I have recordings proving Coinbase knew about breach months before disclosure

Legal and Regulatory Issues

  • Commenters discuss whether the described timeline violates SEC cyber-incident rules that require disclosure within four business days once an incident is deemed “material.”
  • Potential violations raised by commenters: late disclosure, misleading omissions to investors, inadequate internal controls, and broken disclosure processes; nothing in the thread establishes how regulators view the timeline.
  • On suing, several note the need to show concrete, quantifiable harm; user agreements and mandatory arbitration may further constrain options.

Did This Prove Coinbase “Knew”?

  • Some readers think the January report plus Coinbase’s acknowledgment (“robust report, investigating”) indicates early awareness of a systemic breach.
  • Others argue it only proves Coinbase knew of a sophisticated attack against one user, not that they had concluded a company-wide compromise.
  • Skeptics emphasize that customers are frequently compromised via malware, OSINT, or prior breaches, so initial suspicion naturally falls on the user.
  • A few other organizations/users report similar targeted scams in early 2025, suggesting a broader pattern but not conclusively tying it to Coinbase’s internal systems.

Email, DKIM, and Technical Confusion

  • Multiple commenters are puzzled how a phishing email could have a valid DKIM signature for coinbase.com.
  • Confusion centers on a claim that both amazonses.com and coinbase.com DKIM checks passed; several note that SES can only produce a signature that validates for d=coinbase.com if the matching public key is published under coinbase.com's DNS, implying either a misreading of the headers or a more serious compromise.
  • This part of the story is seen as unclear and under-documented in the blog post.
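As an added illustration (not code from the thread or the blog post), the following Python parser walks constructed headers resembling the message the commenters describe and shows why the d= tag settles the question: a DKIM signature verifies only against the key published at selector._domainkey.<d= domain>, so a signature that validates for d=coinbase.com needs a key in coinbase.com's zone regardless of which relay (SES or otherwise) produced it. Selector names, hashes and signature values in the sample are placeholders.

```python
import re

# Constructed sample, modelled on the thread's description of a message carrying
# signatures for both amazonses.com and coinbase.com. Selector names, hashes and
# signature values are illustrative placeholders, not data from the page.
SAMPLE_HEADERS = """\
From: Coinbase Security <no-reply@coinbase.com>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=amazonses.com;
 s=sesselector1; h=from:to:subject:date; bh=ZmFrZQ==; b=QUJD
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=coinbase.com;
 s=cbselector; h=from:to:subject; bh=ZmFrZQ==; b=REVG
"""

def unfold_headers(raw):
    """Join RFC 5322 folded continuation lines; return [(name, value), ...]."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()   # continuation of previous header
        else:
            lines.append(line)
    return [(n.strip().lower(), v.strip()) for n, _, v in (l.partition(":") for l in lines)]

def parse_dkim_tags(value):
    """Parse the tag=value list of a DKIM-Signature header (RFC 6376 section 3.2)."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            k, _, v = part.partition("=")
            tags[k.strip()] = "".join(v.split())  # drop folding whitespace
    return tags

def dkim_key_requirements(raw):
    """For each DKIM signature: which DNS name must publish the verifying key
    (only the d= domain's owner can do this) and whether d= aligns with From:."""
    headers = unfold_headers(raw)
    from_value = next((v for n, v in headers if n == "from"), "")
    m = re.search(r"@([\w.-]+)", from_value)
    from_domain = m.group(1).lower() if m else ""
    results = []
    for name, value in headers:
        if name != "dkim-signature":
            continue
        tags = parse_dkim_tags(value)
        d, s = tags.get("d", "").lower(), tags.get("s", "")
        results.append({
            "d": d,
            "dns_record": f"{s}._domainkey.{d}",   # TXT record a verifier fetches
            "aligned_with_from": bool(d) and (d == from_domain or from_domain.endswith("." + d)),
        })
    return results
```

The `aligned_with_from` field is the DMARC-style check: a passing amazonses.com signature says nothing about the From: domain, while a passing, aligned coinbase.com signature can only exist if that zone published the key for the selector.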

AI-Written Article and Style Backlash

  • A large subthread criticizes the article’s style as stereotypical “LLM slop”: overlong, heavy on bullets, dramatic section titles, neutral-but-grandiose tone.
  • The author confirms extensive AI assistance (transcription, structuring, drafting, editing) and defends it as a time-saver compared to not writing at all.
  • Many readers object that AI makes it too easy to generate thousands of words of marginal value, wasting reader time; some ask for explicit AI disclaimers so they can auto-summarize instead.
  • A minority defend the practice, arguing content should be judged on substance, not its production method.

Security, Outsourcing, and Crypto Context

  • The breach being linked to bribed overseas contractors at an outsourcing firm prompts calls to ban offshoring of sensitive financial data, with doubts about enforceability.
  • One commenter with Coinbase experience says the whiteboard-password anecdote refers to a building vendor, not Coinbase, and asserts Coinbase had a strong internal security culture.
  • Others broaden this to fintech/crypto generally, describing unreliable APIs, operational chaos, and frequent hacks, while noting that “Bitcoin” the protocol is distinct from exchanges like Coinbase.

User Experiences and Mitigations

  • Several users report Coinbase-themed scams (calls, emails, “security alerts”) in the same general period.
  • One highlights using unique, per-service email aliases so any mail to the leaked alias can be treated as hostile post-breach.
  • There is brief debate over self-custody vs custodial exchanges: “not your keys, not your coins” versus the high rate of lost wallets and keys.

Disclosure Practices and Trust

  • Some users say they only learned of the breach via social media, not direct notice, and question whether Coinbase’s customer communication met legal or ethical expectations.
  • Reports of failed account deletion, unresponsive privacy channels, and under-rewarded or buried vulnerability reports contribute to a perception that Coinbase’s handling of user data and security disclosures is opaque and self-protective.