One of the world’s largest crypto exchanges is again under the spotlight after hackers leaked internal data linked to a Coinbase insider breach.
Quick Summary – TLDR:
- Coinbase confirmed a new insider data breach involving a contractor who accessed customer data in December.
- Hacker group ShinyHunters leaked screenshots of Coinbase internal tools on Telegram.
- The company faces $307 million in breach-related costs and a shareholder lawsuit.
- Increased BPO-targeted attacks raise serious concerns about third-party vendor security.
What Happened?
Coinbase has officially confirmed that in December, a contractor working for the company improperly accessed customer data, affecting around 30 users. This revelation follows the appearance of Coinbase support tool screenshots shared briefly on Telegram by the hacker group known as ShinyHunters.
This new incident is unrelated to the TaskUs breach from early 2025, but it shines a light on the growing threats posed by insiders and third-party contractors in the crypto industry.
🚨 Coinbase confirms an insider breach after a contractor improperly accessed data for 30 customers.
— BleepingComputer (@BleepinComputer) February 4, 2026
BleepingComputer learned the breach occurred in December.
This comes after screenshots of internal Coinbase support tools were leaked.
👉 Learn more: https://t.co/RSbIFkGLIb
Coinbase Confirms Insider Breach
Coinbase told BleepingComputer that it identified the breach last year when it detected improper access by a single contractor. The contractor no longer works with the company. Coinbase says affected users were informed and offered identity theft protection and guidance. Regulators were also notified.
While this breach affected a small number of users, the nature of the leaked information is serious. Screenshots shared on Telegram revealed access to user names, email addresses, birthdates, phone numbers, KYC details, wallet balances, and transaction data.
The breach aligns with a broader trend of threat actors targeting Business Process Outsourcing (BPO) companies, whose employees often have access to sensitive internal systems. These attacks are not limited to Coinbase.
ShinyHunters Flash Coinbase Data on Telegram
The ShinyHunters group briefly posted screenshots from Coinbase’s internal tools on Telegram. While some claimed the data was from as far back as nine years ago, cybersecurity expert Dominic Alvieri confirmed the data appeared to be from 2025.
These posts are believed to be “flash posts” or short-lived leaks meant to show off access without exposing too much. Researchers say there is no indication the full breach data has been released on the dark web.
Coinbase had previously confirmed a $20 million ransom demand from hackers related to an earlier breach, which the company refused to pay. Instead, Coinbase offered a $20 million reward for information leading to the attackers’ arrest. So far, a former employee has been arrested, and CEO Brian Armstrong hinted that more arrests are coming.
Outsourced Workers Under Attack
Threat actors have increasingly targeted outsourced support firms. BPO employees are often the weak link in the security chain, with access to internal tools but less direct oversight. Attack methods include:
- Bribery of support agents to leak internal data.
- Social engineering via impersonation calls.
- Compromised credentials of outsourced staff.
Recent breaches involving Discord, Marks & Spencer, Co-op, and Clorox all stemmed from similar attack vectors tied to BPO vendors. In one major incident, hackers posed as an employee and tricked a Cognizant agent into granting access to Clorox systems, leading to a $380 million lawsuit.
Coinbase itself was previously breached via its support partner TaskUs, showing how persistent these threats are.
Coinbase Faces Lawsuit and High Costs
As a result of the breach fallout, Coinbase is facing a shareholder class action lawsuit for allegedly failing to disclose the incident in a timely way. The company has reported $307 million in costs tied to the breach.
To combat further risks, Coinbase has introduced stricter safeguards, including:
- Extra ID checks for flagged accounts.
- Scam-awareness prompts before withdrawals.
- Reimbursement for users tricked into sending crypto to attackers.
Despite these measures, the damage to customer trust and the financial impact remain significant.
SQ Magazine Takeaway
Honestly, this breach underscores the real danger of outsourcing sensitive operations without tight oversight. I get why companies use BPOs, but the growing number of insider threats shows it is not enough to rely on contracts and NDAs. You need real-time monitoring, stricter access controls, and way more investment in vetting and training third-party staff.
And when hackers like ShinyHunters are flexing leaked data on Telegram, it’s a clear sign that the crypto world is still playing catch-up on security. If you’re a Coinbase user, now’s a good time to double-check your security settings.