Date of Incident:
December 2024
Overview:
In December 2024, Coinbase experienced an insider breach in which a contractor improperly accessed sensitive customer data belonging to about 30 users. The breach involved unauthorized use of support tools to obtain personal information, including email addresses, names, dates of birth, phone numbers, KYC details, and cryptocurrency wallet data. The incident was reported in February 2026. Coinbase responded by notifying affected users and offering identity theft protection. The breach was linked to techniques such as abuse of legitimate credentials and account access removal, with evidence found in access logs and anomalous API calls.
Impact:
Improper access to customer information of approximately 30 users by a contractor; data included email addresses, names, date of birth, phone numbers, KYC information, cryptocurrency wallet balances, and transactions. Impacted users were notified and given identity theft protection services.
Details:
This breach involved a malicious insider (a contractor) gaining unauthorized access to support tools containing sensitive customer information. The attack maps to the MITRE ATT&CK techniques T1078 (Valid Accounts), for abuse of legitimate credentials, and T1531 (Account Access Removal). The PoC involved improper use of the support tool interface to extract PII and KYC data, cryptocurrency wallet balances, and transaction records without triggering standard alarms. Key IOCs include the compromised contractor's access logs from December 2024, anomalous API calls to the support backend, and snapshot files of support tool interface screenshots captured during the unauthorized sessions. Relevant logs showed timestamped access outside typical business hours and altered audit log entries indicating deletion attempts to evade detection.
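The three evidence types named above (access outside business hours, audit-log deletion attempts, and unusual volume of calls to the support backend) are each easy to express as a rule over support-tool access logs. The following detector is an added example written for this page, not Coinbase's tooling; the log format, field names, business-hours window, record threshold and the sample lines themselves are all constructed assumptions.

```python
"""Rule-based detection of insider misuse of a customer-support tool.

Added illustration for this incident summary; not Coinbase's code.
Log format, field names and thresholds are assumptions for the example.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log lines (not real data). Assumed format:
# <ISO timestamp> <user> <action> <endpoint> <records_touched>
SAMPLE_LOGS = """\
2024-12-03T10:15:02 contractor_a VIEW_CUSTOMER /support/customer 1
2024-12-03T10:22:40 contractor_a VIEW_CUSTOMER /support/customer 1
2024-12-03T23:41:10 contractor_b VIEW_CUSTOMER /support/customer 1
2024-12-03T23:42:05 contractor_b EXPORT_KYC /support/kyc 12
2024-12-03T23:44:31 contractor_b VIEW_WALLET /support/wallet 14
2024-12-03T23:47:12 contractor_b DELETE_AUDIT /support/audit 1
2024-12-04T09:05:00 analyst_c VIEW_CUSTOMER /support/customer 1
"""

BUSINESS_HOURS = (8, 18)                      # assumed 08:00-18:00 window
RECORD_THRESHOLD = 10                         # assumed per-user record cap per log window
AUDIT_ACTIONS = {"DELETE_AUDIT", "MODIFY_AUDIT"}  # assumed audit-tampering actions


def parse_line(line):
    """Split one space-separated log line into a typed event dict."""
    ts, user, action, endpoint, records = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "user": user,
        "action": action,
        "endpoint": endpoint,
        "records": int(records),
    }


def detect(log_text):
    """Return {user: sorted list of alert names} for every user that trips a rule.

    Rules mirror the evidence types in the incident details:
    - after_hours_access: event timestamp outside BUSINESS_HOURS
    - audit_log_tampering: action that deletes or modifies audit entries
    - bulk_record_access: cumulative records touched exceeds RECORD_THRESHOLD
    """
    alerts = defaultdict(set)
    records_by_user = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        user = event["user"]
        hour = event["ts"].hour
        if not (BUSINESS_HOURS[0] <= hour < BUSINESS_HOURS[1]):
            alerts[user].add("after_hours_access")
        if event["action"] in AUDIT_ACTIONS:
            alerts[user].add("audit_log_tampering")
        records_by_user[user] += event["records"]
        if records_by_user[user] > RECORD_THRESHOLD:
            alerts[user].add("bulk_record_access")
    return {user: sorted(names) for user, names in alerts.items()}


if __name__ == "__main__":
    for user, names in detect(SAMPLE_LOGS).items():
        print(f"{user}: {', '.join(names)}")
```

On the constructed sample only contractor_b is flagged, on all three rules at once; contractor_a and analyst_c work inside the window and stay under the record cap. In a real deployment the audit-tampering rule is the one to treat as highest severity, since it is the signal an insider is trying to remove, and the record threshold should be tuned per role rather than set globally.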
Remediation:
Coinbase has advised immediate revocation of all contractor access privileges, enforcement of multi-factor authentication (MFA) for support tool access, and deployment of stricter role-based access control (RBAC) policies. A vendor patch included enhanced monitoring of support tool activities and alerting on suspicious screen capture tools. Temporary mitigations involve disabling external screenshot capabilities in support sessions and conducting mandatory security awareness training for contractors.
Takeaway for CISO:
The breach highlights the risk of insider threats in privileged access environments, emphasizing the need for granular access controls and continuous monitoring of internal user behavior. CISOs should prioritize strengthening identity verification and anomaly detection systems to prevent insider data leaks. The incident underscores that even well-guarded external-facing platforms can be compromised from within, mandating a layered security architecture.
