Coinbase Global Inc., a major U.S. cryptocurrency exchange with more than 100 million customers, disclosed today that cybercriminals bribed offshore customer service support agents to steal customer data.

In a blog post, the company said no passwords, private keys or funds were exposed, but personal customer information was stolen. The company said the criminals accessed fewer than 1% of the company’s total transacting monthly customer base.

Attackers gained access to customer names, addresses, phone numbers and email addresses. As well as masked Social Security numbers (last four digits only), masked bank account numbers, government-ID images and limited corporate data. Coinbase stressed that the attackers did not access any login credentials or private keys or gained the ability to move or access customer funds.

Coinbase said the offending employees were fired immediately upon discovery. However, the company did not reveal any further details about when the leak occurred, in which region it happened or how many employees were involved.

The attackers could potentially use the stolen information for social engineering, also known as phishing, a fraudulent practice of sending emails or other messages pretending to be from a reputable company to get someone to reveal sensitive information.

For example, knowing a person’s phone number or email, a bad actor could call someone and get them to reveal their Coinbase account password or send them an email with a link that could send them to a fake Coinbase page.

“Expect imposters. Scammers — related to this incident or not — may pose as Coinbase employees and try to pressure you into moving your funds,” the company said. “If you receive this call, hang up the phone. Coinbase will never ask you to contact an unknown number to reach us.”

The attackers contacted the company, claiming to have compromised customer information and demanded a $20 million payoff. Coinbase Chief Executive Brian Armstrong said the firm refused the demand.

Rather than paying the $20 million ransom, Armstrong said Coinbase will turn it into a $20 million bounty for information leading to the arrest and conviction of the criminals behind the attack.

He added that any customers impacted by social engineering attempts will be reimbursed. In a filing with the United States Securities and Exchange Commission, Coinbase estimated that the process would cost the company between $180 million and $400 million in expenses.

“Given that the cybercriminals targeted customer support agents, this breach should be a major wakeup call for robust insider threat detection,” Nick Tausek, lead security automation architect at security automation firm Swimlane LLC, told SiliconANGLE in an email. “As outsourcing scales and operations stretch across time zones, insider threat detection and access governance can’t be afterthoughts. A single insider with the right access, or in this case, the wrong incentives, can punch a hole in even the most fortified security posture — because, as this breach shows, it only takes 1% of customers breached to make 100% of the headlines.”

Image: Pixabay