Coinbase says hackers bribed staff to steal customer data, demanding $20M ransom
Scope of the breach
- Commenters highlight that far more than “basic” data was taken: names, addresses, phone numbers, emails, the last four digits of SSNs, masked bank info, government ID images, balances, and transaction histories.
- Several note this is exactly the kind of data often used for account recovery and identity verification, compounding the risk.
Ransom vs. reward fund
- Some praise Coinbase’s stance of refusing the $20M ransom and instead offering a $20M reward for information leading to arrests, seeing it as discouraging future extortion.
- Others say from an individual’s perspective they would rather Coinbase pay to “contain” their PII, though many respond that you can’t trust criminals to delete data and paying only invites more attacks.
Notification and messaging quality
- Multiple users say the breach email was buried in corporate phrasing (“Important notice”) and didn’t foreground “your data was exposed,” leading to anger rather than trust.
- Some report support agents seemingly unaware of the breach when contacted, undermining confidence in the response.
Outsourced support and insider threats
- Heavy debate over Coinbase’s emphasis on “overseas” support agents. Many see this as scapegoating instead of owning poor access control and monitoring.
- Others argue insider bribery happens onshore too; location matters less than pay, vetting, and compartmentalization.
- Several insist frontline CS should not have bulk access to ID scans and full PII; access should be tightly scoped, logged, and rate‑limited.
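
The scoping, logging and rate limiting that commenters call for, sketched as an added example (not Coinbase's code and not from the discussion). Role names, field names, the limit and the window are assumptions chosen for illustration.

```python
import time
from collections import defaultdict, deque

# Hypothetical policy: which customer fields each support role may read.
ROLE_FIELDS = {
    "frontline": {"name", "email", "phone_last4"},
    "kyc_review": {"name", "email", "phone_last4", "id_image", "ssn_last4"},
}
MAX_LOOKUPS = 3          # distinct customers per agent per window (assumed)
WINDOW_SECONDS = 3600

class SupportAccessGate:
    def __init__(self, assignments, clock=time.time):
        self.assignments = assignments    # agent -> customers with an open ticket
        self.clock = clock
        self.recent = defaultdict(deque)  # agent -> (timestamp, customer) grants
        self.audit = []                   # every decision, allowed or denied

    def _decide(self, agent, role, customer, fields):
        now = self.clock()
        window = self.recent[agent]
        while window and now - window[0][0] > WINDOW_SECONDS:
            window.popleft()              # forget grants older than the window
        if customer not in self.assignments.get(agent, set()):
            return "deny:no_open_ticket", set()
        denied = set(fields) - ROLE_FIELDS.get(role, set())
        if denied:
            return "deny:field_out_of_scope:" + ",".join(sorted(denied)), set()
        seen = {c for _, c in window}
        if customer not in seen and len(seen) >= MAX_LOOKUPS:
            return "deny:rate_limited", set()
        window.append((now, customer))
        return "allow", set(fields)

    def request(self, agent, role, customer, fields):
        decision, granted = self._decide(agent, role, customer, fields)
        self.audit.append({"ts": self.clock(), "agent": agent, "customer": customer,
                           "fields": sorted(fields), "decision": decision})
        return decision, granted

def demo():
    """Constructed scenario: one frontline agent with four open tickets."""
    now = [0.0]
    gate = SupportAccessGate({"agent7": {"c1", "c2", "c3", "c4"}}, clock=lambda: now[0])
    asks = [("c1", {"name", "email"}), ("c1", {"id_image"}), ("c9", {"name"}),
            ("c2", {"name"}), ("c3", {"name"}), ("c4", {"name"})]
    results = []
    for customer, fields in asks:
        results.append(gate.request("agent7", "frontline", customer, fields)[0])
        now[0] += 60
    return results, gate
```

Denied requests land in the audit log alongside granted ones, so a run of `deny:no_open_ticket` or `deny:rate_limited` entries for one agent is itself a signal worth alerting on.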
KYC, data retention, and regulation
- A strong thread blames KYC/AML laws for forcing companies to collect and retain highly sensitive data that then leaks, calling it a national‑security risk.
- Others counter that KYC is necessary; the real failure is Coinbase’s security architecture and long‑term storage of raw ID images.
Security architecture and account risk
- Concern that leaked KYC data will be usable to bypass account recovery checks or fuel targeted phishing and SIM‑swap attempts.
- Suggestions include hardware 2FA (YubiKeys), stricter role separation, ISO‑like standards on what CS can see/do, and in‑person recovery options that would turn Coinbase into a de facto bank.
Broader consequences and physical risk
- Several report a sharp rise in Coinbase‑themed phishing calls and texts in recent weeks, suspecting this breach as the source.
- A detailed subthread warns that combining balances, addresses, and ID images increases risk of kidnapping and physical extortion of “whale” customers, citing recent crypto‑related abductions in other contexts.