Coinbase recently disclosed a security incident involving an external contractor who gained unauthorized access to the personal information of about thirty customers in December. After detecting the breach, the company terminated the contractor’s services and notified the affected individuals while providing them with protective resources.
A spokesperson for the cryptocurrency exchange confirmed that their security team identified the improper access late last year. According to the company, the breach was limited in scope, impacting a very small fraction of their total user base. Coinbase stated that they followed standard protocol by notifying relevant regulatory bodies and offering identity theft protection services to those whose data was compromised.
The confirmation of the breach follows a series of events where a group of threat actors known as Scattered Lapsus Hunters posted screenshots on Telegram. These images appeared to show an internal support interface containing sensitive customer details. While the posts were quickly deleted, they suggested that the attackers had a view into various types of private data, including names and financial records.
The leaked screenshots displayed a support panel that provided access to comprehensive user information such as email addresses, dates of birth, and phone numbers. Additionally, the interface revealed Know Your Customer details, cryptocurrency wallet balances, and historical transaction data. This level of access underscores the potential risk posed by insider threats or compromised administrative accounts within large financial platforms.
It remains unclear if the specific group that posted the screenshots was responsible for the initial breach or if they obtained the images from another source. In the cybersecurity world, stolen data and internal screenshots are frequently traded among different criminal entities. Notably, the same group has previously claimed to use bribery to gain access to internal systems at other high-profile technology firms.
Source: Coinbase Confirms Insider Breach Linked To Leaked Support Tool Screenshots



Strong write-up on the contractor angle. The fact that threat actors were posting support panel screenshots right after the breach suggests this type of insider access might be more coordinated than random. I've dealt with similar situations where the first breach point was human, not technical, and the fallout always takes longer to contain than external attacks.