←back to thread

Coinbase says hackers bribed staff to steal customer data, demanding $20M ransom

(www.cnbc.com)
410 points gpi | 2 comments | 15 May 25 15:52 UTC | HN request time: 0s | source
Show context
modeless ◴[15 May 25 19:12 UTC] No.43998293[source]
I have been receiving regular spear phishing calls from these guys, or someone who bought the leaked data, with classic tactics like claiming that I need to confirm a potentially fraudulent transaction. They speak perfect English with an American accent, sound very friendly, and have knowledge of your account balance. Thankfully on the first call I realized it was a scam right away, and Google's call screening feature takes good care of the rest. Wish I could forward them to Kitboga[1].

I guess they didn't have as much luck as they wanted scamming Coinbase's customers, and once they had their fun they decided to try extorting Coinbase themselves.

[1] https://www.youtube.com/watch?v=HNziOoXDBeg

replies(10): >>43998497 #>>43998546 #>>43998550 #>>43998551 #>>43998639 #>>43999013 #>>43999303 #>>43999425 #>>43999455 #>>44000073 #
panarky ◴[15 May 25 19:42 UTC] No.43998551[source]
If you had any significant assets on Coinbase at any time prior to this breach, spear phishing is the least of your worries.

Coinbase not only leaked your full name and address, they also gave up your balances, your transaction history, and images of your government identification.

People with "significant" crypto balances are being assaulted on the street and in their own homes, and family members are being kidnapped for ransom.

"Significant" in this case can be $10k or less.

Until now, your best defense secrecy. Never talk about crypto in public in any way that could be traced to your real-world identity.

Thanks to Coinbase that defense is now gone.

The bad guys can see who has ever had a significant balance on Coinbase (even if they don't right now), whether that balance was sold for cash and how much, or if you've ever transferred tokens off the exchange to a self-custody wallet.

Now the bad guys know who's worth kidnapping for ransom and where you live. For most people, a Google search of your name and home address turns up the names of family members who would would also be lucrative targets for kidnapping and threats of violence.

Coinbase will never be forced to reimburse all the damage they've done because the true cost would bankrupt the company.

replies(12): >>43998696 #>>43998820 #>>43999011 #>>43999267 #>>43999315 #>>43999840 #>>44000135 #>>44000613 #>>44001088 #>>44001777 #>>44002734 #>>44004453 #
andy_ppp ◴[16 May 25 00:14 UTC] No.44000613[source]
Companies should seriously consider implementing GDPR even in the US, it certainly made taking data dumps of customer data a lot harder and certainly private images like Government IDs were encrypted on disk. I’m surprised at the lack of security if I’m honest, at Yahoo! almost nobody had access to prod user data.

Essentially you cannot trust Coinbase IMO, might move the few hundred dollars of BTC out of there :-)

replies(4): >>44001405 #>>44002445 #>>44004187 #>>44010495 #
1. csomar ◴[16 May 25 11:43 UTC] No.44004187[source]
How would GDPR help in this case where the employees were bribed?
replies(1): >>44009440 #
2. baobun ◴[16 May 25 20:17 UTC] No.44009440[source]
Internal segregation. If inplemented properly perhaps these specic employees wouldnt have access to all that data in the first place.