Coinbase Confirms Insider Breach Linked to Leaked Support Tool Screenshots
#Security

Security Reporter

Coinbase has confirmed an insider breach where a contractor improperly accessed data from approximately 30 customers in December 2025. The incident, revealed after leaked screenshots of internal support tools appeared on Telegram, is separate from the January 2025 TaskUs breach and highlights growing threats to Business Process Outsourcing (BPO) providers.

Coinbase has confirmed an insider breach in which a contractor improperly accessed the data of approximately thirty customers. BleepingComputer has learned that this is a new incident, which occurred in December 2025. The revelation comes after threat actors known as "Scattered Lapsus Hunters" (SLH) briefly posted screenshots of an internal Coinbase support interface on Telegram before deleting the posts.


The screenshots showed a support panel that exposed customer information, including email addresses, names, dates of birth, phone numbers, KYC information, cryptocurrency wallet balances, and transactions. Although the group deleted the posts shortly after publishing them, the images had already circulated among threat actors.

A Separate Incident from Previous Breaches

A Coinbase spokesperson told BleepingComputer that this is a newly revealed insider breach and is not related to the previously disclosed TaskUs insider breach from January 2025. The company stated: "Last year our security team detected that a single Coinbase contractor improperly accessed customer information, impacting a very small number of users (approximately 30)."

The affected contractor no longer performs services for Coinbase. Impacted users were notified last year and provided with identity theft protection services and other guidance. Coinbase has also disclosed this incident to relevant regulators as standard practice.

The Growing Threat to BPO Providers

This incident highlights a concerning trend in cybersecurity: the increasing targeting of Business Process Outsourcing (BPO) companies by threat actors seeking access to customer data, internal tools, or corporate networks.

A Business Process Outsourcing (BPO) company is a third-party firm that performs operational tasks for another organization. These tasks commonly include customer support, identity verification, IT help desk services, and account management. Because BPO employees often have access to sensitive internal systems and customer information, they have become high-value targets for attackers.

Over the past year, threat actors have exploited BPOs through multiple attack vectors:

  • Bribing insiders with legitimate access
  • Social engineering support staff to grant unauthorized access
  • Compromising BPO employee accounts to reach internal systems

Historical Context of BPO Attacks

The Coinbase breach follows a pattern of similar incidents across various industries. The January 2025 TaskUs incident noted above was itself an insider breach linked to external customer support representatives employed by TaskUs, an outsourcing firm that provides services to the crypto exchange.

Social engineering attacks against outsourced IT and support desks have proven particularly effective. In one prominent case, attackers posed as an employee and convinced a Cognizant help desk support agent to grant them access to a Clorox employee account, allowing them to breach the company's network. This incident later became the focus of a $380 million lawsuit by Clorox against Cognizant.

Google has also reported that threat actors targeted U.S. insurance firms in social engineering attacks on outsourced help desks to gain access to internal systems. Retailers have confirmed similar patterns, with Marks & Spencer confirming attackers used social engineering to breach its networks, while Co-op disclosed data theft following a ransomware attack that similarly abused support staff access.

In response to these attacks, the U.K. government issued guidance on social engineering attacks against help desks and BPOs, recognizing the growing threat to retail and other sectors.

Account Compromise as an Attack Vector

In some cases, attackers target the BPO employees' accounts themselves to reach the customer data those employees manage. In October 2025, Discord disclosed a data breach that allegedly exposed data from 5.5 million unique users after its Zendesk support instance was compromised.

While Discord did not confirm how its instance was breached, threat actors told BleepingComputer that they used a compromised account belonging to a support agent employed by a BPO provider. Using this account, they downloaded Discord's customer data.

The Evolution of Insider Threats

This repeated abuse of outsourced support providers shows how threat actors increasingly sidestep software vulnerabilities altogether and instead target third-party companies that already hold access to corporate networks and data. The Coinbase incident demonstrates that even companies with mature security programs remain exposed through their extended ecosystem of contractors and partners.

The Scattered Lapsus Hunters group, which posted the Coinbase screenshots, has a history of such activities. The same threat actors previously claimed to have bribed an insider at CrowdStrike to share screenshots of internal applications, suggesting they may have been involved in the Coinbase breach or have connections to those who were.

Industry Response and Best Practices

As insider threats and BPO targeting continue to evolve, companies are implementing security measures such as:

  • Enhanced vetting and ongoing monitoring of third-party contractors
  • Phishing-resistant multi-factor authentication for all support system access
  • Regular security training for outsourced personnel, including help-desk verification procedures
  • Segmentation and field-level masking of sensitive customer data, so a support panel does not expose full KYC records and wallet balances by default
  • Real-time monitoring for unusual access patterns, such as an agent viewing customer records with no corresponding ticket
  • Incident response plans that include BPO partners
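The monitoring item above is the control Coinbase credits with catching its contractor, and it is the one a detection engineer can make concrete. The following is an added example, not code from Coinbase, BleepingComputer or any vendor: it runs over a constructed sample of support-tool audit events (fictional agents, customers and tickets, in an assumed newline-delimited JSON format with `ts`, `agent`, `action`, `customer` and `ticket` fields) and flags every customer-record read that cannot be tied to a ticket assigned to that agent for that customer. It goes a step beyond the list item by correlating reads with ticket ownership rather than just counting volume, since a bribed or malicious insider reading thirty records over a month never trips a rate threshold.

```python
import json
from collections import defaultdict

# Constructed sample audit log (one JSON object per line). Fictional agent,
# customer and ticket identifiers; not data from Coinbase or any real tool.
SAMPLE_AUDIT_LOG = """\
{"ts": "2025-12-03T09:12:41Z", "agent": "agent_a", "action": "view_customer", "customer": "c1001", "ticket": "T-5501"}
{"ts": "2025-12-03T09:15:02Z", "agent": "agent_a", "action": "view_customer", "customer": "c1002", "ticket": "T-5502"}
{"ts": "2025-12-03T22:41:10Z", "agent": "agent_b", "action": "view_customer", "customer": "c2001", "ticket": null}
{"ts": "2025-12-03T22:41:55Z", "agent": "agent_b", "action": "view_customer", "customer": "c2002", "ticket": null}
{"ts": "2025-12-03T22:43:20Z", "agent": "agent_b", "action": "view_customer", "customer": "c2003", "ticket": null}
{"ts": "2025-12-03T22:45:07Z", "agent": "agent_b", "action": "view_customer", "customer": "c2004", "ticket": null}
{"ts": "2025-12-04T10:02:33Z", "agent": "agent_c", "action": "view_customer", "customer": "c1001", "ticket": "T-5501"}
{"ts": "2025-12-04T10:09:48Z", "agent": "agent_c", "action": "view_customer", "customer": "c3002", "ticket": "T-5510"}
{"ts": "2025-12-04T10:11:05Z", "agent": "agent_c", "action": "update_note", "customer": "c3001", "ticket": "T-5510"}
"""

# Constructed ticket assignments (assumed to come from the ticketing system):
# ticket id -> the agent it is assigned to and the customer it concerns.
TICKETS = {
    "T-5501": {"agent": "agent_a", "customer": "c1001"},
    "T-5502": {"agent": "agent_a", "customer": "c1002"},
    "T-5510": {"agent": "agent_c", "customer": "c3001"},
}

# Actions that expose PII, KYC data or balances and therefore need justification.
AUDITED_ACTIONS = {"view_customer"}


def parse_events(raw):
    """Parse newline-delimited JSON audit events, skipping blank lines."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def classify_view(event, tickets):
    """Return None when the record read is justified by a ticket assigned to this
    agent for this customer; otherwise a short reason string for the analyst."""
    ticket_id = event.get("ticket")
    if not ticket_id:
        return "no_ticket"
    ticket = tickets.get(ticket_id)
    if ticket is None:
        return "unknown_ticket"
    if ticket["agent"] != event["agent"]:
        return "ticket_not_assigned_to_agent"
    if ticket["customer"] != event["customer"]:
        return "ticket_for_different_customer"
    return None


def find_unjustified_views(events, tickets):
    """Map agent -> list of (timestamp, customer, reason) for every audited read
    that cannot be tied to a legitimate ticket. Non-audited actions are ignored."""
    findings = defaultdict(list)
    for ev in events:
        if ev.get("action") not in AUDITED_ACTIONS:
            continue
        reason = classify_view(ev, tickets)
        if reason:
            findings[ev["agent"]].append((ev["ts"], ev["customer"], reason))
    return dict(findings)


def agents_to_review(findings, min_unjustified=3):
    """Agents whose unjustified reads reach the escalation threshold,
    most findings first, ties broken by agent id."""
    hot = [(agent, len(v)) for agent, v in findings.items() if len(v) >= min_unjustified]
    return [agent for agent, _ in sorted(hot, key=lambda x: (-x[1], x[0]))]


if __name__ == "__main__":
    findings = find_unjustified_views(parse_events(SAMPLE_AUDIT_LOG), TICKETS)
    for agent, items in findings.items():
        for ts, customer, reason in items:
            print(f"{agent} {ts} customer={customer} reason={reason}")
    print("escalate:", agents_to_review(findings))
```

On the sample data, agent_b's four ticketless reads late in the evening are escalated, while agent_c's two reads under someone else's ticket and under a ticket for a different customer are recorded but stay below the default threshold. In a real deployment a ticketless lookup is sometimes legitimate (an inbound phone call before a ticket exists), so these findings should feed a review queue and be weighed against the agent's baseline rather than block access outright; the useful property is that a single contractor quietly reading records for customers they have no business with shows up at all.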

For customers, this incident serves as a reminder to monitor financial accounts regularly, enable all available security features on cryptocurrency and financial platforms, and be cautious about sharing personal information even with legitimate support channels.

Looking Forward

The Coinbase breach represents another data point in the growing trend of insider threats and BPO targeting. As companies increasingly rely on third-party providers for customer support and other functions, the attack surface expands beyond traditional network perimeters.

The practical lesson is that perimeter-based security models do not cover a contractor who holds legitimate credentials. Addressing insider and third-party threats means zero-trust access to internal tools, continuous monitoring of privileged and support-desk access, and treating insider threats with the same rigor as external attacks.

For Coinbase, the incident appears to have been contained quickly, with appropriate notifications made to affected users and regulators. However, the leak of internal support tool screenshots demonstrates how even contained breaches can have reputational impacts when sensitive information makes its way to public forums.

The cryptocurrency industry, which already faces unique security challenges because blockchain transactions cannot be reversed, must remain particularly vigilant about insider threats and the security practices of its business partners.
