
Coinbase Breach: Insider Leaked Support Tool Screenshots

Summary

– Coinbase confirmed a new insider data breach in December where a contractor improperly accessed information for approximately 30 customers.
– Threat actors briefly leaked screenshots of an internal Coinbase support panel containing sensitive customer data, though their direct involvement in the breach is unclear.
– Business Process Outsourcing (BPO) companies are increasingly targeted by attackers due to their employees’ access to sensitive systems and customer information.
– Common attack methods against BPOs include bribing insiders, social engineering support staff, and compromising employee accounts to gain unauthorized access.
– This pattern shows threat actors are increasingly bypassing direct system exploits to target third-party service providers with network access.

Coinbase has confirmed a recent security incident involving a contractor who improperly accessed the personal data of roughly thirty customers. This newly disclosed breach, which occurred last year, is separate from a previous incident involving a different outsourcing partner. The exchange has notified affected users, provided identity protection services, and reported the matter to regulators. The confirmation follows the brief appearance of internal support tool screenshots on a Telegram channel operated by a threat actor group, highlighting ongoing risks associated with third-party access to sensitive systems.

The leaked screenshots displayed a customer support panel containing highly sensitive information, including email addresses, full names, dates of birth, phone numbers, KYC verification details, cryptocurrency wallet balances, and transaction histories. While the posts were quickly deleted, the incident underscores how insider threats and compromised third-party vendors pose significant dangers. It remains unclear if the group that posted the material was directly responsible for the initial breach or if they obtained the screenshots from another source. This same collective has previously claimed to have bribed an insider at the cybersecurity firm CrowdStrike.

This event is part of a broader trend where Business Process Outsourcing (BPO) companies have become prime targets for cybercriminals. These third-party firms handle critical operations like customer support and IT help desks, granting their employees legitimate access to corporate networks and sensitive data. Attackers exploit this access through several methods, with bribing insiders being a direct and effective tactic, as seen in the Coinbase case.

Another prevalent strategy involves social engineering attacks against outsourced IT and support desks. Here, threat actors impersonate legitimate employees to trick help desk agents into granting system access. In a high-profile example, attackers posing as an employee convinced a support agent at Cognizant to provide credentials for a Clorox account, leading to a network breach and subsequent multi-million dollar lawsuit. Similar campaigns have targeted U.S. insurance firms and major retailers, with companies like Marks & Spencer and Co-op confirming breaches that began with social engineering against support staff.

Sometimes, the attack vector shifts to the BPO employee accounts themselves. Hackers may compromise these credentials to directly harvest the customer data the agents manage. For instance, Discord disclosed a data breach affecting millions of users after its Zendesk support system was accessed via a compromised account belonging to an agent at an outsourced BPO provider.

This repeated pattern of targeting third-party service providers demonstrates a strategic shift by threat actors. Instead of focusing solely on exploiting technical software vulnerabilities, attackers are increasingly aiming at the human element and the privileged access granted to outsourcing partners. These incidents highlight the critical need for organizations to enforce stringent security protocols, conduct rigorous oversight, and maintain continuous monitoring of all third parties with access to internal systems and sensitive customer information.
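The monitoring the article calls for is concrete enough to show in code. The following is an added example, not code from Coinbase, Discord, Cognizant or the article's source; it assumes a hypothetical support-tool audit log in a `timestamp agent=… customer=… ticket=…` format (the sample lines, the agent and customer identifiers, the ten-minute window and the five-record threshold are all constructed for illustration). It implements two of the checks a defender would want over such a log: an agent viewing an unusually large number of distinct customer records in a short window (the bulk-lookup pattern behind screenshot or data leaks by a bribed or compromised agent), and record views that are not tied to any support ticket.

```python
"""Detection logic for anomalous support-agent access to customer records.

Added example: a hypothetical audit-log format and constructed sample data,
not code from any company named in the article.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List, NamedTuple, Optional, Tuple


class AccessEvent(NamedTuple):
    ts: datetime
    agent: str
    customer_id: str
    ticket_id: Optional[str]  # None when the lookup was not tied to a ticket


# Constructed sample audit log (hypothetical format). A ticket value of "-"
# means the agent opened the record outside any support ticket.
SAMPLE_LOG = [
    "2025-12-03T10:00:05Z agent=contractor-17 customer=c-1001 ticket=T-5521",
    "2025-12-03T10:00:40Z agent=contractor-17 customer=c-1002 ticket=T-5521",
    "2025-12-03T10:01:10Z agent=contractor-17 customer=c-1003 ticket=-",
    "2025-12-03T10:01:45Z agent=contractor-17 customer=c-1004 ticket=-",
    "2025-12-03T10:02:20Z agent=contractor-17 customer=c-1005 ticket=-",
    "2025-12-03T10:02:55Z agent=contractor-17 customer=c-1006 ticket=-",
    "2025-12-03T10:03:30Z agent=contractor-17 customer=c-1001 ticket=-",
    "2025-12-03T10:05:00Z agent=agent-04 customer=c-2001 ticket=T-5530",
    "2025-12-03T10:20:00Z agent=agent-04 customer=c-2002 ticket=T-5531",
]


def parse_line(line: str) -> AccessEvent:
    """Parse one line of the hypothetical audit format into an AccessEvent."""
    ts_str, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    ticket = fields["ticket"]
    return AccessEvent(
        ts=datetime.fromisoformat(ts_str.replace("Z", "+00:00")),
        agent=fields["agent"],
        customer_id=fields["customer"],
        ticket_id=None if ticket == "-" else ticket,
    )


def detect_bulk_lookups(
    events: List[AccessEvent],
    window: timedelta = timedelta(minutes=10),
    threshold: int = 5,
) -> List[Tuple[str, datetime, datetime, int]]:
    """Flag agents who view more than `threshold` distinct customer records
    inside any sliding `window`. Returns (agent, first_ts, last_ts, count)."""
    by_agent = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_agent[ev.agent].append(ev)

    alerts = []
    for agent, evs in by_agent.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the span fits inside `window`.
            while evs[end].ts - evs[start].ts > window:
                start += 1
            distinct = {e.customer_id for e in evs[start:end + 1]}
            if len(distinct) > threshold:
                alerts.append((agent, evs[start].ts, evs[end].ts, len(distinct)))
                break  # one alert per agent per run is enough for triage
    return alerts


def detect_ticketless_lookups(events: List[AccessEvent]) -> List[AccessEvent]:
    """Flag customer record views that carry no support-ticket reference."""
    return [e for e in events if e.ticket_id is None]


def analyze(lines: List[str]) -> dict:
    """Run both detections over raw audit lines."""
    events = [parse_line(line) for line in lines]
    return {
        "bulk": detect_bulk_lookups(events),
        "ticketless": detect_ticketless_lookups(events),
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for agent, first, last, n in result["bulk"]:
        print(f"BULK   {agent}: {n} distinct customers between {first} and {last}")
    for ev in result["ticketless"]:
        print(f"NOTKT  {ev.agent} viewed {ev.customer_id} at {ev.ts} with no ticket")
```

On the constructed sample, `contractor-17` trips the bulk rule (six distinct records in under four minutes) and accounts for every ticketless view, while `agent-04` stays quiet. In practice the window and threshold would be tuned per queue from a baseline of normal agent behaviour, and both alerts would be routed to the team that owns third-party access reviews rather than to the BPO itself.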

(Source: Bleeping Computer)
