410 points gpi | 7 comments
modeless ◴[] No.43998293[source]
I have been receiving regular spear phishing calls from these guys, or someone who bought the leaked data, with classic tactics like claiming that I need to confirm a potentially fraudulent transaction. They speak perfect English with an American accent, sound very friendly, and have knowledge of your account balance. Thankfully on the first call I realized it was a scam right away, and Google's call screening feature takes good care of the rest. Wish I could forward them to Kitboga[1].

I guess they didn't have as much luck as they wanted scamming Coinbase's customers, and once they had their fun they decided to try extorting Coinbase themselves.

[1] https://www.youtube.com/watch?v=HNziOoXDBeg

replies(10): >>43998497 #>>43998546 #>>43998550 #>>43998551 #>>43998639 #>>43999013 #>>43999303 #>>43999425 #>>43999455 #>>44000073 #
panarky ◴[] No.43998551[source]
If you had any significant assets on Coinbase at any time prior to this breach, spear phishing is the least of your worries.

Coinbase not only leaked your full name and address, they also gave up your balances, your transaction history, and images of your government identification.

People with "significant" crypto balances are being assaulted on the street and in their own homes, and family members are being kidnapped for ransom.

"Significant" in this case can be $10k or less.

Until now, your best defense was secrecy. Never talk about crypto in public in any way that could be traced to your real-world identity.

Thanks to Coinbase that defense is now gone.

The bad guys can see who has ever had a significant balance on Coinbase (even if they don't right now), whether that balance was sold for cash and how much, or if you've ever transferred tokens off the exchange to a self-custody wallet.

Now the bad guys know who's worth kidnapping for ransom and where you live. For most people, a Google search of your name and home address turns up the names of family members who would also be lucrative targets for kidnapping and threats of violence.

Coinbase will never be forced to reimburse all the damage they've done because the true cost would bankrupt the company.

replies(12): >>43998696 #>>43998820 #>>43999011 #>>43999267 #>>43999315 #>>43999840 #>>44000135 #>>44000613 #>>44001088 #>>44001777 #>>44002734 #>>44004453 #
1. andy_ppp ◴[] No.44000613[source]
Companies should seriously consider implementing GDPR even in the US, it certainly made taking data dumps of customer data a lot harder and certainly private images like Government IDs were encrypted on disk. I’m surprised at the lack of security if I’m honest, at Yahoo! almost nobody had access to prod user data.

Essentially you cannot trust Coinbase IMO, might move the few hundred dollars of BTC out of there :-)

replies(4): >>44001405 #>>44002445 #>>44004187 #>>44010495 #
2. ethbr1 ◴[] No.44001405[source]
> I'm surprised at the lack of security if I’m honest

This is the crypto industry, who make the discrepancy between Theranos' claims and practice look conservative.

3. hulitu ◴[] No.44002445[source]
> Companies should seriously consider implementing GDPR even in the US

... and save the data in US cloud where everybody can access it.

It is really funny how FAANG can get away with data collection in spite of GDPR.

replies(1): >>44003168 #
4. disgruntledphd2 ◴[] No.44003168[source]
Yeah this is really frustrating, especially the way the EU commission keep coming up with workarounds that the court will almost certainly strike down.
5. csomar ◴[] No.44004187[source]
How would GDPR help in this case where the employees were bribed?
replies(1): >>44009440 #
6. baobun ◴[] No.44009440[source]
Internal segregation. If implemented properly perhaps these specific employees wouldn't have access to all that data in the first place.
7. Aloisius ◴[] No.44010495[source]
> How does Coinbase protect data in transit and data at rest?

> Coinbase employs a range of technical and organizational measures to defeat efforts to intercept, surveil, or otherwise access without authorization data in transit. For instance, Coinbase encrypts all confidential data transfers to prevent interception or tampering of that data by unauthorized third parties.

Coinbase does business in the EU and thus, already has to comply with the GDPR. Moreover, the US also requires safeguards for sensitive customer information by financial services companies.