A Coinbase data breach filing with the Maine Attorney General finally gives us some more detail than Coinbase’s vague “less than 1% of monthly transacting users”. 69,461 people were affected, and Coinbase says the data breach occurred on December 26, 2024.

Data Breach Notifications Entity Information Type of Organization: Financial Services Entity Name: Coinbase, Inc. Street Address: 248 3rd Street #434 City: Oakland State, or Country if outside the US: CA Zip Code: 94607 Submitted By Name: Michael Rubin Title: Attorney Firm name (if different than entity): Latham and Watkins LLP Telephone Number: (415) 395-8154 Email Address: michael.rubin@lw.com Relationship to entity whose information was compromised: Outside Counsel Breach Information Total number of persons affected (including residents): 69461 Total number of Maine residents affected: Approximately 217 If the number of Maine residents exceeds 1,000, have the consumer reporting agencies been notified: Date(s) Breach Occured: December 26, 2024 Date Breach Discovered: May 11, 2025 Description of the Breach: Insider wrongdoing Information Acquired - Name or other personal identifier in combination with: Notification and Protection Services Type of Notification: Written Date(s) of consumer notification: May 30, 2025 Copy of notice to affected Maine residents: Appendix_A_-_Coinbase_Template_Individual_Notification_Letter.pdf Date of any previous (within 12 months) breach notifications: 07/16/2024 Were identity theft protection services offered: Yes If yes, please provide the duration, the provider of the service and a brief description of the service: We are offering all impacted individuals one year of free credit monitoring and identity protection services provided by IDX. The services include credit monitoring, a $1,000,000 insurance reimbursement policy and identity restoration, and dark web monitoring to identify if any information is made available through illegal online forums.

It took them almost five months between the incident and the incident disclosure, although the company has since admitted it knew customer support agents were suspiciously accessing customer data as far back as January.

Security researchers who have spent months trying to call Coinbase’s attention to serious issues at the company are disputing Coinbase’s claims about the timing of the breach. “Threat actors had ongoing access via multiple insiders over a prolonged period of time.”

Oh good apparently now the Coinbase breach happened on Dec 26, 2024. LOL So since Coinbase won't be straight with you, I will. Threat actors had ongoing access via multiple insiders over a prolonged period of time. (Screenshot of Maine AG notification)
As evidence, here's a very small cutout of one high value customer's Coinbase account. This wasn't pulled on Dec 26, 2024 honey. (Screenshot showing dates between 2025-02-07 and 2025-02-10)

The SEC requires material cybersecurity incidents be disclosed within four business days; state laws often have a 30-day disclosure deadline. It’s not clear if customers outside the US were affected; if so, other disclosure laws may apply.

« Back to the activity feed
« Back to the microblog feed
Have you responded to this post on your own site? Send a webmention! Note: Webmentions are moderated for anti-spam purposes, so they will not appear immediately.