65+ million in customer scam losses traced by blockchain investigators
- 7.2%: COIN’s single-day stock drop on disclosure, closing at $244
- $20 million: the ransom demanded, matched by Coinbase’s bounty on the attackers
- $200: the alleged price paid per photographed customer record
- 200 records a day: the alleged peak theft rate by the central insider
- 10,000+ customers’ data found on one insider’s phone at her January 2025 arrest
- 226 employees fired at the TaskUs Indore facility in January 2025
- ~20 lawsuits consolidated in MDL No. 3153 as of early 2026
- 5 months between the breach starting (December 2024) and public disclosure (May 2025)
- $4,000 to $6,000: annual salary of entry-level support staff at the facility, versus roughly $43,000 for the equivalent US role
FAQs
What is the Coinbase data breach?
A 2025 incident in which criminals bribed overseas support contractors to steal the personal data of 69,461 Coinbase customers. Coinbase disclosed it on May 15, 2025, and refused a $20 million ransom demand.
Is there a Coinbase data breach lawsuit?
Yes. Customer lawsuits were consolidated into a federal MDL in the Southern District of New York; a separate class action targets vendor TaskUs; and shareholders filed a securities class action. Mass arbitration claims are also being filed.
What is the Coinbase MDL?
MDL No. 3153, In re Coinbase Customer Data Security Breach Litigation, is the consolidated federal proceeding before Judge Edgardo Ramos in the Southern District of New York. Around 20 actions are pending, and Coinbase's motion to send claims to arbitration awaits a ruling.
How do I know if I was affected by the Coinbase data breach?
Coinbase emailed every affected customer from [email protected] at 7:20 a.m. ET on May 15, 2025. If you did not receive that notice, your data was not part of the breach; if unsure, verify through support in the official Coinbase app.
This article is based on SEC filings, JPML transfer orders, court documents in MDL No. 3153, and reporting by Fortune, Reuters, Decrypt, and Infosecurity Magazine. Last reviewed July 2026.
Security Compliance Executive
Department: Compliance, Threatcop
Sanjana is a Security Compliance Executive working on best-of-the-industry-level compliances relevant from a cybersecurity perspective, their implementation, learning and outcomes in various business domains.
Security Compliance Executive Department: Compliance, Threatcop Sanjana is a Security Compliance Executive working on best-of-the-industry-level compliances relevant from a cybersecurity perspective, their implementation, learning and outcomes in various business domains.
