Coinbase Faces Scrutiny After Reports of Long-Hidden Customer Data Leak

An Indian contractor working with Coinbase had access to sensitive customer data from the U.S., Canada, Japan, and the UK starting in 2021. The exchange acknowledged the breach only in 2024.
According to a Reuters investigation and sources close to Coinbase, an employee of an India-based contractor had access to confidential user data, including full names, email addresses, and potentially phone numbers. The incident reportedly occurred in 2021, though the company became aware of it only in January 2024.
Coinbase has not disclosed the scope of the breach, but according to sources, hundreds of customers in the U.S., Canada, the UK, and Japan were affected. Access to the data was obtained through a customer support system that Coinbase had partially outsourced to India. Company representatives stated that the “unauthorized access” had been terminated and that they are cooperating with Indian authorities in the investigation.
Importantly, Coinbase issued no public statement about the incident on its blog or in the platform’s incident report section. Only some users reported receiving notifications about a potential leak. This suggests the company opted for localized communication instead of a public acknowledgment, which may undermine confidence in its transparency practices.
Not the First Breach: Context Behind the Leak
The latest incident involving Coinbase is part of a broader pattern of data leaks and breaches tied not only to technical vulnerabilities but also to human error, particularly in the context of outsourcing and remote work.
In recent years, several major centralized platforms have faced data breaches due to contractors, internal violations, or compromised support systems.
- In 2022, Robinhood experienced a data leak in which unknown attackers gained access to information on more than 7 million users through a customer support employee.
- In 2023, the analytics platform Nansen suffered a data breach caused by a compromise of a third-party provider managing its analytics system.
The overall trend is clear: centralized exchanges rely heavily on international teams and outsourced support to handle user requests, but do not always ensure proper isolation of critical data. The issue is particularly evident in countries with weaker data protection standards, making such incidents a systemic risk rather than a one-off failure.
The context suggests that the Coinbase case is not an exception, but a symptom of a deeper issue within the industry.
User-Side Security: How to Protect Yourself When Exchanges Fall Short
Incidents like the Coinbase data leak raise an important question: Who is responsible for security in the crypto world? As practice shows, even the largest exchanges with millions of users and multibillion-dollar valuations can make critical mistakes. As a result, the primary responsibility for protecting assets shifts to the users themselves.
- The first rule is to minimize the amount of data shared with centralized platforms. Provide only required information, avoid uploading documents unless necessary, and do not use the same email address across multiple exchanges.
- The second rule is to use two-factor authentication (2FA) and update passwords regularly. These measures help reduce risks even if the data ends up in the hands of malicious actors.
The key step is to keep only the funds needed for transactions and DeFi activity on exchanges. Cold wallets (hardware wallets) or trusted, non-custodial apps are better suited to long-term storage, as they eliminate counterparty risk.
Personal control is the only way to preserve privacy, maintain access to funds, and ensure digital security.