Coinbase breach fallout: What to do if your data was exposed
Here’s some steps you can take to protect yourself, your crypto, and your loved ones
Art by Crystal Le | Coinbase modified by Blockworks
This is a segment from The Drop newsletter. To read full editions, subscribe.
Coinbase said on Thursday that “less than 1%” of its monthly users’ personal identifiable information has been exposed in a breach, including names, addresses, phone numbers, the last four digits of Social Security numbers, government ID data and other information.
According to the exchange, “overseas” Coinbase support agents gave private customer data — including government IDs and customer addresses, among other info — to scammers. The scammers are believed to be using that data to target Coinbase customers via social engineering scams.
Coinbase has declined to pay the $20 million bitcoin ransom the attackers reportedly demanded. CEO Brian Armstrong says they’re taking steps to prevent something like this from happening again, and they are paying back those who were impacted by the incident.
Coinbase estimates this data breach may cost it anywhere from $180 million to $400 million.
“People are terrified,” wrote crypto and IP attorney Ariel Givner in a post, reporting that she has received multiple concerned messages from clients who were notified that their information was exposed in the Coinbase breach.
So what can people do to protect themselves from data breaches, which have become increasingly common?
If you were notified by Coinbase that your data was impacted and you want to be cautious, there are a number of things you can do. Identity theft, fraud in your name, and targeted financial scams toward you or your immediate family are the most likely areas of concern.
There are personal information removal services out there, like DeleteMe, that can remove information about you from the internet. You can also request this through Google. But if the data is already in an attacker’s hands, you may want to consider blurring out your home from Google Maps’ street view and freezing your credit to stop anyone from opening lines of credit in your name. And as Microsoft suggests, you may want to place a fraud alert with the major credit bureaus.
For further awareness, you may want to warn immediate family members and close friends that attackers may attempt to socially engineer them in a scam tied to you. You can also talk to loved ones about having a secret word or phrase that’s unrelated to your personal info that you use to verify your identity with them.
The Texas Attorney General’s office advises Americans to not use debit cards for online purchases, and to only use one credit card for online purchases to streamline and better protect your online identity.
California’s Attorney General agrees that using antivirus software, being wary of unrequested phone calls, and being careful to not click on potential “phishing” emails are additional ways to protect yourself. Opting out of pre-approved credit card offers is another way to prevent credit card fraud in your name, and it’s good practice to review monthly statements and free annual credit reports.
When it comes to crypto, of course, never share your seed phrase or recovery phrase — or even your wallet password — with anyone, including those who claim to be customer support. Only storing recovery phrases on pen and paper in a safe location is your best bet.
You can also consider using an encrypted password manager app, ensure two-factor authentication via an authenticator app is enabled on as many accounts as possible, and make sure you’re using strong, unique passwords for every account you have.
Coinbase is telling users to “expect imposters” and to turn on withdrawal allow-listing, lock their Coinbase accounts if something feels off, and review tips on avoiding social engineering scams.
Data breaches, more broadly, are unfortunately common. Last year, AT&T, UnitedHealth’s Change Healthcare, Ticketmaster, Dell, Disney, Roku, Trello, and other companies, government entities and data brokers faced data breaches. Sometimes, such breaches result in class-action lawsuits or government-issued fines, with the average data breach costing a company $4.88 million last year.
NordLayer reported that 68% of data breaches last year involved human errors, citing Verizon’s latest Data Breach Investigations report.
A lot of data breaches are preventable, and it starts with access and data storage practices.
Get the news in your inbox. Explore Blockworks newsletters:
- The Breakdown: Decoding crypto and the markets. Daily.
- Empire: Crypto news and analysis to start your day.
- Forward Guidance: The intersection of crypto, macro and policy.
- 0xResearch: Alpha directly in your inbox.
- Lightspeed: All things Solana.
- The Drop: Apps, games, memes and more.
- Supply Shock: Bitcoin, bitcoin, bitcoin.
