Coinbase Data Breach Hits 30 Customers

Coinbase confirmed that a single contractor improperly accessed customer information inside its support tooling, affecting about 30 customers, after screenshots of an internal support interface briefly appeared on Telegram and were then removed.

What Happened in the Breach

Coinbase told BleepingComputer that its security team found improper access from one contractor last year and that the access affected a very small number of users, approximately 30.

Coinbase said the contractor no longer performs services for the company, impacted users were notified last year, identity theft protection services were offered, and regulators received disclosure.

The public attention spike followed a brief Telegram post from a threat actor label called “Scattered Lapsus Hunters,” which displayed screenshots that appeared to show a Coinbase support panel with access to customer data fields.

Timeline: From First Access To Latest Update

1. December 2025: BleepingComputer reported the incident occurred in December, and Coinbase said it detected the improper access last year
2. 2025: Coinbase said it notified impacted users last year, removed the contractor, offered identity theft protection, and disclosed to regulators
3. February 3, 2026: BleepingComputer reported Coinbase’s confirmation and described the Telegram screenshots and the data fields visible in the support interface
4. February 4, 2026: TechRadar summarized Coinbase’s statement, reported the contractor termination, and linked the Telegram screenshots to the “Scattered Lapsus Hunters” label
5. February 4, 2026: Risky Bulletin reported the incident as a new Coinbase insider breach and cited Coinbase’s statement that the contractor was fired and the incident occurred in December
6. February 5, 2026: SC Media reported the incident involved a single contractor and repeated the approximate 30 customer impact figure
7. February 10, 2026: The Security Now transcript repeated Coinbase’s statement about the contractor access and regulator disclosure, reflecting the latest widely circulated recap rather than a new Coinbase update

What Data Or Systems Were Affected

The screenshots described in reporting showed a Coinbase internal support interface that displayed customer information fields, including email address, name, date of birth, phone number, KYC information, wallet balances, and transaction history.

Coinbase has not published a field-level breach notice for this incident, so the precise data elements accessed for each impacted customer remain unpublished outside media descriptions of the screenshots.

Coinbase did not report wallet compromise or private key exposure for this incident in the statement quoted by BleepingComputer, and TechRadar reported no claim of password exposure in the coverage tied to Coinbase’s comment.

Who Was Responsible (Confirmed Vs Alleged)

Coinbase confirmed improper access from one contractor and did not name an outside threat actor in its statement.

The “Scattered Lapsus Hunters” label posted screenshots on Telegram and then removed them, and BleepingComputer said it was unclear whether that group carried out the contractor access incident or obtained the screenshots after the fact.

TechRadar reported that the contractor may have been bribed, drawing an analogy to prior insider cases, and the outlet also noted uncertainty about whether the Telegram posters were directly tied to the contractor.

How The Attack Worked

Coinbase’s public detail indicates misuse of authorized access inside support tooling, since the contractor allegedly used their role to view customer data without a business need.

Reporting tied the public surfacing of the incident to screenshots of an internal support panel that appeared on Telegram, suggesting the incident included at least screen-level capture of sensitive data views.

Coinbase has not published a technical incident report that describes controls that failed, alerts that fired, or the mechanism of possible data extraction, and BleepingComputer said the incident occurred in December without stating an exact day or dwell time.

Impact and Risks for Customers

Support-tool data exposure raises risk for targeted social engineering because attackers can use correct personal details, KYC context, and balance information to make impersonation messages feel credible.

Coinbase said it offered identity theft protection and guidance to impacted users, which suggests Coinbase treated the incident as a personal-data exposure risk even at a small scale.

The incident also lands in a period when Coinbase has warned about support impersonation threats tied to stolen customer data from insider misuse, a theme the company emphasized in its May 15, 2025 disclosure about extortion-linked insider access.

Company Response And Customer Remediation

Coinbase said the contractor no longer performs services for the company, affected users received notification last year, and identity theft protection services were provided along with other guidance.

Coinbase said it disclosed the incident to relevant regulators as part of its standard practice.

Coinbase has not published public customer instructions for the broader user base tied to this 30-customer incident, so most practical guidance for non-impacted users comes from Coinbase’s standing advice about impersonation scams and support contact patterns.

Government, Law Enforcement, And Regulator Actions

Coinbase said it disclosed the incident to regulators, and it did not name specific agencies or publish an enforcement status update.

Public reporting has not described arrests, search warrants, or regulator findings tied to the 30-customer contractor access incident as of the February 2026 coverage cited here.

Regulatory and law enforcement attention has been more visible in Coinbase’s larger 2025 insider-extortion case, where Reuters reported DOJ interest after the company disclosed a cyber incident and cost exposure estimates.

Financial, Legal, And Business Impact

Coinbase has not published a cost range tied to the 30-customer contractor incident, and none of the cited reports list a financial impact estimate for this event.

Coinbase’s larger insider-driven incident disclosed in May 2025 carried a projected cost range of $180 million to $400 million, and Reuters linked that case to bribed support personnel and extortion pressure, offering a reference point for how expensive insider access can become at scale.

Public reporting reviewed here did not show litigation tied specifically to the 30-customer contractor incident, while the 2025 incident produced broader scrutiny and reporting about outsourced support access controls.

What Remains Unclear About the Breach

The exact date in December 2025, the length of unauthorized access, and the volume of customer records viewed or extracted have not been published in Coinbase’s statement or in the cited reporting.

Whether the Telegram screenshots came directly from the contractor, from a separate threat actor who later obtained them, or from a secondary leak chain remains unresolved, and BleepingComputer said attribution to the Telegram posters was uncertain.

The path from internal support views to external distribution remains unclear, including whether data left Coinbase systems as files, screenshots, or copied text, since Coinbase has not released a technical narrative.

Why This Incident Matters

A small victim count still demonstrates real insider risk because one support-tool seat can expose identity and account context that supports later fraud attempts against victims who trust brand support channels.

The incident also reinforces a broader pattern that Coinbase highlighted in 2025, where criminals target customer support operations and attempt to turn access to support tooling into downstream theft through impersonation.

The Telegram screenshot episode shows how quickly sensitive internal UI views can become public artifacts, even when posts disappear fast, and it adds pressure on access governance and monitoring inside support platforms.

Bright Defense: Pen Tests and Continuous Compliance That Reduce Support-Tool Exposure

Bright Defense reduces insider driven support tool risk through penetration tests that assess help desk workflows, contractor access boundaries, and data extraction paths within support consoles, with focus on least privilege roles, sensitive field masking, and audit logging.

Continuous compliance keeps access reviews, logging, incident response evidence, and vendor checks current for SOC 2 expectations, supporting role recertification, session logging for sensitive panels, and fast offboarding when misuse is detected.

Sources

1. BleepingComputer — Coinbase confirms insider breach linked to leaked support tool screenshots (February 3, 2026)
   https://www.bleepingcomputer.com/news/security/coinbase-confirms-insider-breach-linked-to-leaked-support-tool-screenshots/
2. TechRadar — Coinbase reveals insider breach did take place, customer info compromised (February 4, 2026)
   https://www.techradar.com/pro/security/coinbase-reveals-insider-breach-did-take-place-customer-info-compromised
3. SC Media — Coinbase confirms insider breach affecting 30 customers (February 5, 2026)
   https://www.scworld.com/brief/coinbase-confirms-insider-breach-affecting-30-customers
4. Risky Bulletin — Denmark recruits hackers for offensive cyber operations (February 4, 2026)
   https://news.risky.biz/risky-bulletin-denmark-recruits-hackers-for-offensive-cyber-operations/
5. TWiT — Security Now 1064 transcript (February 10, 2026)
   https://twit.tv/posts/transcripts/security-now-1064-transcript
6. Coinbase — Protecting Our Customers: Standing Up to Extortionists (May 15, 2025)
   https://www.coinbase.com/blog/protecting-our-customers-standing-up-to-extortionists
7. Reuters — Coinbase warns of up to $400 million hit from cyberattack (May 15, 2025)
   https://www.reuters.com/business/coinbase-says-cyber-criminals-stole-account-data-some-customers-2025-05-15/
8. Associated Press — Coinbase said cyber crooks stole customer information and demanded $20 million ransom payment (May 15, 2025)
   https://apnews.com/article/e3ef5297dfea296eb7b7320d8c58647e
9. Reuters — Coinbase breach linked to customer data leak in India, sources say (June 2, 2025)
   https://www.reuters.com/sustainability/boards-policy-regulation/coinbase-breach-linked-customer-data-leak-india-sources-say-2025-06-02/
10. Reuters — US DOJ opens investigation into Coinbase’s recent cyberattack, Bloomberg News reports (May 19, 2025)
    https://www.reuters.com/sustainability/boards-policy-regulation/us-doj-opens-investigation-into-coinbases-recent-cryberattack-bloomberg-news-2025-05-19/