Coinbase customer data stolen after company's foreign reps were bribed, allowing hackers to then phish customers using the acquired personal data
What a fucking mess.
I've said for years that the US should make it ILLEGAL for foreign reps to work customer service jobs for any kind of finance or healthcare company, as they end up handling sensitive data with no possible oversight or consequence for misuse.
Now the chickens have come home to roost.
Coinbase employed cut-rate foreign customer service reps. Some of these reps were then bribed to give up a lot of Coinbase customer data to hackers, who then turned around to phish these customers in order to steal their funds.
Their statement, while likely at least partially factual, is filled with nonsense such as "We will pursue the harshest penalties possible" against the foreign-based attackers.
https://x.com/coinbase/status/1922967577568985185
Here is the full webpage about the matter: https://www.coinbase.com/en-ca/blog/...-extortionists
Supposedly "less than 1% of customers" had their data stolen. At that point, the hackers phished these customers using the data they had acquired from the theft, and convinced many of them to send their crypto. Once this occurred, the hackers then demanded $20m ransom out of Coinbase, which they refused to pay.
Exposed customer data included name/address/phone #/email, last 4 of social, government ID images (such as driver's license), and entire Coinbase account data.
The hackers were not able to access the Coinbase accounts of these people, because passwords were not compromised. The only customers who lost money were the ones who were tricked into sending out their crypto. Coinbase promises to reimburse these people.
The egregious part of this story is the fact that not only did they hire foreign customer service reps with full access to customer data, but these reps apparently had enough access to copy/paste almost 1% of all customer data to the hackers. This means these reps did have some sort of access to the raw data. It doesn't even have to be this way. They could be restricted to only access data given to them based upon customer input, such as needing an email address of the customer and other personal info to look anything up.
This was a huge hole in security, and has other potential implications. Imagine if you're holding millions or tens of millions in crypto on Coinbase. Do you want some third-world employees being able to look this up, and then contact friends in the US to extort it out of you in some way? The possibilities are endless.
With all the money Coinbase makes, they couldn't spring for US-based reps?
There is just about zero chance anyone here is brought to justice, unless they happen to live within the US, Canada, or an EU country.
:fail
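Added example (not from the post above, and not Coinbase's code): the post argues that support reps should only be able to pull a record when the customer initiates contact and supplies identifying input, rather than having open access to the raw data. The sketch below shows one way to build a support lookup tool on that principle. The `CUSTOMERS` rows, the `SupportDirectory` API, the field names and the quota value are all constructed for illustration. Three things are enforced: a lookup needs the customer's email plus a one-time code that was delivered to the customer (so the agent cannot look anyone up on their own), every attempt is counted against a per-agent daily quota (so a bribed rep cannot drain a meaningful share of the customer base), and fields such as ID images, home address and SSN digits are never returned at all. There is deliberately no "list all" or "export" operation.

```python
"""Constructed example: scope support-agent lookups to customer-initiated,
customer-verified requests, cap how much any one agent can pull, and
never hand back the high-value fields."""
from dataclasses import dataclass, field
from datetime import date
import hashlib
import hmac
import secrets

# Constructed sample data (not real customers). In a real deployment these rows
# sit behind an API that offers agents no bulk query, list or export operation.
CUSTOMERS = {
    "alice@example.com": {
        "name": "Alice Example", "phone": "+1-555-0100", "ssn_last4": "1234",
        "address": "12 Elm St, Springfield", "id_image": b"<jpeg bytes>",
    },
    "bob@example.com": {
        "name": "Bob Example", "phone": "+1-555-0199", "ssn_last4": "5678",
        "address": "7 Oak Ave, Shelbyville", "id_image": b"<jpeg bytes>",
    },
}

# Fields an agent never needs in order to help a customer; they are never returned.
NEVER_RETURNED = {"ssn_last4", "address", "id_image"}


class LookupDenied(Exception):
    pass


@dataclass
class SupportDirectory:
    daily_quota: int = 25  # hypothetical per-agent cap on lookup attempts per day
    _pending: dict = field(default_factory=dict)   # email -> sha256 of one-time code
    _attempts: dict = field(default_factory=dict)  # (agent, date) -> attempt count
    audit: list = field(default_factory=list)      # every attempt, success or not

    def start_verification(self, email: str) -> str:
        """The customer asks for help; a one-time code goes to their verified contact.
        It is returned here only so this offline example can play the customer's side.
        A real system delivers it out of band and never shows it to the agent."""
        code = f"{secrets.randbelow(10**6):06d}"
        if email in CUSTOMERS:
            self._pending[email] = hashlib.sha256(code.encode()).digest()
        # Unknown addresses still get a code back, so agents cannot enumerate customers.
        return code

    def lookup(self, agent: str, email: str, code: str) -> dict:
        """Return a redacted record only for a customer who just proved presence."""
        key = (agent, date.today())
        self._attempts[key] = self._attempts.get(key, 0) + 1
        if self._attempts[key] > self.daily_quota:
            self._log(agent, email, "quota_exceeded")
            raise LookupDenied("daily lookup quota exceeded")
        # The code is single-use: consumed on any attempt, right or wrong,
        # so a wrong guess cannot be followed by more guesses against the same code.
        expected = self._pending.pop(email, None)
        given = hashlib.sha256(code.encode()).digest()
        if expected is None or not hmac.compare_digest(expected, given):
            self._log(agent, email, "verification_failed")
            raise LookupDenied("customer verification failed")
        record = CUSTOMERS[email]
        view = {k: v for k, v in record.items() if k not in NEVER_RETURNED}
        view["email"] = email
        view["phone"] = "***-" + record["phone"][-4:]  # masked: enough to confirm, not to phish
        self._log(agent, email, "ok")
        return view

    def _log(self, agent: str, email: str, outcome: str) -> None:
        self.audit.append({"agent": agent, "email": email, "outcome": outcome})


if __name__ == "__main__":
    d = SupportDirectory(daily_quota=3)
    code = d.start_verification("alice@example.com")   # customer receives this
    print(d.lookup("agent-7", "alice@example.com", code))
    print(d.audit)
```

The point of the quota is not to make exfiltration impossible but to make it noisy and slow: at 25 lookups a day, copying even a fraction of a percent of a large customer base would take one agent months and leave a complete audit trail keyed to that agent, instead of being a single copy/paste.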