Coinbase has confirmed that a contractor improperly accessed customer data in a newly revealed insider breach that affected around thirty users.

The incident took place in December and was detected by Coinbase’s internal security team, according to a statement shared with BleepingComputer.

A Coinbase spokesperson said that the contractor accessed customer information without authorization and no longer works with the company. Coinbase notified the affected users last year and offered identity theft protection services along with additional guidance. The company also said it reported the incident to relevant regulators, which it described as a standard procedure following such events.

BleepingComputer has learned that this breach is separate from the previously disclosed TaskUs-related insider breach from January 2025. Coinbase clarified that the two incidents are not connected, confirming this is a new case involving a different individual.

The confirmation comes shortly after a threat group known as Shiny Lapsus Hunters briefly shared screenshots on Telegram showing what appeared to be an internal Coinbase support interface. The images were later deleted, but they appeared to show access to sensitive customer data, including names, email addresses, phone numbers, dates of birth, identity verification details, wallet balances, and transaction history.

It remains unclear whether Shiny Lapsus Hunters were responsible for this insider breach or whether the screenshots were obtained from another source. Security researchers note that stolen data and internal images are often shared between different cybercrime groups before becoming public. The same threat actors have previously claimed they bribed an insider at CrowdStrike to obtain internal screenshots, raising further concerns about insider threats.

The incident highlights a growing problem across the tech and financial sectors, where Business Process Outsourcing companies have become frequent targets for attackers. BPO firms handle tasks such as customer support, identity verification, and IT help desk services, often giving employees access to sensitive systems and user data. This access makes them attractive targets for cybercriminals.

In recent years, attackers have increasingly relied on bribing insiders, social engineering support staff, or compromising employee accounts to gain entry into corporate systems. Coinbase itself experienced a similar issue last year when a data breach was linked to customer support agents employed by TaskUs, an external outsourcing provider.

Other major companies have faced similar attacks. In one high-profile case, attackers impersonated an employee and convinced a support agent at Cognizant to grant access to internal systems at Clorox, leading to a major breach and a lawsuit worth hundreds of millions of dollars. Google has also warned about threat actors targeting U.S. insurance firms through outsourced help desks.

Retail companies have reported comparable incidents as well. Marks & Spencer and Co-op both confirmed breaches that involved social engineering of support staff, prompting the U.K. government to issue guidance on protecting help desks and BPO operations from such attacks.

In some cases, attackers do not rely on persuasion alone but directly compromise BPO employee accounts. In October, Discord disclosed a breach that exposed data from millions of users after its support system was accessed using a compromised account linked to an outsourced support provider.


These repeated incidents show a clear shift in cybercrime tactics. Instead of exploiting software vulnerabilities, attackers are increasingly targeting people and third-party providers with trusted access. The Coinbase breach adds to growing evidence that insider threats and outsourced support services remain among the weakest links in modern cybersecurity.
