Coinbase Confirms Insider Breach Impacting 30 Customers in December Incident Coinbase has disclosed an insider breach involving a contractor who improperly accessed the personal data of approximately 30 customers in December. The company confirmed the incident after threat actors known as Shiny Lapsus Hunters (SLH) briefly posted screenshots of an internal support interface on Telegram, revealing customer details such as names, email addresses, phone numbers, KYC information, wallet balances, and transaction histories. The contractor, who no longer works with Coinbase, was detected by the company’s security team last year. Affected users were notified and provided with identity theft protection services, while regulators were informed as part of standard protocol. This breach is unrelated to a separate January 2025 incident involving TaskUs, an outsourcing firm that provides support services to Coinbase. The screenshots shared by SLH suggest the group may have obtained the data through an insider or by circulating stolen information among threat actors. SLH has previously claimed to have bribed insiders at other firms, including CrowdStrike, to gain access to internal systems. Rising Threats to Business Process Outsourcing (BPO) Firms The incident highlights a growing trend of threat actors targeting BPO companies third-party firms handling customer support, IT services, and account management for organizations. Since BPO employees often have access to sensitive systems and data, they have become prime targets for attacks. Common tactics include: - Bribing insiders to steal or share customer information, as seen in the Coinbase and TaskUs breaches. - Social engineering support staff to gain unauthorized access, such as the Clorox breach, where attackers impersonated an employee to compromise a Cognizant help desk agent, leading to a $380 million lawsuit. - Compromising BPO employee accounts to access customer data, as in Discord’s October breach, where a support agent’s account at an outsourced provider was used to extract data from 5.5 million users. Recent attacks on retailers like Marks & Spencer and Co-op have also involved social engineering against support personnel, prompting the U.K. government to issue guidance on mitigating such threats. The shift toward targeting BPOs reflects a broader strategy by threat actors to exploit third-party access rather than directly breaching corporate networks.

The breach involved a coordinated criminal bribery scheme within TaskUs’s India operations, where employees were allegedly bribed to photograph and leak sensitive Coinbase customer account data to external criminals. The conspiracy expanded beyond front-line staff, leading to the dismissal of around 300 employees in January 2025. TaskUs reportedly concealed the breach’s scope, silenced whistleblowers, and fired HR personnel investigating the incident. Despite internal awareness, the company denied any material breach in regulatory filings (including a February 2025 Form 10-K) and proceeded with a $1.6 billion buyout by Blackstone before Coinbase publicly disclosed the incident in May. The breach originated in late 2024, affecting less than 1% of Coinbase’s monthly transacting users, with estimated losses reaching $400 million. Coinbase reimbursed victims, severed ties with TaskUs, and offered a $20 million reward for information leading to arrests, refusing to pay ransom demands.