The largest U.S. cryptocurrency exchange, Coinbase, has confirmed a new user data breach originating from an external contractor. According to the company, attackers accessed information relating to approximately 30 customers. The incident dates back to December 2025 and is not linked to the earlier large‑scale compromise involving the outsourcing provider TaskUs.
Coinbase data breach through external contractor: key facts
Coinbase reported that its security team detected unauthorized access to customer information by one of its contractors. The company describes the number of affected users as “very small”, estimating around 30 accounts. The contractor responsible for the incident has since had its relationship with Coinbase terminated.
All impacted customers have been notified and offered identity theft protection services. Coinbase states that relevant regulators have been informed in line with financial and crypto sector incident‑reporting requirements. While the exchange has not published a granular field‑by‑field breakdown of compromised data, it emphasizes that this was a localized incident, not a platform‑wide breach.
What customer data may have been exposed
Although Coinbase has not disclosed a full list of affected data elements, similar breaches involving crypto platforms and their vendors typically expose personally identifiable information (PII) such as full name, date of birth, postal address, phone number and email address. In some cases, portions of KYC (Know Your Customer) documentation are also at risk, including ID documents submitted during verification.
Such data is highly valuable for cybercriminals. It can be used to craft targeted phishing campaigns, perform SIM‑swapping attacks, attempt account takeovers on other services, or commit identity fraud such as opening credit lines or exploiting financial services in the victim’s name.
Context: earlier large‑scale Coinbase breach via TaskUs
The new incident follows a far more extensive data leak in early 2025, when attackers bribed two employees of Indian outsourcing company TaskUs, which was providing customer support services to Coinbase. That breach affected nearly 70,000 Coinbase users.
In that earlier case, the attackers reportedly obtained dates of birth, the last four digits of Social Security numbers, postal addresses, phone numbers and email addresses. For some users, even scans of driver’s licenses and passports used for KYC/AML checks were compromised. The threat actors later demanded a US$20 million ransom from Coinbase, which the company refused to pay. This sequence—stealing highly sensitive identity data, followed by extortion or sale of the dataset on criminal markets—is now a common pattern in cryptocurrency‑related attacks.
Scattered Lapsus$ Hunters and exposure of internal support tools
Coinbase’s confirmation of the new contractor‑linked incident came shortly after the Telegram group Scattered Lapsus$ Hunters posted—and then deleted—screenshots allegedly showing an internal Coinbase support interface. The screenshots appeared to display access to customer data, including email addresses, names, dates of birth, phone numbers, KYC information, wallet balances and transaction histories.
At this stage there is no public evidence directly tying Scattered Lapsus$ Hunters to the December contractor breach. It is possible the images originated from other attackers. However, the group has previously been mentioned in investigations involving the bribery of employees at large technology and security vendors, underscoring how insider access and compromised support tools can be weaponized against financial and crypto platforms.
Third‑party and supply chain risk for cryptocurrency exchanges
Why contractors remain a systemic weak point
The Coinbase incidents highlight a classic supply chain risk problem. Even if a major crypto exchange invests heavily in internal cybersecurity, any weaker link—such as an outsourced support center, KYC verification provider or cloud partner—can become the primary attack entry point.
Industry reports, including studies by major security vendors and global incident response teams, consistently show that a substantial share of serious breaches in the financial sector involve third‑party failures. For cryptocurrency exchanges, the stakes are amplified: attackers are not only after digital assets, but also rich identity and transaction datasets that can fuel long‑term fraud schemes.
Security measures exchanges and vendors should prioritize
Organizations handling crypto assets and customer PII need a mature Third‑Party Risk Management (TPRM) program. Core elements typically include:
• Strict contractual security requirements: clear obligations for data protection, incident reporting and access control for all vendors processing customer data.
• Principle of least privilege: contractors should only have the minimal necessary access to systems and data, limited by role, geography and time.
• Continuous monitoring and auditing: logging, anomaly detection and periodic security assessments focused specifically on external accounts and integrations.
• Zero Trust architecture: even “trusted” partners are not granted broad, persistent access. Every access request is verified, logged and evaluated for risk.
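The least-privilege and monitoring points above can be checked mechanically against a support tool's audit log. The following is an added example, not code from Coinbase or any vendor: the policy values, field names, agent IDs and events are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Hypothetical policy for an outsourced support role (all values are assumptions).
POLICY = {
    "allowed_countries": {"PH"},
    "shift_hours_utc": range(0, 9),          # access permitted 00:00-08:59 UTC
    "allowed_fields": {"name", "email", "ticket_history"},
    "max_distinct_customers_per_hour": 3,
}

# Constructed audit events: time, agent, source country, customer, fields, ticket.
EVENTS = [
    ("2025-12-03T02:10:00", "ctr-041", "PH", "c-1001", ["name", "email"], "T-1"),
    ("2025-12-03T02:14:00", "ctr-041", "PH", "c-1002", ["name", "kyc_document"], "T-2"),
    ("2025-12-03T14:30:00", "ctr-041", "PH", "c-1003", ["email"], "T-3"),
    ("2025-12-03T03:00:00", "ctr-077", "RO", "c-2001", ["email"], "T-4"),
    ("2025-12-03T04:01:00", "ctr-090", "PH", "c-3001", ["name"], None),
    ("2025-12-03T04:02:00", "ctr-090", "PH", "c-3002", ["name"], "T-5"),
    ("2025-12-03T04:03:00", "ctr-090", "PH", "c-3003", ["name"], "T-6"),
    ("2025-12-03T04:04:00", "ctr-090", "PH", "c-3004", ["name"], "T-7"),
]

def review(events, policy):
    """Return a sorted list of (agent, customer, reason) policy violations."""
    findings = set()
    seen = defaultdict(set)  # (agent, hour bucket) -> distinct customers viewed
    for ts, agent, country, customer, fields, ticket in sorted(events, key=lambda e: e[0]):
        when = datetime.fromisoformat(ts)
        if country not in policy["allowed_countries"]:
            findings.add((agent, customer, "geography"))
        if when.hour not in policy["shift_hours_utc"]:
            findings.add((agent, customer, "outside_shift"))
        if set(fields) - policy["allowed_fields"]:
            findings.add((agent, customer, "field_scope"))   # e.g. KYC scans
        if ticket is None:
            findings.add((agent, customer, "no_ticket"))     # lookup with no case
        bucket = (agent, when.strftime("%Y-%m-%dT%H"))
        seen[bucket].add(customer)
        if len(seen[bucket]) > policy["max_distinct_customers_per_hour"]:
            findings.add((agent, customer, "volume"))        # bulk browsing
    return sorted(findings)

if __name__ == "__main__":
    for finding in review(EVENTS, POLICY):
        print(finding)
```

In practice the same rules would be enforced at the access layer, with this kind of log review catching what enforcement misses.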
How cryptocurrency users can reduce their own risk
While users cannot control an exchange’s vendor ecosystem, they can significantly reduce the impact of potential data leaks. Recommended measures include:
• Strong authentication: enable multi‑factor authentication (preferably with hardware security keys) for all exchange accounts.
• Segmented identities: use a dedicated email address for crypto platforms and avoid reusing passwords across services.
• Vigilance against phishing: closely inspect emails and messages that reference Coinbase or other exchanges, especially those requesting credentials, codes or document uploads.
• Credit and identity monitoring: periodically review credit reports and consider credit freezes or fraud alerts in jurisdictions where these services are available.
The Coinbase contractor breach reinforces a critical lesson for the crypto ecosystem: even highly regulated, well‑funded exchanges remain exposed to third‑party and supply chain attacks. Users should assume that any KYC information they submit may eventually be targeted and proactively build a robust personal cybersecurity strategy—from disciplined account management to continuous monitoring for signs of identity misuse.