Security

The Coinbase Breach: What happened, what’s at risk, and how to stay safe

Coinbase suffered a data breach this month, which they estimate might end up costing them $400 million. Here's what we know so far.

Syed C, Range


On May 15, 2025, Coinbase disclosed a data breach impacting over 69,000 users. While no funds or private keys were compromised, attackers gained access to sensitive personal information, including names, addresses, government IDs, and partial Social Security numbers.

The breach didn’t happen through a technical exploit. It happened through people.

What we know so far

According to Coinbase, the breach stemmed from a social engineering campaign targeting outsourced customer support agents. Using bribes or deception, attackers gained access to the centralized exchange’s internal support systems and extracted user data over a sustained period.

This culminated in a $20 million ransom demand issued on May 11, threatening to release the stolen data if Coinbase refused to pay. Coinbase did not comply with the demand and is now cooperating with law enforcement.

Coinbase also went one step further - they set up a $20 million reward fund for information leading to the arrest and conviction of the attackers! Get more info on how to claim the bounty here.

Crucially, no account credentials, crypto funds, or private keys were stolen. But the nature of the compromised data still poses serious downstream risks.

What’s at risk?

Among the data extracted by the attackers were:

  • Name, address, phone, and email - details that will allow them to target you for future attacks

  • Masked Social Security number and masked bank account numbers - details that will make future social engineering attacks more believable

  • Account balance and transaction history - which will allow the attackers to home in on high-value individuals to target

  • And images of your KYC documents - driver’s license, identity cards, passports - which combined with the other personal data revealed in this breach, could lead to widespread identity theft.

This breach highlights a growing threat: indirect compromises via third-party access and internal tooling. Even highly secure platforms like Coinbase can become vulnerable when attackers focus on human infrastructure rather than software vulnerabilities.

And once personal information is exposed, the next phase is often targeted social engineering.

Phishing campaigns, impersonation attempts, SIM swap attacks, and account takeovers become much easier when attackers have verified identity data, especially data associated with a crypto platform.

For users, this breach isn’t just a one-time leak. It’s an attack surface multiplier that could ripple across wallets, exchanges, and DeFi accounts in the coming months.

Coinbase’s response

Coinbase has responded with a combination of internal and structural measures:

  • Terminated the compromised support agents

  • Strengthened internal controls and monitoring

  • Promised to reimburse affected users if financial losses occur

  • Announced the creation of a new U.S.-based support hub to reduce risk from outsourced roles

These are positive steps – but they only go so far if users don’t also take proactive measures.

In a filing with the US Securities and Exchange Commission, Coinbase estimated this hack will cost it between $180m and $400m. It said this figure came from "remediation costs and voluntary customer reimbursements"; however, the figure could change as a result of "potential losses, indemnification claims, and potential recoveries".

So what could you do to protect your funds on Coinbase?

What you can do now

If you’re a Coinbase user – or simply want to harden your security posture – consider these actions:

1. Enable 2FA with a hardware key

Avoid SMS-based 2FA. Use an authenticator app or, better yet, a hardware security key like YubiKey. Do this on all your platforms, not just Coinbase.

2. Treat all inbound messages with suspicion

Emails, phone calls, or texts claiming to be from Coinbase or other institutions should always be verified independently. Never click links or give information without confirming the source.

3. Monitor account activity and connected apps

Check connected wallets, apps, and logins regularly. If something looks off, or if you spot an app you are not actively using, revoke access. You can always re-enable access in the future.

4. Use cold storage (hardware wallets) for high-value assets

Keep long-term holdings in offline self-custody wallets (e.g., Ledger), not on centralized exchanges – no matter how reputable they are.

5. Enable “Allow Listing” on CEXs

Many centralized exchanges, including Coinbase, have an allow-listing or wallet whitelisting functionality that limits the addresses (crypto wallet or bank account) to which you can withdraw funds. Generally, this adds another layer of security to prevent bad actors from easily withdrawing your funds. Here are instructions on how to set this up on Coinbase.

Stay Sharp

The Coinbase breach is a reminder that security isn’t just about firewalls or private keys – it’s about people, process, and visibility.

At Range, we believe that full-stack intelligence is the key to building resilience in crypto. While we can’t stop attackers from trying, we can build the tooling and habits needed to detect, understand, and respond faster.

As threats shift from code to humans and back again, the answer isn’t panic – it’s better observability, tighter access controls, and ecosystem-wide education.

Explore our products in the menu above to learn how we can help you secure your crypto assets or protocol. And if you are a team on Solana, using a Squads multisig to protect your program, treasury or token, check out our Advanced Multisig Security Solution that provides full spectrum security, including for physical devices. 

Stay sharp. Stay secure.

About Range

Range is the leading blockchain security and intelligence platform for the Solana and Cosmos ecosystems. We work with teams like the Solana Foundation, Circle, dYdX, and Osmosis to deliver secure, cross-chain infrastructure. Our products include the industry’s first Cross-Chain Explorer – tracking activity across 50+ chains and major bridges – as well as real-time monitoring, alerting, and forensic tools used by developers, security teams, and protocols alike.

From the USDC Explorer powering Circle’s CCTP to the Solana Transaction Security Standard adopted by Squads Protocol, Range’s tools secure over $20B in onchain assets. We also provide IBC Rate Limit contracts on Cosmos and Range Trail, our cross-chain forensics engine, to support investigations and incident response across networks.

The blockchain security and intelligence platform

Helping the best teams build and use DeFi protocols, blockchains, rollups, and cross-chain bridges with peace of mind.
