Coinbase, the largest US-based crypto exchange on trading volume metrics, is facing intense backlash after Thursday reports indicated a rogue employee leaked sensitive customer data.
Users have taken arms after reports suggest the risk was known months before the company disclosed the incident.
Users Outraged as Data Leak Happened Months Before Disclosure
The insider breach, which reportedly affected “less than 1 %” of Coinbase’s monthly active users, has sparked widespread outrage across the crypto community. Users report being targeted in sophisticated phishing and impersonation scams.
Among them is QwQiao, an alleged targeted victim who recounts the scam’s chilling precision. QwQiao, who works in customer support at Alliance DAO, said he almost fell victim but outsmarted the bad actors.
“…I called them out at the end of the call telling them they need to step up their game because this scam is retarded. They told me that they had made $7 million that day,” he stated.
Adam Cochran, a renowned X (Twitter) figure, condemned Coinbase’s failure to protect data like government IDs and physical addresses. He says this shortfall poses risks that far exceed financial loss.
“Coinbase’s disclosure here focuses on the stolen funds, but that’s irrelevant…No element of KYC/AML policy requires this kind of stuff to be accessible to your customer support agents. I don’t want to hear about what Coinbase is doing to recover funds – I want to hear what they are doing to better deal with private data,” he expressed.
The outrage comes amid allegations that the breach occurred as far back as January. Users and analysts say Coinbase’s supposed silence left users vulnerable for months.
“Coinbase knew they got their user data stolen since January, but said nothing until now? We’ve had endless reports of Coinbase users being drained by impersonators. Now we know why,” wrote Duo Nine, a renowned analyst.
According to Duo Nine, Coinbase’s supposed oversight puts even institutional holdings at a concentrated risk. Coinbase plays a dominant role in the crypto spot ETF (exchange-traded fund) market. Specifically, it provides custody services for eight of 11 Bitcoin ETFs and eight of nine Ethereum ETFs.
Coinbase exchange also offers trading execution and market surveillance services. Notably, this is not the first time its dominance in custody services has led to concerns about its position as a potential single point of failure.
“It doesn’t bode well that nearly all crypto ETF issuers have the same custodian for all their BTC and ETH. This makes Coinbase a potential single point of failure, and that’s scary,” Eleanor Terret said recently.
Coinbase did not immediately respond to BeInCrypto’s request for comment.
Risks of the Leak Are Unpredictable and Dangerous
Meanwhile, concerns arise that this breach is uniquely disturbing because Coinbase was not hacked. Instead, it was betrayed from within. A support employee accessed and sold customer data on the black market.
To some, this presents as a glaring failure of internal controls. Bob Loukas, a position trader, spoke plainly, calling out the exchange for a lack of proper disclosure.
“You know you’re sitting on the most sought-after data, and you allowed support agents to access it in bulk. That’s unacceptable,” Loukas stated.
The implications go beyond financial theft, with Rotki founder Lefteris Karapetsas warning that centralizing real-life identity data alongside crypto balances is a “disaster waiting to happen.”
“Coinbase just proved again why centralized data honeypots are a disaster waiting to happen. KYC means handing over your identity to be leaked, sold, or extorted. The combination of data exposed here (real-life addresses, crypto addresses, and amount and real-life ID documents) is lethal,” he posted.
Rotki is a portfolio tracking app, with Karapetsas, a data protection expert, referencing a recent kidnapping attempt involving a Paris crypto leader’s family. Ariel Givner, a corporate attorney specializing in fintech, confirmed the real-world fears.
“I’ve had five individuals contact me today. They are scared for their and their family’s safety. It can get worse,” she wrote.
Intelligence experts say the incident may be part of a larger dark web sale. According to cybersecurity sources, a threat actor recently offered an 18-million-record trove from US crypto platforms.
Among them, over 432,000 Coinbase user records for $10,000, featuring names, emails, phone numbers, addresses, and more.
Coinbase has yet to address the user outrage, but it is offering a $20 million reward fund for information leading to the arrest and conviction of bad actors. The exchange said it contacted all affected victims.
“If your data was accessed, you have already received an email from [email protected]; all notifications went out at 7:20 a.m. ET to affected customers,” Coinbase Support said on X
The post Coinbase Faces Backlash After Insider Leak Incident appeared first on BeInCrypto.