What to know:
- Coinbase said it will reimburse impacted users with up to $400 million following last week's data breach.
- Security experts say the breach could have been prevented by imposing stricter background checks on staff and by deploying warning systems that flag abnormal access to customer data.
- The breach draws comparisons to the Ledger incident in 2021, which led to a surge in real-world robberies.
Last week's highly organized breach of cryptocurrency exchange Coinbase (COIN) left behind more questions than answers.
While some hailed Coinbase's response as a "really great example" of crisis handling, the breach has created a potentially massive privacy problem that mirrors the Ledger data breach of 2021, which led to a spate of real-world robberies once criminals got hold of the names and addresses of crypto holders. Coinbase has already said that reimbursing affected customers could cost it up to $400 million.
Cybercriminals obtained Coinbase user data by bribing and persuading Coinbase support employees to hand it over. According to numerous experts who spoke to CoinDesk, this was entirely preventable.
“A failsafe system would make stealing data technically impossible, but Coinbase clearly didn't prioritize these measures, leaving the door wide open,” Andy Zhou, co-founder of blockchain security firm BlockSec, told CoinDesk.
Allowing criminals to reach personal data, whether through a hack or, as in this case, through social engineering of insiders, is a major blight on an exchange that facilitates billions of dollars of volume every day. The breach raised a range of issues, from user privacy to trust in the platform. How could Coinbase, a publicly traded company, allow attackers to walk personal information and money out through the front door? And could it have been prevented?
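The "warning systems" the experts above call for boil down to one thing: support staff who can look up customer records should not be able to do so silently or in bulk. As an added illustration, not code from the article, from Coinbase or from any of the firms quoted, the following script runs three detection rules over a support-desk audit log: a record opened without a support-ticket reference, one agent opening more than a threshold of distinct customer records inside a sliding window, and any bulk export action. The log format, field names, thresholds, rule names and the sample log lines are all assumptions constructed for this example.

```python
"""Flag suspicious access to customer records by support staff.

Three rules (all chosen for this example, not from any real deployment):
  no_ticket: a customer record was opened with no support-ticket reference.
  volume:    one agent opened more than MAX_DISTINCT distinct customer
             records within a WINDOW-long sliding window.
  bulk:      any export or bulk-search action on customer data.
The log is assumed to be in time order, one event per line.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Set, Tuple

WINDOW = timedelta(minutes=10)          # sliding window for the volume rule
MAX_DISTINCT = 5                        # distinct customers allowed per window
BULK_ACTIONS = {"export_csv", "bulk_search"}

# Constructed sample audit lines (format is an assumption):
#   timestamp agent action customer ticket   ("-" means not applicable)
SAMPLE_LOG = """\
2025-05-01T09:02:11Z agent_17 view_profile cust_00412 TCK-1001
2025-05-01T09:04:48Z agent_17 view_profile cust_00913 TCK-1002
2025-05-01T09:05:02Z agent_42 view_profile cust_00001 -
2025-05-01T09:05:09Z agent_42 view_profile cust_00002 -
2025-05-01T09:05:15Z agent_42 view_profile cust_00003 -
2025-05-01T09:05:22Z agent_42 view_profile cust_00004 -
2025-05-01T09:05:30Z agent_42 view_profile cust_00005 -
2025-05-01T09:05:37Z agent_42 view_profile cust_00006 -
2025-05-01T09:31:00Z agent_42 export_csv - -
"""

Event = Tuple[datetime, str, str, str, str]


def parse_line(line: str) -> Event:
    """Split one audit line into (timestamp, agent, action, customer, ticket)."""
    ts, agent, action, customer, ticket = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), agent, action, customer, ticket


def detect(log_text: str) -> List[Dict[str, str]]:
    """Return one alert dict per rule violation found in the log."""
    alerts: List[Dict[str, str]] = []
    # Per-agent queue of (time, customer) events inside the current window.
    recent: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    # Agents currently over the volume threshold; alert once per burst.
    tripped: Set[str] = set()

    for raw in log_text.strip().splitlines():
        ts, agent, action, customer, ticket = parse_line(raw)
        when = ts.isoformat()

        if action in BULK_ACTIONS:
            # Bulk export of customer data is never a normal support task.
            alerts.append({"rule": "bulk", "agent": agent, "action": action, "at": when})
            continue

        if ticket == "-":
            # Every record lookup should be tied to an open ticket.
            alerts.append({"rule": "no_ticket", "agent": agent,
                           "customer": customer, "at": when})

        window = recent[agent]
        window.append((ts, customer))
        while window and ts - window[0][0] > WINDOW:
            window.popleft()            # drop events that fell out of the window
        distinct = {c for _, c in window}

        if len(distinct) > MAX_DISTINCT:
            if agent not in tripped:
                tripped.add(agent)
                alerts.append({"rule": "volume", "agent": agent,
                               "distinct": str(len(distinct)), "at": when})
        else:
            tripped.discard(agent)      # burst is over; re-arm the rule
    return alerts


def rule_counts(alerts: List[Dict[str, str]]) -> Dict[str, int]:
    """Number of alerts per rule, for a quick summary."""
    counts: Dict[str, int] = defaultdict(int)
    for a in alerts:
        counts[a["rule"]] += 1
    return dict(counts)


def agents_to_review(alerts: List[Dict[str, str]]) -> List[str]:
    """Sorted list of agents with at least one alert."""
    return sorted({a["agent"] for a in alerts})


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(a)
    print(rule_counts(found), agents_to_review(found))
```

On the constructed sample, agent_17 produces nothing (two lookups, each tied to a ticket), while agent_42 trips all three rules. In practice the volume threshold would be tuned per role, and the alerts would feed a review queue rather than simply being printed; the point is that a bribed agent's behaviour looks nothing like routine ticket handling, so it is detectable if the lookups are logged and watched.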
Hackett Communications CEO Heather Dale hailed Coinbase’s response as a “masterclass in communication,” but Coinbase’s method of tackling the issues was simple: throw as much money at it as possible.
The exchange offered a $20 million reward for information leading to the arrest and conviction of the attackers. It also committed to voluntarily reimbursing impacted users, at an estimated cost of between $180 million and $400 million.
What happened?
Before analyzing the fallout of the breach, it’s important to understand how exactly the breach occurred at a publicly traded company that spends millions of dollars per month on security infrastructure.
In February, on-chain sleuth ZachXBT reported a rise in thefts involving Coinbase users. He said that it was “a result of aggressive risk models and Coinbase’s failure to stop its users losing $300 [million] per year to social engineering scams.”