I have been receiving regular spear phishing calls from these guys, or someone who bought the leaked data, with classic tactics like claiming that I need to confirm a potentially fraudulent transaction. They speak perfect English with an American accent, sound very friendly, and have knowledge of your account balance. Thankfully on the first call I realized it was a scam right away, and Google's call screening feature takes good care of the rest. Wish I could forward them to Kitboga[1].
I guess they didn't have as much luck as they wanted scamming Coinbase's customers, and once they had their fun they decided to try extorting Coinbase themselves.
If you had any significant assets on Coinbase at any time prior to this breach, spear phishing is the least of your worries.
Coinbase not only leaked your full name and address, they also gave up your balances, your transaction history, and images of your government identification.
People with "significant" crypto balances are being assaulted on the street and in their own homes, and family members are being kidnapped for ransom.
"Significant" in this case can be $10k or less.
Until now, your best defense secrecy. Never talk about crypto in public in any way that could be traced to your real-world identity.
Thanks to Coinbase that defense is now gone.
The bad guys can see who has ever had a significant balance on Coinbase (even if they don't right now), whether that balance was sold for cash and how much, or if you've ever transferred tokens off the exchange to a self-custody wallet.
Now the bad guys know who's worth kidnapping for ransom and where you live. For most people, a Google search of your name and home address turns up the names of family members who would would also be lucrative targets for kidnapping and threats of violence.
Coinbase will never be forced to reimburse all the damage they've done because the true cost would bankrupt the company.
But hey, at least by being forced to give crypto exchanges all our personal details we're all super protected from the four horsemen: money laundering, drugs, terrorism and pornography.
> People with "significant" crypto balances are being assaulted on the street and in their own homes, and family members are being kidnapped for ransom. "Significant" in this case can be $10k or less.
I wonder why, select a person completely at random and by median you'll get just as much from what they have sitting in their checking account. Select a nicer area for an order of magnitude more. That's not encouragement to go assault people in their homes or kidnap families... just confusion.
Companies should seriously consider implementing GDPR even in the US, it certainly made taking data dumps of customer data a lot harder and certainly private images like Government IDs were encrypted on disk. I’m surprised at the lack of security if I’m honest, at Yahoo! almost nobody had access to prod user data.
Essentially you cannot trust Coinbase IMO, might move the few hundred dollars of BTC out of there :-)
Why do you see this as the fault of Coinbase? Do other companies somehow have employees that are immune to bribes and blackmail?
This is due to US Government KYC laws that forced Coinbase to associate government identification with all accounts. No crypto company required ID until they were forced to.
It’s my biggest gripe. They can pretty accurately flag a number as Spam or Telemarketing but in the “Silence Unknown Callers” setting I can only silence every single unknown caller. I can’t silence every single number that’s not in my contacts. When the plumber calls to confirm he’s in route, my phone needs to ring. Stuff like that.
Yeup, I finally broke down went from Android -> IPhone 16 Pro. I like a lot about Apple's personal security policies for their consumers vs Google, but damn, I miss google's automatic call spam detection and management. All day long my Apple phone rings, and I just have to ignore the calls.
Verizon (and I assume many other US carriers) offer junk call identification which your iPhone can block if you have ”Silence Junk Callers” toggled in Settings > Phone > Call Blocking & Identification.
Unfortunately blocking all unknown calls is the only way to sanity. Otherwise we're talking 6-9 calls coming in ALL DAY, EVERY DAY.
The calls are coming from new numbers, across multiple area codes. A few months ago I would have advised using Begone (https://apps.apple.com/us/app/begone-spam-call-blocker/id159...) to block but that only worked since these calls were isolated to blocks of area codes that were pretty safe to block like 888-XXX-XXXX, but now ZERO of these calls are using a fixed area code that would be relative safe to block.
iPhone user here. I put on airplane mode unless I'm making or expecting a call. Otherwise, I make it clear that email is my primary form of communication.
Oh yeah I get the Microsoft account emails, and Instagram ones, randomly (I have an account but never use it). I'm pretty sure SMS 2FA is turned off on my Coinbase account, which is highly recommended.
> I have been receiving regular spear phishing calls from these guys, or someone who bought the leaked data, with classic tactics like claiming that I need to confirm a potentially fraudulent transaction.
And how long has this been at an increased level? Because i'm not buying the coinbase narrative that they thought this was a systemic issue until they were contacted by the 'cybercriminals'.
It started around the beginning of April, at the same time as I got an initial email from them about my account information being accessed. Which I'm thinking is probably the same breach as they're talking about here.
Scams have gotten better since AI. Most of the common spelling mistakes are gone.
I was looking through some phishing e-mails the other day out of curiosity and found a weird unicode character mistranslated. Immediately knew it was an artifact of bad translation. So they're not perfect, but they're damn good.
Where was the number from? I received an impressive number of phonecalls attempt but thankfully I never answer to unknown numbers. With google call screen they hung up everytime so I assume its a scam.
The problem is that it seems like the data that leaked is also the data that would be used to do account recovery.
And what that means is that
1) If you lose access to your account (through either your own fault, or coinbases fault) that the process of recovering it may not be so straightforward anymore.
2) Hackers can try to “recover” accounts now using this leaked info.
This is a huge problem. What coinbase needs are IRL offices where you can go and do things like account recovery, and where people trying to steal money can be caught and prosecuted (and makes a huge barrier for the overseas thieves who are usually doing this)
The only solution here is: hardware 2 factor like yubikeys.
One that I'm using does, but I find it extremely annoying when they have me go to a branch to unblock my account that they locked due to a poorly calibrated risk system (that they need due to not supporting actually secure 2FA methods).
Coinbase is identical to a bank because it holds customer funds. Your comment isn't quite the dunk you think it is. Blockchains allow money to be held anonymously without any banks involved. Centralized exchanges are just profiting on speculation and probably should be banned.
> What coinbase needs are IRL offices where you can go and do things like account recovery, and where people trying to steal money can be caught and prosecuted (and makes a huge barrier for the overseas thieves who are usually doing this)
Watching crypto enthusiasts run into every problem that society already tackled with in the past when developing currency and its controls, and then coming up with solutions that look exactly the same as what dirty fiat currency uses, has been a source of much entertainment the past few years
If you ever sent money to or from a wallet you control, I'd think a reliable recovery factor would be to use that key to sign a message that Coinbase can verify with the address in their records. Cryptocurrency after all is just another PKI.
And dumb-dumb me just realized how trivial that would be to break. Social engineer someone into sending/receiving money to/from your wallet then pretend to be them requesting an account recovery.
Coinbase would have to make you sign a challenge ahead of time that would mark the wallet as the authorized public key for your account.
> What coinbase needs are IRL offices where you can go and do things like account recovery, and where people trying to steal money can be caught and prosecuted
People getting locked out of their account (which can happen due to no fault of the user, e.g. by an overly nervous risk system) will be really happy to have to potentially travel to a different city to regain account access...
Fine, make it optional. I actually would love a version of cold storage that is: never release this money unless I personally travel to an office if NYC and authorize it.
> What coinbase needs are IRL offices where you can go and do things like account recovery, and where people trying to steal money can be caught and prosecuted
I tried to reach out to coinbase customer support to see if I was impacted. Once I wasted my time with the AI bot and got a human they were unaware of the breach. I was the first person to inform them about it.
Not sure what to say about that, I had an account with them, but I couldn't verify it, had email, phone and could be some sort of ID scanned - don't remember. Haven't used the account ever since and had nothing there, since January I have been getting regularly calls about my account being "compromised". This leak probably happened way earlier, because there was no way someone knew I had an account there and knew exactly the email I had with them.
I don't believe they did, and I also believe they have known about this issue for a long time, and they should have been required to disclose their mandatory 8k a lot earlier.
And the reason Coinbase has to keep all that sensitive stuff, much more than what would be required to identify and authenticate you, which you hope will never be stolen, is because of know your customer laws, so you can thank your government that pictures of your passport got stolen and for whatever criminals and rogue Coinbase employees do with that info.
There are very good reasons for KYC, the problem here is not the government regulation, it's once again private companies being sloppy with their customer's data because sloppy is cheap and it's not their info on the line, it's yours, so there's little motivation for them to safeguard it _unless_ they're compelled to do it by law.
The people who designed a government regulation to deputize private companies couldn't possibly have known how sloppy private companies are with other people's data?
They could have designed KYC to minimize long-term storage requirements etc at some cost to what they could enforce, but a government like the US is inherently sloppy with the rights that are reserved for parties besides itself.
> And the reason Coinbase has to keep all that sensitive stuff, much more than what would be required to identify and authenticate you, which you hope will never be stolen, is because of know your customer laws
Real cop out here, be honest. Why should every single agent have access to your identity documentation (which is only required for KYC) in perpetuity?
Coinbase seems to be going to great lengths to try and distance themselves from the so-called "rogue overseas support agents".
If they were Coinbase employees or contractors, that means the company basically sold its own data to hackers, who then turned around and demanded a ransom.
Reimbursing duped customers makes sense, as it seems like they would have a pretty straightforward case to make in court that Coinbase's actions led to their loss.
I'm more curious if someone who feels the need to move, change banks, change their email, hire a security detail etc. could successfully sue the company to recover some or all of those costs.
>If they were Coinbase employees or contractors, that means the company basically sold its own data to hackers, who then turned around and demanded a ransom.
This seems like a strange interpretation. If an employee at your company, against policy and likely illegally extracts proprietary data and gives it to hackers in exchange for money you can hardly say that "My company sold it's data".
I agree it wasn't authorized, but I should absolutely still be able to hold the company responsible for the damage. My business relationship is with you, not your employees or vendors.
They in turn could go after the perpetrator. If they're using contractors who are cheap, unvetted, untrustworthy or don't carry liability insurance that's their problem and shouldn't excuse them of accountability.
In a way you can. A company is its employees. If you want employees with integrity you might need to pay better than bottom dollar employees from the cheapest countries possible.
I once applied for a bank position, and they wanted to run a credit check. If you're in a position of handling money, the company has a responsibility to vet its employees. Do I agree with credit checks? Absolutely not, but the point is, Coinbase is partially responsible and that's why they're refunding duped customers.
How far that responsibility goes is up for debate.
> This seems like a strange interpretation. If an employee at your company, against policy and likely illegally extracts proprietary data and gives it to hackers in exchange for money you can hardly say that "My company sold it's data".
When an employee ships a new feature, do you say "My company shipped a new feature?"
> We will reimburse customers who were tricked into sending funds to the attacker due to social engineering attacks. If your data was accessed, you have already received an email from no-reply@info.coinbase.com; all notifications went out at 7:20 a.m. ET on 5/15 to affected customers.
The no-reply is an interesting decision. I get how difficult it is to run a company like Coinbase (their biggest strength, centralized + customer support, is also what enables this social engineering), but feels like an odd choice.
no-reply is a good practice. No business should ever encourage their customers to reply to the emails they are sending out. That's what scammers do.
To contact the company you should go to company website at the address you know (which shouldn't be given in email as well), log in and send a message through internal message system, possibly referring to the email that you recieved through a random code (those can be auto-suggested if they recently tried to contact you by email).
If you do anything else your communication knwowingly mimics communication of a scammer.
Unrequested email should always only be one way communication. Email is too untrustworthy for it to be anything more.
Their "customer support" includes not expecting users to set up PGP to communicate with them. Email is not a secure method of communication by default.
It's fine to send a notification instructing them to visit the secure portal for more info, though. Hence, no-reply.
> No passwords, private keys, or funds were exposed and Coinbase Prime accounts are untouched.
I'm curious why no Coinbase Prime accounts were part of the leak (assuming that's what they mean). Is there some sort of additional layer of data protection behind the Coinbase Prime paywall? Or perhaps those accounts were intentionally avoided as they would presumably belong to more savvy users.
Coinbase Prime is its own exchange with its own support (actual humans in the USA that are available to chat to). It's for "institutional investors" so unavailable to most customers without the proper credentials/paperwork. They don't share the same outsourced "support" as the regular exchange, which appears to be the attack vector here.
> The threat actor appears to have obtained this information by paying multiple contractors or employees working in support roles outside the United States to collect information from internal Coinbase systems to which they had access in order to perform their job responsibilities
Based on the information present in the breach, I think it's likely that the source was their customer support in the Philippines. Monthly salary is usually < 1000$/month (entry-level probably even less than 500$) and a 5000$ bribe could be more than a year worth of money, tax-free. Considering the money you can make with that dataset now, this is just a small investment.
>
•Name, address, phone, and email;
•Masked Social Security (last 4 digits only);
•Masked bank-account numbers and some bank account identifiers;
•Government‑ID images (e.g., driver’s license, passport);
•Account data (balance snapshots and transaction history); and
•Limited corporate data (including documents, training material, and communications available to support agents).
This is every threat actor's dream. Even if you only had email addresses and account balances, this is a nightmare. Instead of blackmailing the company, you can now blackmail each individual user. "Send me 50% of your BTC and I won't publish all of your information on the internet".
My guess is that we will have a similar situation like we had with the Vastaamo data breach...
Blackmail would be the least of my worries, in France we had at least five kidnappings/attempted kidnappings related to crypto investors since the beginning of the year.
This may seem callous, but isn't a large point of crypto that you are 'free' from the shackles imposed by the State?
And I guess that includes protection from criminals by the oppressive forces of the State (aka the police). In which case being kidnapped and having your fingers sent to your family is an integral part of your 'freedom'.
It way worse. The US companies, pay $3-$6 per hour to outsource their support to the Philippines. The companies which provide the service have very high turnover rate. For some companies the employees stay on average about 6 months. There is absolutely no reason to be loyal.
We are getting zero government regulations on AI, no punishment data breaches, and no human protections against wide scale abuse. The opposite is happening.
I suspect to see America in chaos from these disruptions in the very near future.
Beyond the Philippines low wage, the point is that there is a price for "everybody" if it were in the US it will be a much higher price, and most probably paying for higher attack benefits.
Whatever you think of Coinbase, this is a pretty good response IMO:
> and will not pay the $20 million ransom demand we received. Instead we are establishing a $20 million reward fund for information leading to the arrest and conviction of the criminals responsible
No it isn’t! The headline they used is “Protecting Our Customers - Standing Up to Extortionists.” My issue with it is that they word their announcement in a way that leads people to congratulate them instead of saying we’re sorry for leaking your private information. I’m so angry at them over this.
Additionally the email they sent me had the subject “important notice” and that my personal account was affected as the third sentence in a rather wordy paragraph. None of this is ok and this is not a company taking this seriously.
I love it. This also would have been a great opportunity to break out of corporate speak for a moment for a good “Up yours hacker assholes!” Even us folks in the Bible Belt appreciate a well timed swear word here and there.
I’d say the better thing for customers would be to pay the ransom demand and get the PII back. If they want to fund a reward scheme too, well great, but if it were my data, I’d care more about Coinbase limiting the breach of the data, not playing around with retaliatory rewards.
There is no guarantee that an anonymous criminal is going to hold up their end of the agreement. Coinbase has no idea who they're negotiating with or where that data has been shared.
That, and they're reimbursing customers who were tricked.
It's really unfortunate that KYC regulations required Coinbase to have this information in the first place. We should be establishing strong social norms against sharing PII without a legitimate reason; this is not just an individual theft risk but a national security risk. Coinbase doesn't pay into your Social Security account, so they shouldn't have your Social Security number. They don't visit your house, so they shouldn't have your address. Etc.
Historically, although KYC regulations were widespread in Communist countries, they were unthinkable in most democratic countries until 9/11, which provided spy agencies with their golden chance to write their wishlist into law. But unfortunately that helps foreign spy agencies just as much as, maybe more than, it helps domestic ones.
You seem to believe that AML/KYC regulation exists to benefit customers or to prevent or recover from account compromises. It does not, and I have no idea why you would think it does. Something like a Yubikey or iris-scanning stations could help to prevent Coinbase account compromises, but AML/KYC regulations do not require or even encourage them, though perhaps someday they will.
> Instead we are establishing a $20 million reward fund for information leading to the arrest and conviction of the criminals responsible for this attack.
I’m not usually a huge fan of crypto folks, but I applaud this.
I hope they are serious about paying the reward, and aren’t planning to rug-pull it.
It might not be a bad idea for the various crypto exchanges to pool their resources into a non-denominational security organization. It could offer hardening services, and some kind of accreditation.
It would also make many Ponzi schemes easier to spot, as they wouldn’t want to contribute.
But do they consider it a CS risk or a business-wide risk? Is there any role at CoinBase that isn’t susceptible to insider risk? I would argue they would treat it as a security department / business risk issue and not a CS-only issue.
Onshoring CS and paying some more for that role may result in a net change of 0 risk (eg. The same possibility of a breach over the same time interval).
Would a lower class (for that region) Alabama man have less the susceptibility to insider risk as a middle class (for that region) Philippino man?
Most likely, the company will focus on better segmentation and better adherence to least permissions for all roles.
Also, your logic is clouded by the fact that you know it happened. In all aspects of security/cybersecurity, risk is incredibly difficult to calculate because you have to accurately know how much a counterfactual would cost in order to accurately choose one option over the other.
The global trend is racing to the bottom, so even if they could, every business consultant or MBA would push them to rather put more AI agents instead. Because that's all what matters (to them). Did anybody learn anything out of this? Of course not.
A few days ago I missed a delivery from UPS (in the UK). The next day I got a text from an unrecognised cell phone that just said “Hello” and didn’t respond further. The day after that I got a scam call (another UK cell number) from someone trying to hack into my Amazon account. They wanted me to supply the OTP code that Amazon texts you for 2FA. Anyway I eventually tracked down my package (it was at a convenience store awaiting pick up), and lo and behold they had printed my phone number along with name/address on the package. I suspect someone harvested that and passed it to the scammers (not necessarily a UPS employee, could be the drop off locations they contract with). I suppose I’ll report it to the police in the slim hope that it will help them catch the scammers.
Not sure how you relate your UPS delivery with the scam call? Just because it happened the following day you expected a delivery? I could be just a coincidence.
I'm sure scammer's got get your phone number from many other sources and data breaches.
It could have been a coincidence, but I don’t receive deliveries often, and I don’t get scam calls often, so the timing and circumstances make it highly suspicious.
Why did those employees have access to such sensitive data? We could argue about the legal requirement to submit this data in general, but I really don't understand why (most of) this data isn't stored in an encrypted way and only accessible by a few people in the company.
There should be an ISO standard with respect to how much power and information that front line customer support agents have. The more information you need, like changing passwords or accessing personal information, should get forwarded to higher level customer support agents with better training and more monitoring. This way you can design customer support experience with as little exposure to security issues as possible.
They main defense against internal attacks is bookkeeping. Banks have been dealing with this for thousands of years. I recommend the corresponding chapter in Security Engineering by Ross Anderson: https://www.cl.cam.ac.uk/archive/rja14/Papers/SEv3-ch12.pdf
The CS reps are based in a LCOL country so the opportunity for theft is simply incredibly lucrative.
What is really needed, is customer-in-the-loop for access to their data. The problem is, not all accesses would make sense. Doing analytics over the data of the top 1% of customers, for example, requires some level of access, but would freak out those customers if they had to approve it.
So this is probably why the phishing calls have increased from ~1 per month to ~3 per week.. good to know... Wish coinbase would let me DO something about it... Maybe fresh accounts for everyone? Maybe KYC data not directly linked to accounts? There should be SOMETHING they can do because the sheer volume of people constantly harassing CB customers is nuts.
> So this is probably why the phishing calls have increased from ~1 per month to ~3 per week.
Yes and their timeline doesn't add up with what they disclosed. If you take the Coinbase narrative, they only believed this was a 'material' issue once contacted by the hackers for a $20m demand, they weren't able to put the pieces together themselves.
The phishing has been elevated for weeks, especially via text message, and their lack of internal controls for access and monitoring are clearly severely lacking.
When i get those calls, i usually tell them “why dont i just save everyones time and just give you my bank account number, password and social security number? That sound good?”
I'm having de ja vu here. If they only found out when they attempted to extort them does it mean they don't even bother to log employee access? Is there any means for accountability at all internally?
It would be so simple to have access tracking and flag or lock out rogue employees... I look forward to seeing what the golden parachutes look like.
I built the admin panel used by internal employees and contractors at a major fintech payments processor (PCI Level 1). We had to add multiple levels of safety once we decided to hire a team outside of our US office including logging, monitoring and also rate-limiting (ask for manager to approve if more than 5 full details requests, etc.)
I think these requirements are much stringent due to PCI-DSS standards for credit card processors. I wonder if a lack of such standards in crypto makes the companies holding customer funds more lax.
Looking at their blog post, it seems like they paid customer support agents to hand over sensitive data. The attackers did not have access to any agent accounts themselves, and the customer service agents were accessing data they were already privileged to anyways.
The customer service agents were accessing data they were already privileged to anyways.
That's not how front line support agent access should work. You get access based on active cases you are working on, not the keys to the kingdom because you might need to support a member at some future point in time.
It makes me wonder what type of access support agents have in the first place. A lot of this information should require "unlocking" on a case-by-case basis by challenge/response while interacting with a customer.
Logging and retroactive auditing seems like the very least they should do. Even asking the customer service agent to first provide identifying details of the customer they can't easily know or guess by themselves doesn't seem excessive, given the sensitivity of the information.
It won't work for 100% of all calls (what if the customer is locked out themselves etc.), but those calls can then be handled by even more closely monitored agents.
"Less than 1% of monthly transacting customers" means up to 1% were accessed – that seems very high, i.e. much higher than the number of customer service contacts I'd expect.
The article says they sent an email, but I usually ignore emails from Coinbase. I hope there's going to be a better way to find out if your data was breached. I was locked out of my account before, and had to upload an ID. I thought they didn't store it... :o
Maybe it’s a naive question, but in many breach reports I see things like 'No passwords, private keys, or funds were exposed.' How come companies can usually protect that kind of data, but not emails, names, and other personal info?
Companies want the ability to use things like emails, names, and other data for user experiences (go to settings, see name and change it), advertising (target this address book for X ad), etc. So these are typically plaintext (oversimplified) and accessible by different systems while passwords or private keys have one use case only and can have a higher bar of protection.
A properly implemented login system will never store a password in the first place. Properly hashed passwords can still be cracked in some cases, but if your password is strong and the hash is good, it’s safe.
Such data is typically encrypted and purely write-only, only read by the system itself. Thus it is only exposed if the database itself is exposed. If the leak was compromise of the systems that access the data (which appears to be the case here--insiders copied data they could access) the write-only info is not exposed.
If you want to be alerted to new/updated SEC cybersecurity filings, you can subscribe to my free alerts [1] or see the full index of cybersecurity incidents [2] on my tracker (I check SEC EDGAR every 5 mins).
I’ve been getting scam texts from scammers who claimed my Coinbase account was compromised and to contact them. I wonder if this incident was the root cause
> recruited a group of rogue overseas support agents
Why not just say what country the are from and how they hired them to start with. It's presented as those sneaky "overseas" people that somehow got access to our systems. This company makes what, a few billions in revenue but they couldn't vet and hire the right people?
Given how little customer support agents in cheaper countries are paid, i'm surprised this type of serious attack has not happened sooner.
Corruption in these countries is extremely common. We're used to having a government that actually works in western countries. In these cheaper countries, bribes are routine and almost unavoidable.
Given the culture of corruption and how little the support agents are paid, it was only a matter of time before some bad actor tried to bribe them. Medical bills are expensive and need to be paid, making the agents highly vulnerable to this type of attack.
For many, the choice would be to accept the bribe, or let their sick child suffer from a treatable condition.
Now that a high profile attack has happened, expect copycat attacks from other bad actors.
As bad and annoying as this is, I do think “we won’t pay the ransom but set up a reward fund in the same amount to find the perps” is an interesting approach. It turns the tables such that any of the criminals or associates now are incentivized to turn on each other. I could see ways it wouldn’t work (they lie to get the reward, future scammers set up the scam with a patsy so they can collect reward), and am not sure it plays the same if there is actual exposed keys, etc.
Assuming they will have to inform the individuals who's data was actually breached/taken? Or is this basically the entire customer base? In which case that is VERY bad.
From the sounds of it, this is limited to US customers? Just going by the mention of social security number which does not exist in other countries like the UK.
The more alarming part for me is that, given the scale of the breach, there was clearly some way for this CS access to (a) query and download data from a database and (b) exfil that data in bulk. Where on earth were the controls?
> less than 1% of Coinbase monthly transacting users
Unclear if users whose data was stolen, but did NOT transact in the last month are included in this statistic. Feels like a very intentional phrasing on their part
I wonder what percentage of Coinbase's (but also any other company storing PII data) support is done by AI at this point, and whether they could focus on and invest much more heavily to make that as close as possible to 100%.
>On April 12, Coinbase updated their user agreement to take effect TODAY, May 15, with new language about waiving some rights to class action lawsuits and jurisdiction selection.
Also, "Coinbase had detected the breach independently in previous months", aren't they required to disclose this? In the EU they are: Every EU institution must do this within 72 hours of becoming aware of the breach, where feasible
What they got
- Name, address, phone, and email
- Masked Social Security (last 4 digits only)
- Masked bank‑account numbers and some bank account identifiers
- Government‑ID images (e.g., driver’s license, passport)
- Account data (balance snapshots and transaction history)
Wow. Why does customer support staff have access to images of the user's passports?
I also like 'last 4 digits only' as if that's not the most important parts and the part so many places use to validate your identity, the first 5 are just area and group so they're not exactly random.
Everyone's social security number is available. If you go download the leak referring to in this HN post [1], your SSN is certainly in it. Mine was, everyone in my family's was, almost all of my friends' were.
The world needs to stop pretending that SSNs are secret. They aren't.
Who else would verify the user passports if not the customer support staff? Who verifies (and photocopies! in Asia and Europe) your passport at a hotel or car rental office?
The attackers bribed customer service agents to hand over data and documents, they were not breached directly. It's possible this stuff may have been handed over before being destroyed.
Yes, but I do think an organization like Coinbase or a cell phone carrier - which are extreme targets of fraud - have an obligation to recognize that their employees are targets and implement greater security measures than most organizations. Maybe Coinbase should even pay higher wages and use onshore customer service agents.
You can take the Google approach of basically not empowering the agents at all. It's not worth trying to social engineer Google CS, because they can't do anything anyway.
Let me add to your statement. It is hard to keep call center workers bribe-proof WHEN they are paid peanuts AND they are working for a company that is in an extremely high risk business of managing crypto.
> Coinbase didn't adequately secure sensitive customer information, and it was leaked
Practically every company has someone with credentials who is in some combination of debt, a damningly-adulterous relationship, a damningly-illegal substance relationship and/or feels underappreciated or slighted compensationwise. The question is generally how much it costs.
Which is exactly why insider threats should be explored as a threat-model and mitigated to make the blast radius as small as possible via rate PII sanitization, access controls, access monitoring, rate limiting, etc.
The odds are already against their future viability after a breach like this and if they're fumbling the response this bad it really doesn't bode well for them.
They would have been better off not even bringing up their location if they weren't going to be transparent.
Bribes are one thing, but threats could also happen. This is a big part of the reason why I absolutely hate entities that think residential addresses should be public record.
This is a precedent to Coinbase employees getting physical threats at their door just because e.g. some voter registration, utility company, bank, credit card, or court record decided to release their name and addresses on the internet. People could show up at some Coinbase software engineers' apartment doors with guns demanding they send BTC to arbitrary addresses.
AFAICT it's impractical to keep residential addresses 100% private/secure - too many ways to get an address from any number of companies, organizations and governments that collect it for various reasons.
Plus numerous ways to infer your address from other data sources, including apps that grab GPS on friends' cellphones when they visit, etc.
Finally, shutting down paid data brokers seems virtually impossible in practice, which means anybody googling you can pay $20 and get everything.
Remember, the issue isn't lazy goodguys but even slightly motivated badguys, who then use third party scripts to do the data collection.
CS can validate without knowing the details, the same way you don't enter a password and then check to see if that matches the password in the system.
The fact that they keep blaming overseas customer support is pure blame shifting - you still hired someone and gave them access to all this data, Coinbase!
Isn't the whole point of crypto to keep PII out of it completely? If not, what is all this non-sense for exactly, other than the typical goals of pyramid schemes?
> The threat actor appears to have obtained this information by paying multiple contractors or employees working in support roles outside the United States
yea that is what they get. Hope this hurts them bad.
At my last job for a "casual dating" app, all new account verification stuff was sent to some shop in the Philippines. I got involved with troubleshooting some random DB locks that were causing down time. Ended up discovering that this firm tried to automate the verification process with some scripts or something that would sometimes go haywire and send over 100 requests per second to the new account admin portal which would bring down the entire site. Management just asked them nicely to be more careful which brought the peaks down to 80 requests per second which the back end seemed to be able to cope with (just barely). They couldn't careless that there were supposed to be humans looking at this data and they were clearly trying to automate that part out. Even worse, once I started looking at the data that was in the portal, it was credit card name and billing addresses, and DL license or passport scans. Before I could really further fix the performance issue, I was laid off. Then a few months later they did another lay off which cleaned out every american employee. This was an american company that had ~150 american employees and now there are none. Just two execs at the top that get to watch the money roll in while they farm out everything to overseas. Really pisses me off bad >:(
It will happen (at least attempted) with on-shore support staff too, My next door neighbour used to work for a UK high street bank and even there support staff were approached, with some of them first befriended, and eventually bribed in to passing along PII. No doubt it happens in the US too. Just costs the bad guys more.
We are emailing you about an important upcoming update to the Coinbase User Agreement. This update will revise our Arbitration Agreement with you. We made these updates to streamline the process for resolving disputes.
You can read the entire agreement here. The revised terms are in sections 9.9, 9.10 and Appendix 6.
These terms apply only to disputes that you or we initiate after May 15, 2025. The current terms will continue to apply until May 15.
---
What date did this news come out? I see it just happens to be the same date as mentioned in this email, May 15. Coinbase sneakily is trying to prevent their customers from exercising their legal rights. If you work for Coinbase, you ought to be ashamed and quit. If you use Coinbase, remove all your assets immediately.
I'm open to hearing reasons why this is just a coincidence or I'm misinterpreting the situation. Please, go ahead.
> The company said the hacker stole customer names, postal and email addresses, phone numbers, and the last four-digits of users’ Social Security numbers. The hacker also took masked bank account numbers and some banking identifiers, as well as customers’ government-issued identity documents, such as driver’s licenses and passports. The stolen data also includes account balance data and transaction histories.
I mean... wasn't coinbase sort of scammy to begin with? Several years ago I gave them some USD, turned it into BTC, saw the value of the BTC go up, but when I tried to cash out was told that wasn't a thing that was supported by their platform. Later I was told I could apply for a $399/year credit card and could partially pay off the balance with BTC sale proceeds. I'm sure this was all disclosed somewhere in the terms of service I clicked through, and I only lost $1000 to their scheme.
But I've always wondered why people think this is how investment vehicles work. I monkeyed around with stock market bets and even Robin Hood allows you to cash out of your positions.
I dunno why you had problems, but I've been using Coinbase with no problems at all for years. It's linked to my bank account, so if I want to pay for something with bitcoin, I can easily buy and send bitcoin with just a few clicks. I don't invest or speculate in bitcoin, so I only maintain a small account balance. And selling bitcoin and transferring the proceeds to my bank account has been just as easy and trouble-free.
It's more likely you didn't "lose" $1k, but that you had "missed profits". And if you missed the profits because you didn't verify yourself earlier for withdrawal, then that's on you.
Coinbase supported direct bank withdrawals well before they launched their crypto debit cards.
Roll out an update that defeats the end to end encryption in some subtle way that wouldn't go noticed for a few days. They'd be told when to do it for maximum effect, and if the window is small enough it might even go unnoticed for far longer when another uncompromised update overwrites it. They have no duty to report such things to relevant authorities even if it was discovered internally, so you could be looking at some corporate coverup that while not in on it, seeks to minimize liability/embarrassment.
Really, can you possibly tell if your Signal messages were compromised? Now that iPhones aren't really jailbreakable, you can't even see inside your own device.
Under specific conditions, the client can communicate with malware already on device, save data locally for other software to pick up, or downright stream the decrypted software to a third party.
Most likely is to introduce a flaw in the client that can be used by other walware on the client.
Direct link to SEC filing:
https://www.sec.gov/ix?doc=/Archives/edgar/data/0001679788/0...
I have been receiving regular spear phishing calls from these guys, or someone who bought the leaked data, with classic tactics like claiming that I need to confirm a potentially fraudulent transaction. They speak perfect English with an American accent, sound very friendly, and have knowledge of your account balance. Thankfully on the first call I realized it was a scam right away, and Google's call screening feature takes good care of the rest. Wish I could forward them to Kitboga[1].
I guess they didn't have as much luck as they wanted scamming Coinbase's customers, and once they had their fun they decided to try extorting Coinbase themselves.
[1] https://www.youtube.com/watch?v=HNziOoXDBeg
If you had any significant assets on Coinbase at any time prior to this breach, spear phishing is the least of your worries.
Coinbase not only leaked your full name and address, they also gave up your balances, your transaction history, and images of your government identification.
People with "significant" crypto balances are being assaulted on the street and in their own homes, and family members are being kidnapped for ransom.
"Significant" in this case can be $10k or less.
Until now, your best defense secrecy. Never talk about crypto in public in any way that could be traced to your real-world identity.
Thanks to Coinbase that defense is now gone.
The bad guys can see who has ever had a significant balance on Coinbase (even if they don't right now), whether that balance was sold for cash and how much, or if you've ever transferred tokens off the exchange to a self-custody wallet.
Now the bad guys know who's worth kidnapping for ransom and where you live. For most people, a Google search of your name and home address turns up the names of family members who would would also be lucrative targets for kidnapping and threats of violence.
Coinbase will never be forced to reimburse all the damage they've done because the true cost would bankrupt the company.
Florida teens kidnap Las Vegas man, drive him to Arizona desert, steal $4M in cryptocurrency
https://www.yahoo.com/news/florida-teens-kidnap-las-vegas-20...
8 replies →
> will never be forced to reimburse all the damage they've done because the true cost would bankrupt the company
This story keeps repeating. Maybe we should try it and see if it works as a deterrent.
4 replies →
Why is this such an issue with crypto?
Wealth status is often very well known for public figures and entrepreneurs. People are driving around in $200k cars.
Is it due to the liquidity of cryptocurrencies that $5 wrench attacks work better?
12 replies →
But hey, at least by being forced to give crypto exchanges all our personal details we're all super protected from the four horsemen: money laundering, drugs, terrorism and pornography.
4 replies →
> People with "significant" crypto balances are being assaulted on the street and in their own homes, and family members are being kidnapped for ransom. "Significant" in this case can be $10k or less.
I wonder why, select a person completely at random and by median you'll get just as much from what they have sitting in their checking account. Select a nicer area for an order of magnitude more. That's not encouragement to go assault people in their homes or kidnap families... just confusion.
12 replies →
Companies should seriously consider implementing GDPR even in the US, it certainly made taking data dumps of customer data a lot harder and certainly private images like Government IDs were encrypted on disk. I’m surprised at the lack of security if I’m honest, at Yahoo! almost nobody had access to prod user data.
Essentially you cannot trust Coinbase IMO, might move the few hundred dollars of BTC out of there :-)
6 replies →
They said less than 1% of users were affected.
2 replies →
How can I check if I am affected by this?
2 replies →
And yet, Coinbase goes Scott free
Someone, someone at that company should be going to prison for negligence
4 replies →
[dead]
"decentralized currency"
5 replies →
Why do you see this as the fault of Coinbase? Do other companies somehow have employees that are immune to bribes and blackmail?
This is due to US Government KYC laws that forced Coinbase to associate government identification with all accounts. No crypto company required ID until they were forced to.
9 replies →
I just switched to iPhone from a pixel device and I’m shook by all the spam calls. How do iPhone users deal with this?
It’s my biggest gripe. They can pretty accurately flag a number as Spam or Telemarketing but in the “Silence Unknown Callers” setting I can only silence every single unknown caller. I can’t silence every single number that’s not in my contacts. When the plumber calls to confirm he’s in route, my phone needs to ring. Stuff like that.
19 replies →
Also, on TMobile if you dial #662#, it'll block the Scam Likely calls at the carrier.
2 replies →
Yeup, I finally broke down went from Android -> IPhone 16 Pro. I like a lot about Apple's personal security policies for their consumers vs Google, but damn, I miss google's automatic call spam detection and management. All day long my Apple phone rings, and I just have to ignore the calls.
I don’t get any calls, seems to be an US problem?
3 replies →
Verizon (and I assume many other US carriers) offer junk call identification which your iPhone can block if you have ”Silence Junk Callers” toggled in Settings > Phone > Call Blocking & Identification.
https://support.apple.com/guide/iphone/block-or-avoid-unwant...
Unfortunately blocking all unknown calls is the only way to sanity. Otherwise we're talking 6-9 calls coming in ALL DAY, EVERY DAY.
The calls are coming from new numbers, across multiple area codes. A few months ago I would have advised using Begone (https://apps.apple.com/us/app/begone-spam-call-blocker/id159...) to block but that only worked since these calls were isolated to blocks of area codes that were pretty safe to block like 888-XXX-XXXX, but now ZERO of these calls are using a fixed area code that would be relative safe to block.
3 replies →
I have my phone set to silence Unknown callers. What did you have setup on the Pixel before to block them?
5 replies →
I never answer my phone, also turned off sound except alarms a couple years ago
2 replies →
Settings -> Phone -> Silence Unknown callers
I have the exact same experience. I felt like I went back to a phone from 2018.
You turn off the notifications from unknown callers? How does Android handle it?
1 reply →
Yeah you went the wrong way there brother.
If it’s says Rogers you know it’s a scam
iPhone user here. I put on airplane mode unless I'm making or expecting a call. Otherwise, I make it clear that email is my primary form of communication.
"Yeah yeah... installing your app now... oh there is an error... will try again..."
I started getting regular Coinbase login confirmation codes text messages with no attempts on my end
Same with my Microsoft account actually
I usually just ignore it but I assume someone is testing if my email can be used to login.
Oh yeah I get the Microsoft account emails, and Instagram ones, randomly (I have an account but never use it). I'm pretty sure SMS 2FA is turned off on my Coinbase account, which is highly recommended.
> I have been receiving regular spear phishing calls from these guys, or someone who bought the leaked data, with classic tactics like claiming that I need to confirm a potentially fraudulent transaction.
And how long has this been at an increased level? Because i'm not buying the coinbase narrative that they thought this was a systemic issue until they were contacted by the 'cybercriminals'.
It started around the beginning of April, at the same time as I got an initial email from them about my account information being accessed. Which I'm thinking is probably the same breach as they're talking about here.
Scams have gotten better since AI. Most of the common spelling mistakes are gone.
I was looking through some phishing e-mails the other day out of curiosity and found a weird unicode character mistranslated. Immediately knew it was an artifact of bad translation. So they're not perfect, but they're damn good.
The common spelling mistakes are there for a reason most of the time.
1 reply →
Where was the number from? I received an impressive number of phonecalls attempt but thankfully I never answer to unknown numbers. With google call screen they hung up everytime so I assume its a scam.
I got probably three or four in the past week.
I wonder if some of that perfect accent might be ML.
> They speak perfect English, sound very friendly, and have knowledge of your account balance.
.. and are former employees of Coinbase .. oh! just imagining!!
its a shame it'll never stop, and the criminal element is now a legal capitalism
The problem is that it seems like the data that leaked is also the data that would be used to do account recovery.
And what that means is that
1) If you lose access to your account (through either your own fault, or coinbases fault) that the process of recovering it may not be so straightforward anymore.
2) Hackers can try to “recover” accounts now using this leaked info.
This is a huge problem. What coinbase needs are IRL offices where you can go and do things like account recovery, and where people trying to steal money can be caught and prosecuted (and makes a huge barrier for the overseas thieves who are usually doing this)
The only solution here is: hardware 2 factor like yubikeys.
The Crypto industry continues their speedrun of rediscovering all of the reasons for why the global financial system exists.
What you've described is the same thing that many Crypto enthusiasts call a "Bank"
Many banks don't have physical branches.
One that I'm using does, but I find it extremely annoying when they have me go to a branch to unblock my account that they locked due to a poorly calibrated risk system (that they need due to not supporting actually secure 2FA methods).
except banks staff can easily be bribed too. There is plenty of bank fraud happening.
10 replies →
Coinbase is identical to a bank because it holds customer funds. Your comment isn't quite the dunk you think it is. Blockchains allow money to be held anonymously without any banks involved. Centralized exchanges are just profiting on speculation and probably should be banned.
12 replies →
> What coinbase needs are IRL offices where you can go and do things like account recovery, and where people trying to steal money can be caught and prosecuted (and makes a huge barrier for the overseas thieves who are usually doing this)
That's just a bank.
Watching crypto enthusiasts run into every problem that society already tackled with in the past when developing currency and its controls, and then coming up with solutions that look exactly the same as what dirty fiat currency uses, has been a source of much entertainment the past few years
34 replies →
Beyond the regulatory-dodge and crypto marketing explain to me how Coinbase is NOT a bank
5 replies →
Correct. Coinbase is a bank that holds cryptocurrency.
1 reply →
> The only solution here is: hardware 2 factor like yubikeys.
And when that’s lost, what do you do? Aren’t you back to account recovery step?
Then you send your iris scan to sama
If you ever sent money to or from a wallet you control, I'd think a reliable recovery factor would be to use that key to sign a message that Coinbase can verify with the address in their records. Cryptocurrency after all is just another PKI.
And dumb-dumb me just realized how trivial that would be to break. Social engineer someone into sending/receiving money to/from your wallet then pretend to be them requesting an account recovery.
Coinbase would have to make you sign a challenge ahead of time that would mark the wallet as the authorized public key for your account.
The the data that would be used to do account recovery is 99% either public record or already part of dozens of prior major data breaches.
> What coinbase needs are IRL offices where you can go and do things like account recovery, and where people trying to steal money can be caught and prosecuted
People getting locked out of their account (which can happen due to no fault of the user, e.g. by an overly nervous risk system) will be really happy to have to potentially travel to a different city to regain account access...
I would be very happy to do this.
Fine, make it optional. I actually would love a version of cold storage that is: never release this money unless I personally travel to an office if NYC and authorize it.
2 replies →
I'd imagine that anyone who's sophisticated enough to use a yubikey would just buy a hardware wallet and self custody.
> What coinbase needs are IRL offices where you can go and do things like account recovery, and where people trying to steal money can be caught and prosecuted
Is this satire?
I tried to reach out to coinbase customer support to see if I was impacted. Once I wasted my time with the AI bot and got a human they were unaware of the breach. I was the first person to inform them about it.
They emailed impacted accounts. Source: I was impacted
Not sure what to say about that, I had an account with them, but I couldn't verify it, had email, phone and could be some sort of ID scanned - don't remember. Haven't used the account ever since and had nothing there, since January I have been getting regularly calls about my account being "compromised". This leak probably happened way earlier, because there was no way someone knew I had an account there and knew exactly the email I had with them.
I don't believe they did, and I also believe they have known about this issue for a long time, and they should have been required to disclose their mandatory 8k a lot earlier.
Was this the general "Important Notice" email that went out this morning, or something more specific.
4 replies →
What was the title of the email? I got a generic looking email at 7AM EST this morning describing the breach.
You were read "Wow we didnt know about it, you are the first person talking about it to me" script line.
Maybe the actual first person got unlucky with a lazy customer support agent.
And the reason Coinbase has to keep all that sensitive stuff, much more than what would be required to identify and authenticate you, which you hope will never be stolen, is because of know your customer laws, so you can thank your government that pictures of your passport got stolen and for whatever criminals and rogue Coinbase employees do with that info.
There are very good reasons for KYC, the problem here is not the government regulation, it's once again private companies being sloppy with their customer's data because sloppy is cheap and it's not their info on the line, it's yours, so there's little motivation for them to safeguard it _unless_ they're compelled to do it by law.
The people who designed a government regulation to deputize private companies couldn't possibly have known how sloppy private companies are with other people's data?
They could have designed KYC to minimize long-term storage requirements etc at some cost to what they could enforce, but a government like the US is inherently sloppy with the rights that are reserved for parties besides itself.
1 reply →
This is costing Coinbase $400M. They are well incentivized to prevent this.
2 replies →
They're not just another free-to-use site where you're the product. Their reputation and viability are on the line.
For a site such as this the odds aren't in their favor anymore.
> And the reason Coinbase has to keep all that sensitive stuff, much more than what would be required to identify and authenticate you, which you hope will never be stolen, is because of know your customer laws
Real cop out here, be honest. Why should every single agent have access to your identity documentation (which is only required for KYC) in perpetuity?
[dead]
Coinbase seems to be going to great lengths to try and distance themselves from the so-called "rogue overseas support agents".
If they were Coinbase employees or contractors, that means the company basically sold its own data to hackers, who then turned around and demanded a ransom.
Reimbursing duped customers makes sense, as it seems like they would have a pretty straightforward case to make in court that Coinbase's actions led to their loss.
I'm more curious if someone who feels the need to move, change banks, change their email, hire a security detail etc. could successfully sue the company to recover some or all of those costs.
>If they were Coinbase employees or contractors, that means the company basically sold its own data to hackers, who then turned around and demanded a ransom.
This seems like a strange interpretation. If an employee at your company, against policy and likely illegally extracts proprietary data and gives it to hackers in exchange for money you can hardly say that "My company sold it's data".
I agree it wasn't authorized, but I should absolutely still be able to hold the company responsible for the damage. My business relationship is with you, not your employees or vendors.
They in turn could go after the perpetrator. If they're using contractors who are cheap, unvetted, untrustworthy or don't carry liability insurance that's their problem and shouldn't excuse them of accountability.
1 reply →
In a way you can. A company is its employees. If you want employees with integrity you might need to pay better than bottom dollar employees from the cheapest countries possible.
I once applied for a bank position, and they wanted to run a credit check. If you're in a position of handling money, the company has a responsibility to vet its employees. Do I agree with credit checks? Absolutely not, but the point is, Coinbase is partially responsible and that's why they're refunding duped customers.
How far that responsibility goes is up for debate.
> This seems like a strange interpretation. If an employee at your company, against policy and likely illegally extracts proprietary data and gives it to hackers in exchange for money you can hardly say that "My company sold it's data".
When an employee ships a new feature, do you say "My company shipped a new feature?"
3 replies →
Blog post is here:
https://www.coinbase.com/blog/protecting-our-customers-stand...
> We will reimburse customers who were tricked into sending funds to the attacker due to social engineering attacks. If your data was accessed, you have already received an email from no-reply@info.coinbase.com; all notifications went out at 7:20 a.m. ET on 5/15 to affected customers.
The no-reply is an interesting decision. I get how difficult it is to run a company like Coinbase (their biggest strength, centralized + customer support, is also what enables this social engineering), but feels like an odd choice.
no-reply is a good practice. No business should ever encourage their customers to reply to the emails they are sending out. That's what scammers do.
To contact the company you should go to company website at the address you know (which shouldn't be given in email as well), log in and send a message through internal message system, possibly referring to the email that you recieved through a random code (those can be auto-suggested if they recently tried to contact you by email).
If you do anything else your communication knwowingly mimics communication of a scammer.
Unrequested email should always only be one way communication. Email is too untrustworthy for it to be anything more.
2 replies →
Their "customer support" includes not expecting users to set up PGP to communicate with them. Email is not a secure method of communication by default.
It's fine to send a notification instructing them to visit the secure portal for more info, though. Hence, no-reply.
1 reply →
> No passwords, private keys, or funds were exposed and Coinbase Prime accounts are untouched.
I'm curious why no Coinbase Prime accounts were part of the leak (assuming that's what they mean). Is there some sort of additional layer of data protection behind the Coinbase Prime paywall? Or perhaps those accounts were intentionally avoided as they would presumably belong to more savvy users.
Coinbase Prime is its own exchange with its own support (actual humans in the USA that are available to chat to). It's for "institutional investors" so unavailable to most customers without the proper credentials/paperwork. They don't share the same outsourced "support" as the regular exchange, which appears to be the attack vector here.
> The threat actor appears to have obtained this information by paying multiple contractors or employees working in support roles outside the United States to collect information from internal Coinbase systems to which they had access in order to perform their job responsibilities
Based on the information present in the breach, I think it's likely that the source was their customer support in the Philippines. Monthly salary is usually < 1000$/month (entry-level probably even less than 500$) and a 5000$ bribe could be more than a year worth of money, tax-free. Considering the money you can make with that dataset now, this is just a small investment.
> •Name, address, phone, and email; •Masked Social Security (last 4 digits only); •Masked bank-account numbers and some bank account identifiers; •Government‑ID images (e.g., driver’s license, passport); •Account data (balance snapshots and transaction history); and •Limited corporate data (including documents, training material, and communications available to support agents).
This is every threat actor's dream. Even if you only had email addresses and account balances, this is a nightmare. Instead of blackmailing the company, you can now blackmail each individual user. "Send me 50% of your BTC and I won't publish all of your information on the internet". My guess is that we will have a similar situation like we had with the Vastaamo data breach...
https://en.wikipedia.org/wiki/Vastaamo_data_breach
> •Name, address, phone, and email;\
> blackmail each individual user
Blackmail would be the least of my worries, in France we had at least five kidnappings/attempted kidnappings related to crypto investors since the beginning of the year.
And more than one finger sent in the post.
Yes that's true but it's weird they only focus on crypto investors' families? There are many rich people in France, what's the deal with cryptobros?
10 replies →
This may seem callous, but isn't a large point of crypto that you are 'free' from the shackles imposed by the State?
And I guess that includes protection from criminals by the oppressive forces of the State (aka the police). In which case being kidnapped and having your fingers sent to your family is an integral part of your 'freedom'.
23 replies →
It way worse. The US companies, pay $3-$6 per hour to outsource their support to the Philippines. The companies which provide the service have very high turnover rate. For some companies the employees stay on average about 6 months. There is absolutely no reason to be loyal.
We are getting zero government regulations on AI, no punishment data breaches, and no human protections against wide scale abuse. The opposite is happening.
I suspect to see America in chaos from these disruptions in the very near future.
Beyond the Philippines low wage, the point is that there is a price for "everybody" if it were in the US it will be a much higher price, and most probably paying for higher attack benefits.
Whatever you think of Coinbase, this is a pretty good response IMO:
> and will not pay the $20 million ransom demand we received. Instead we are establishing a $20 million reward fund for information leading to the arrest and conviction of the criminals responsible
No it isn’t! The headline they used is “Protecting Our Customers - Standing Up to Extortionists.” My issue with it is that they word their announcement in a way that leads people to congratulate them instead of saying we’re sorry for leaking your private information. I’m so angry at them over this.
Additionally the email they sent me had the subject “important notice” and that my personal account was affected as the third sentence in a rather wordy paragraph. None of this is ok and this is not a company taking this seriously.
That's the same move from the Ransom movie from 1996 https://youtu.be/haThIxPnYro?si=Jxu0elA-ylB5Z15q
I love it. This also would have been a great opportunity to break out of corporate speak for a moment for a good “Up yours hacker assholes!” Even us folks in the Bible Belt appreciate a well timed swear word here and there.
I’d say the better thing for customers would be to pay the ransom demand and get the PII back. If they want to fund a reward scheme too, well great, but if it were my data, I’d care more about Coinbase limiting the breach of the data, not playing around with retaliatory rewards.
There is no guarantee that an anonymous criminal is going to hold up their end of the agreement. Coinbase has no idea who they're negotiating with or where that data has been shared.
That, and they're reimbursing customers who were tricked.
1 reply →
Limiting? The damage is already done.
It's really unfortunate that KYC regulations required Coinbase to have this information in the first place. We should be establishing strong social norms against sharing PII without a legitimate reason; this is not just an individual theft risk but a national security risk. Coinbase doesn't pay into your Social Security account, so they shouldn't have your Social Security number. They don't visit your house, so they shouldn't have your address. Etc.
Historically, although KYC regulations were widespread in Communist countries, they were unthinkable in most democratic countries until 9/11, which provided spy agencies with their golden chance to write their wishlist into law. But unfortunately that helps foreign spy agencies just as much as, maybe more than, it helps domestic ones.
In https://en.wikipedia.org/wiki/Know_your_customer#Laws_by_cou... you can see when they were introduced in different countries.
Let's hear you repeat this position after your Coinbase account is compromised and you're looking for recourse.
You seem to believe that AML/KYC regulation exists to benefit customers or to prevent or recover from account compromises. It does not, and I have no idea why you would think it does. Something like a Yubikey or iris-scanning stations could help to prevent Coinbase account compromises, but AML/KYC regulations do not require or even encourage them, though perhaps someday they will.
4 replies →
> Instead we are establishing a $20 million reward fund for information leading to the arrest and conviction of the criminals responsible for this attack.
I’m not usually a huge fan of crypto folks, but I applaud this.
I hope they are serious about paying the reward, and aren’t planning to rug-pull it.
I hope they are serious about paying the reward, and aren’t planning to rug-pull it.
They could always pay it in crypto.
It might not be a bad idea for the various crypto exchanges to pool their resources into a non-denominational security organization. It could offer hardening services, and some kind of accreditation.
It would also make many Ponzi schemes easier to spot, as they wouldn’t want to contribute.
1 reply →
> the Company has preliminarily estimated expenses to be within the range of approximately $180 million to $400 million relating to remediation costs
Hopefully companies take this as a lesson about bottom dollar outsourcing your CS.
For those amounts, they could afford to have hired regionally local support agents, and paid them well over industry standard...
But do they consider it a CS risk or a business-wide risk? Is there any role at CoinBase that isn’t susceptible to insider risk? I would argue they would treat it as a security department / business risk issue and not a CS-only issue.
Onshoring CS and paying some more for that role may result in a net change of 0 risk (eg. The same possibility of a breach over the same time interval).
Would a lower class (for that region) Alabama man have less the susceptibility to insider risk as a middle class (for that region) Philippino man?
Most likely, the company will focus on better segmentation and better adherence to least permissions for all roles.
Also, your logic is clouded by the fact that you know it happened. In all aspects of security/cybersecurity, risk is incredibly difficult to calculate because you have to accurately know how much a counterfactual would cost in order to accurately choose one option over the other.
>Would a lower class (for that region) Alabama man have less the susceptibility to insider risk as a middle class (for that region) Philippino man?
The american could be facing jail time, depending on the data. The Philippino man, not so much.
The global trend is racing to the bottom, so even if they could, every business consultant or MBA would push them to rather put more AI agents instead. Because that's all what matters (to them). Did anybody learn anything out of this? Of course not.
HA! Good one. They won't.
The costs will likely be covered by insurance, which is hilariously cheap and also covers events you could never feasibly prepare for.
A few days ago I missed a delivery from UPS (in the UK). The next day I got a text from an unrecognised cell phone that just said “Hello” and didn’t respond further. The day after that I got a scam call (another UK cell number) from someone trying to hack into my Amazon account. They wanted me to supply the OTP code that Amazon texts you for 2FA. Anyway I eventually tracked down my package (it was at a convenience store awaiting pick up), and lo and behold they had printed my phone number along with name/address on the package. I suspect someone harvested that and passed it to the scammers (not necessarily a UPS employee, could be the drop off locations they contract with). I suppose I’ll report it to the police in the slim hope that it will help them catch the scammers.
Not sure how you relate your UPS delivery with the scam call? Just because it happened the following day you expected a delivery? I could be just a coincidence.
I'm sure scammer's got get your phone number from many other sources and data breaches.
It could have been a coincidence, but I don’t receive deliveries often, and I don’t get scam calls often, so the timing and circumstances make it highly suspicious.
Why did those employees have access to such sensitive data? We could argue about the legal requirement to submit this data in general, but I really don't understand why (most of) this data isn't stored in an encrypted way and only accessible by a few people in the company.
Video response from Coinbase's CEO: https://x.com/brian_armstrong/status/1922967787309256807
[flagged]
I thought hackers always had the hood covering thier head!
1 reply →
There should be an ISO standard with respect to how much power and information that front line customer support agents have. The more information you need, like changing passwords or accessing personal information, should get forwarded to higher level customer support agents with better training and more monitoring. This way you can design customer support experience with as little exposure to security issues as possible.
They main defense against internal attacks is bookkeeping. Banks have been dealing with this for thousands of years. I recommend the corresponding chapter in Security Engineering by Ross Anderson: https://www.cl.cam.ac.uk/archive/rja14/Papers/SEv3-ch12.pdf
Bookkeeping will alert you to employees stealing your money. It won't alert you to employees selling information.
1 reply →
> better training and more monitoring.
That’s very load-bearing. It won’t help.
The CS reps are based in a LCOL country so the opportunity for theft is simply incredibly lucrative.
What is really needed, is customer-in-the-loop for access to their data. The problem is, not all accesses would make sense. Doing analytics over the data of the top 1% of customers, for example, requires some level of access, but would freak out those customers if they had to approve it.
If it would freak out the customers, maybe they shouldn’t be doing it.
1 reply →
Compartmentalization is a very expensive customer support model.
So are $20M ransoms and the reputational damage from data breaches.
So this is probably why the phishing calls have increased from ~1 per month to ~3 per week.. good to know... Wish coinbase would let me DO something about it... Maybe fresh accounts for everyone? Maybe KYC data not directly linked to accounts? There should be SOMETHING they can do because the sheer volume of people constantly harassing CB customers is nuts.
> So this is probably why the phishing calls have increased from ~1 per month to ~3 per week.
Yes and their timeline doesn't add up with what they disclosed. If you take the Coinbase narrative, they only believed this was a 'material' issue once contacted by the hackers for a $20m demand, they weren't able to put the pieces together themselves.
The phishing has been elevated for weeks, especially via text message, and their lack of internal controls for access and monitoring are clearly severely lacking.
When i get those calls, i usually tell them “why dont i just save everyones time and just give you my bank account number, password and social security number? That sound good?”
Forget relying on brokerages like COIN. If you care about the security of your digital assets, use a cold wallet or non-custodial account.
The comment you're replying to was complaining about scam calls, not about wallet security.
Using a hardware/"cold-ish" wallet does not protect you from scam calls: https://www.bleepingcomputer.com/news/security/physical-addr...
I'm having de ja vu here. If they only found out when they attempted to extort them does it mean they don't even bother to log employee access? Is there any means for accountability at all internally?
It would be so simple to have access tracking and flag or lock out rogue employees... I look forward to seeing what the golden parachutes look like.
I built the admin panel used by internal employees and contractors at a major fintech payments processor (PCI Level 1). We had to add multiple levels of safety once we decided to hire a team outside of our US office including logging, monitoring and also rate-limiting (ask for manager to approve if more than 5 full details requests, etc.) I think these requirements are much stringent due to PCI-DSS standards for credit card processors. I wonder if a lack of such standards in crypto makes the companies holding customer funds more lax.
Looking at their blog post, it seems like they paid customer support agents to hand over sensitive data. The attackers did not have access to any agent accounts themselves, and the customer service agents were accessing data they were already privileged to anyways.
https://www.coinbase.com/blog/protecting-our-customers-stand...
The customer service agents were accessing data they were already privileged to anyways.
That's not how front line support agent access should work. You get access based on active cases you are working on, not the keys to the kingdom because you might need to support a member at some future point in time.
It makes me wonder what type of access support agents have in the first place. A lot of this information should require "unlocking" on a case-by-case basis by challenge/response while interacting with a customer.
Logging and retroactive auditing seems like the very least they should do. Even asking the customer service agent to first provide identifying details of the customer they can't easily know or guess by themselves doesn't seem excessive, given the sensitivity of the information.
It won't work for 100% of all calls (what if the customer is locked out themselves etc.), but those calls can then be handled by even more closely monitored agents.
"Less than 1% of monthly transacting customers" means up to 1% were accessed – that seems very high, i.e. much higher than the number of customer service contacts I'd expect.
The article says they sent an email, but I usually ignore emails from Coinbase. I hope there's going to be a better way to find out if your data was breached. I was locked out of my account before, and had to upload an ID. I thought they didn't store it... :o
Maybe it’s a naive question, but in many breach reports I see things like 'No passwords, private keys, or funds were exposed.' How come companies can usually protect that kind of data, but not emails, names, and other personal info?
Companies want the ability to use things like emails, names, and other data for user experiences (go to settings, see name and change it), advertising (target this address book for X ad), etc. So these are typically plaintext (oversimplified) and accessible by different systems while passwords or private keys have one use case only and can have a higher bar of protection.
A properly implemented login system will never store a password in the first place. Properly hashed passwords can still be cracked in some cases, but if your password is strong and the hash is good, it’s safe.
Such data is typically encrypted and purely write-only, only read by the system itself. Thus it is only exposed if the database itself is exposed. If the leak was compromise of the systems that access the data (which appears to be the case here--insiders copied data they could access) the write-only info is not exposed.
It was some BI/analyst database that leaked?
If you want to be alerted to new/updated SEC cybersecurity filings, you can subscribe to my free alerts [1] or see the full index of cybersecurity incidents [2] on my tracker (I check SEC EDGAR every 5 mins).
[1] https://www.board-cybersecurity.com/alerts/
[2] https://www.board-cybersecurity.com/incidents/tracker/
I’ve been getting scam texts from scammers who claimed my Coinbase account was compromised and to contact them. I wonder if this incident was the root cause
> recruited a group of rogue overseas support agents
Why not just say what country the are from and how they hired them to start with. It's presented as those sneaky "overseas" people that somehow got access to our systems. This company makes what, a few billions in revenue but they couldn't vet and hire the right people?
Given how little customer support agents in cheaper countries are paid, i'm surprised this type of serious attack has not happened sooner.
Corruption in these countries is extremely common. We're used to having a government that actually works in western countries. In these cheaper countries, bribes are routine and almost unavoidable.
Given the culture of corruption and how little the support agents are paid, it was only a matter of time before some bad actor tried to bribe them. Medical bills are expensive and need to be paid, making the agents highly vulnerable to this type of attack.
For many, the choice would be to accept the bribe, or let their sick child suffer from a treatable condition.
Now that a high profile attack has happened, expect copycat attacks from other bad actors.
It's ironic this came [out] the day after COIN is going to be added to the SP500.
And also the same day as it was reported the SEC is investigating Coinbase over claims it overstated user numbers in past filings (https://www.thestreet.com/crypto/policy/sec-is-investigating...).
It's been a bad day.
As bad and annoying as this is, I do think “we won’t pay the ransom but set up a reward fund in the same amount to find the perps” is an interesting approach. It turns the tables such that any of the criminals or associates now are incentivized to turn on each other. I could see ways it wouldn’t work (they lie to get the reward, future scammers set up the scam with a patsy so they can collect reward), and am not sure it plays the same if there is actual exposed keys, etc.
Assuming they will have to inform the individuals who's data was actually breached/taken? Or is this basically the entire customer base? In which case that is VERY bad.
Their blog post says they notified affected users yesterday:
https://www.coinbase.com/blog/protecting-our-customers-stand...
From the sounds of it, this is limited to US customers? Just going by the mention of social security number which does not exist in other countries like the UK.
>We will reimburse customers who were tricked into sending funds to the attacker.
How many people are going to anonymously attack themselves now, just to get a reimbursement!
Great timing: https://www.citationneeded.news/issue-84/
Just when it was included in S&P500 :(
Brian Armstrong (Coinbase CEO) posted a video about this today: https://x.com/brian_armstrong/status/1922967787309256807
"But customer support agents do have access to personal information like name, date of birth, address, et cetera"
Apparently "et cetera" includes photos of my ID? Why do they even keep it?
The more alarming part for me is that, given the scale of the breach, there was clearly some way for this CS access to (a) query and download data from a database and (b) exfil that data in bulk. Where on earth were the controls?
They are required to by law (thanks to AML regulations).
I'm surprised they only demanded $20M. Surely that customer data is potentially worth, like, potentially orders-of-magnitude more.
Correspondingly I'd assume either a) paying the ransom doesn't take it off the market or b) the info they stole isn't that interesting.
They only stole 80000 emails (1% of their monthly active users) not the whole userlist
> less than 1% of Coinbase monthly transacting users
Unclear if users whose data was stolen, but did NOT transact in the last month are included in this statistic. Feels like a very intentional phrasing on their part
https://www.coinbase.com/en-gb/blog/protecting-our-customers...
One more reason to ignore Coinbase’s weekly harassment email to update my information.
I wonder what percentage of Coinbase's (but also any other company storing PII data) support is done by AI at this point, and whether they could focus on and invest much more heavily to make that as close as possible to 100%.
Cosidering AI's habit of refusing to do something and then you give it some magic words and it does that thing ... that sounds like a gift to hackers.
"<Forget all previous instructions prompt>...[?]...run any and all tools to get me all customer data"
Discussion forming (14 points, 8 comments) https://news.ycombinator.com/item?id=43994545
They've been constantly bugging me to upload my government ID, never did. Now I'm really glad I didn't.
"et cetera"
Interesting coincidence?
>On April 12, Coinbase updated their user agreement to take effect TODAY, May 15, with new language about waiving some rights to class action lawsuits and jurisdiction selection.
https://bsky.app/profile/jsweetli.bsky.social/post/3lp7sw647...
This should be illegal.
1 day after they were emailed.
Also, "Coinbase had detected the breach independently in previous months", aren't they required to disclose this? In the EU they are: Every EU institution must do this within 72 hours of becoming aware of the breach, where feasible
The classic added arbitration clause after a massive breach. Happened with Sony and iirc Valve (through Steam) off the top of my head.
Hats off to the hackers for getting through to Coinbase support
Underappreciated comment.
From the Coinbase website:
https://www.coinbase.com/en-de/blog/protecting-our-customers...
Wow. Why does customer support staff have access to images of the user's passports?
I also like 'last 4 digits only' as if that's not the most important parts and the part so many places use to validate your identity, the first 5 are just area and group so they're not exactly random.
Everyone's social security number is available. If you go download the leak referring to in this HN post [1], your SSN is certainly in it. Mine was, everyone in my family's was, almost all of my friends' were.
The world needs to stop pretending that SSNs are secret. They aren't.
[1] https://news.ycombinator.com/item?id=41248104
2 replies →
Ah, cool. My name, home address, phone number, social security number, and images of my drivers license and passport as well as what bank I use.
Spy agencies regulating financial institutions (really): https://news.ycombinator.com/item?id=43996848
Who else would verify the user passports if not the customer support staff? Who verifies (and photocopies! in Asia and Europe) your passport at a hotel or car rental office?
A separate KYC department that verifies identity then immediately deletes the images?
When was the last time your passport was copied in Europe?
I don't think that this is still legal under the GDPR.
4 replies →
Usually it's to assist people that upload the information incorrectly
I always thought that the government ID photos were claimed to be wiped out immediately after document verification. Guess not.
The attackers bribed customer service agents to hand over data and documents, they were not breached directly. It's possible this stuff may have been handed over before being destroyed.
The article keeps saying overseas employees or contractors, but isn't more specific on who Coinbase entrusted with this sensitive customer PII.
The bottom line is Coinbase didn't adequately secure sensitive customer information, and it was leaked.
Not, "Gosh, 'overseas' people, what can ya do?"
It's probably hard to keep call-center workers bribe-proof.
Yes, but I do think an organization like Coinbase or a cell phone carrier - which are extreme targets of fraud - have an obligation to recognize that their employees are targets and implement greater security measures than most organizations. Maybe Coinbase should even pay higher wages and use onshore customer service agents.
3 replies →
You can take the Google approach of basically not empowering the agents at all. It's not worth trying to social engineer Google CS, because they can't do anything anyway.
2 replies →
[flagged]
7 replies →
Call center workers who have access PII and financial abilities should probably be vetted a little bit better.
8 replies →
Let me add to your statement. It is hard to keep call center workers bribe-proof WHEN they are paid peanuts AND they are working for a company that is in an extremely high risk business of managing crypto.
5 replies →
Yes but you can not give them a SQL prompt. Rate limiting account queries per CSR is a common mitigation measure.
It’s not hard, it’s expensive.
It's hard to keep most people bribe proof.
Pretty sure all the Big Banks use call centers and manage to avoid this.
1 reply →
Question that needs to be answered if they were prosecuted. Losing your job but getting to keep the bribe just means it will still happen.
> Coinbase didn't adequately secure sensitive customer information, and it was leaked
Practically every company has someone with credentials who is in some combination of debt, a damningly-adulterous relationship, a damningly-illegal substance relationship and/or feels underappreciated or slighted compensationwise. The question is generally how much it costs.
Which is exactly why insider threats should be explored as a threat-model and mitigated to make the blast radius as small as possible via rate PII sanitization, access controls, access monitoring, rate limiting, etc.
1 reply →
The odds are already against their future viability after a breach like this and if they're fumbling the response this bad it really doesn't bode well for them.
They would have been better off not even bringing up their location if they weren't going to be transparent.
Bribes are one thing, but threats could also happen. This is a big part of the reason why I absolutely hate entities that think residential addresses should be public record.
This is a precedent to Coinbase employees getting physical threats at their door just because e.g. some voter registration, utility company, bank, credit card, or court record decided to release their name and addresses on the internet. People could show up at some Coinbase software engineers' apartment doors with guns demanding they send BTC to arbitrary addresses.
AFAICT it's impractical to keep residential addresses 100% private/secure - too many ways to get an address from any number of companies, organizations and governments that collect it for various reasons.
Plus numerous ways to infer your address from other data sources, including apps that grab GPS on friends' cellphones when they visit, etc.
Finally, shutting down paid data brokers seems virtually impossible in practice, which means anybody googling you can pay $20 and get everything.
Remember, the issue isn't lazy goodguys but even slightly motivated badguys, who then use third party scripts to do the data collection.
2 replies →
This is a feature of bitcoin not a bug.
If you sling code for cryptocurrency you and your loved ones are "in the game" now.
https://www.bbc.com/news/articles/c20qee5030do
They are probably used as scapegoats and didn't even leak the stuff. Crypto companies tend to do that.
You're probably wrong if you read more into this scenario.
How can customer support operate without knowing anything about the customer?
You know how your bank asks you to verify details when you call?
Without the right details the customer support people don’t get entry into the customers account details.
Banks have been doing this for 30+ years..
3 replies →
CS can validate without knowing the details, the same way you don't enter a password and then check to see if that matches the password in the system.
The fact that they keep blaming overseas customer support is pure blame shifting - you still hired someone and gave them access to all this data, Coinbase!
2 replies →
Isn't the whole point of crypto to keep PII out of it completely? If not, what is all this non-sense for exactly, other than the typical goals of pyramid schemes?
9 replies →
A shared or hashed secret would do it.
Plenty of exchanges don't know their customers, and in fact that is how they get their customers.
4 replies →
[flagged]
[flagged]
[flagged]
[flagged]
[dead]
Saved dimes on customer support, lost $400m.
It's hard to not believe in Karma sometimes.
> The threat actor appears to have obtained this information by paying multiple contractors or employees working in support roles outside the United States
yea that is what they get. Hope this hurts them bad.
At my last job for a "casual dating" app, all new account verification stuff was sent to some shop in the Philippines. I got involved with troubleshooting some random DB locks that were causing down time. Ended up discovering that this firm tried to automate the verification process with some scripts or something that would sometimes go haywire and send over 100 requests per second to the new account admin portal which would bring down the entire site. Management just asked them nicely to be more careful which brought the peaks down to 80 requests per second which the back end seemed to be able to cope with (just barely). They couldn't careless that there were supposed to be humans looking at this data and they were clearly trying to automate that part out. Even worse, once I started looking at the data that was in the portal, it was credit card name and billing addresses, and DL license or passport scans. Before I could really further fix the performance issue, I was laid off. Then a few months later they did another lay off which cleaned out every american employee. This was an american company that had ~150 american employees and now there are none. Just two execs at the top that get to watch the money roll in while they farm out everything to overseas. Really pisses me off bad >:(
It will happen (at least attempted) with on-shore support staff too, My next door neighbour used to work for a UK high street bank and even there support staff were approached, with some of them first befriended, and eventually bribed in to passing along PII. No doubt it happens in the US too. Just costs the bad guys more.
Keeping things onshore means the offenders could face jail time. Anything offshore just goes into a blackhole.
[dead]
A few weeks ago I got this email:
Update to the Coinbase User Agreement
We are emailing you about an important upcoming update to the Coinbase User Agreement. This update will revise our Arbitration Agreement with you. We made these updates to streamline the process for resolving disputes.
You can read the entire agreement here. The revised terms are in sections 9.9, 9.10 and Appendix 6.
These terms apply only to disputes that you or we initiate after May 15, 2025. The current terms will continue to apply until May 15.
---
What date did this news come out? I see it just happens to be the same date as mentioned in this email, May 15. Coinbase sneakily is trying to prevent their customers from exercising their legal rights. If you work for Coinbase, you ought to be ashamed and quit. If you use Coinbase, remove all your assets immediately.
I'm open to hearing reasons why this is just a coincidence or I'm misinterpreting the situation. Please, go ahead.
[dead]
[dead]
[dead]
Oops, I was wrong:
From https://techcrunch.com/2025/05/15/coinbase-says-customers-pe...
> The company said the hacker stole customer names, postal and email addresses, phone numbers, and the last four-digits of users’ Social Security numbers. The hacker also took masked bank account numbers and some banking identifiers, as well as customers’ government-issued identity documents, such as driver’s licenses and passports. The stolen data also includes account balance data and transaction histories.
[dead]
[dead]
[flagged]
Double down on KYC /s
[flagged]
[flagged]
[flagged]
[flagged]
> if you don't have sole control of your cryptocurrency keys then you don't own any cryptocurrency
Nobody has sole control of their cryptocurrency by definition. It's a consensus protocol. (On a practical level, there are always layers of trust.)
[flagged]
wait, coinbase has staff?
... and once the crypto is transferred. Poof, you're ducked.
... literally ducked. Crypto is a beautiful platform for money laundering. Why do you think Trump loves it so much?
I mean... wasn't coinbase sort of scammy to begin with? Several years ago I gave them some USD, turned it into BTC, saw the value of the BTC go up, but when I tried to cash out was told that wasn't a thing that was supported by their platform. Later I was told I could apply for a $399/year credit card and could partially pay off the balance with BTC sale proceeds. I'm sure this was all disclosed somewhere in the terms of service I clicked through, and I only lost $1000 to their scheme.
But I've always wondered why people think this is how investment vehicles work. I monkeyed around with stock market bets and even Robin Hood allows you to cash out of your positions.
Coinbase most certainly permits cashing out.
Are you sure you didn't fall for a scam version?
I dunno why you had problems, but I've been using Coinbase with no problems at all for years. It's linked to my bank account, so if I want to pay for something with bitcoin, I can easily buy and send bitcoin with just a few clicks. I don't invest or speculate in bitcoin, so I only maintain a small account balance. And selling bitcoin and transferring the proceeds to my bank account has been just as easy and trouble-free.
It's more likely you didn't "lose" $1k, but that you had "missed profits". And if you missed the profits because you didn't verify yourself earlier for withdrawal, then that's on you.
Coinbase supported direct bank withdrawals well before they launched their crypto debit cards.
Your profits are your profits. Coinbase can hold them until you verify yourself for withdrawals, but they can't just take them.
[flagged]
Employees at Signal must be getting bribes as well, or even threats of violence since they can get nation state Secret communications these days.
Got to make it so employees can’t do anything nefarious. This helps protect them.
How would employees of Signal access the encrypted messages?
Employees can't get access to encrypted messages.
But they can look the other way about flaws in their Electron client.
1 reply →
Roll out an update that defeats the end to end encryption in some subtle way that wouldn't go noticed for a few days. They'd be told when to do it for maximum effect, and if the window is small enough it might even go unnoticed for far longer when another uncompromised update overwrites it. They have no duty to report such things to relevant authorities even if it was discovered internally, so you could be looking at some corporate coverup that while not in on it, seeks to minimize liability/embarrassment.
Really, can you possibly tell if your Signal messages were compromised? Now that iPhones aren't really jailbreakable, you can't even see inside your own device.
They don’t need to.
Under specific conditions, the client can communicate with malware already on device, save data locally for other software to pick up, or downright stream the decrypted software to a third party.
Most likely is to introduce a flaw in the client that can be used by other walware on the client.
Clearly no red team members on HN these days.
1 reply →