Coinbase, the largest cryptocurrency exchange in the US, was notified on Sunday of a data breach by extortionists.
Login credentials, two-factor authentication codes and private keys were not exposed in the breach, nor were the bad actors able to gain individual account access to investors’ funds. But cybercriminals are in possession of the following:
- Names
- Addresses
- Phone numbers
- Emails
- Partial Social Security numbers
- Masked bank-account numbers
- Government ID images like driver’s licenses and passports
- Account data, including snapshots and transaction history
In an SEC filing, Coinbase said that the threat actors paid overseas contractors in support roles for internal sensitive information. That info was then used to create a social engineering attack, demanding that Coinbase pay $20 million or the information would be released. Coinbase refused to pay.
«Instead of funding criminal activity, we have investigated the incident, reinforced our controls, and will reimburse customers impacted by this incident,» the company said in its statement. The company is cooperating with law enforcement and has set up a $20 million reward fund for information leading to the hackers’ arrest.
Some Reddit users have reported receiving unsolicited password reset messages as early as last week. It’s unclear if the messages are tied to the data breach, but if you receive an unprompted password reset message, it should always send up a red flag. CNET reached out to Coinbase for comment, but the company did not immediately respond.
Do this now to secure your crypto and data
While Coinbase has said that your seed phrase and investment account are safe, this breach exposed a lot of other sensitive information. Take these steps now to ensure your personal information is secure.
Use a cold crypto wallet
If you invest in crypto regularly, a cold crypto wallet — which is not connected to the internet and has to be manually plugged into your computer to access — can keep your digital currency secure in the event an exchange is breached.
Freeze your credit reports
You should freeze your credit reports and even consider locking your SSN, to prevent bad actors from making use of any of the information that was exposed. But beware of phishing attacks that aim to trick you into giving up sensitive data willingly.
Danni Santana, CNET’s identity theft editor, tested freezing his credit last year and said, «It’s worth the hassle of setting up accounts with all three major credit bureaus. I get peace of mind at zero cost to me.»
Alert your bank
If even partial bank account information was exposed, contact your bank and let them know. You can request a new checking or savings account. Even if the entire account number wasn’t revealed, it’s still best to err on the side of caution.
Sign up for a free identity theft and credit monitoring service
There are free services you can sign up for that will monitor your credit reports and the dark web for any of your personal identifying information. While these services won’t take action on your behalf, they can alert you so that you’re able to take action.
There are also paid identity theft protection services available that offer much better protection features. Some of these, like Aura, include identity theft restoration services in the event your identity is stolen and up to $1 million in identity theft insurance.
