Coinbase Reveals 69,461 Users Affected in December 2024 Data Heist

Coinbase, Inc. disclosed that personal data from 69,461 individuals was compromised in a December 2024 breach, according to a filing with the Maine Attorney General’s Office. Details of the incident surfaced after the crypto exchange revealed last week that attackers demanded a $20 million bounty, threatening to release the stolen data on the dark web. Bad actors used cash incentives to bribe foreign-based customer support agents and extract system information.

Coinbase previously noted that the breach impacted less than 1% of its monthly transacting users and included know-your-customer (KYC) details such as names, addresses, and emails. The company stated in a filing with the U.S. Securities and Exchange Commission that passwords, private keys, and user funds were not affected.

Following the reports, the SEC reportedly opened an official inquiry on whether Coinbase inflated its user metrics ahead of its 2021 initial public offering. Separately, the Department of Justice is investigating the breach, at Coinbase’s request, according to CEO Brian Armstrong. Despite the regulatory pressure, analysts downplayed the incident, and Coinbase CLO Paul Grewal described the SEC’s probe as a “holdover investigation” from the prior administration.

Meanwhile, Coinbase was criticized for its delayed response to the data breach. Michael Arrington, American founder and investor, said that the pilfered data could lead to mortal harm. “It probably has already,” Arrington wrote on X. “The human cost, denominated in misery, is much larger than the $400m or so they think it will actually cost the company to reimburse people.”

Coinbase estimates the matter could cost around $180 million and $400 million in remediation and customer reimbursement expenses. Arrington also condemned KYC laws as ineffective and dangerous, calling on both regulators and corporations to better protect user data. “Combining these KYC laws with corporate profit maximization and lax laws on penalties for hacks like these means these issues will continue to happen. Both governments and corporations need to step up to stop this. As I said, the cost can only be measured in human suffering.”