Inside the May 2025 Coinbase Data Breach: Lessons in Insider Risk and Third-Party Security
In mid-May 2025, Coinbase, a major U.S. cryptocurrency exchange, disclosed a significant cybersecurity incident that exposed sensitive data from less than 1% of its users after overseas support agents were bribed or coerced into granting internal system access to attackers. While funds and private keys were not compromised, personal data such as names, addresses, and partial identifiers were accessed, and the company faced extortion demands of $20 million to avoid disclosure. Coinbase declined to pay, instead opting to work with law enforcement and launch a $20 million bounty for leads on the attackers’ identities. The fallout from this breach is expected to cost the company up to $400 million in remediation and reimbursements, a stark reminder that even well-funded organisations must treat insider risk and third-party access as critical pillars of cybersecurity.
What Made This Incident Serious?
Unlike high-profile breaches involving exploited software vulnerabilities, the Coinbase incident shows how human factors and third-party relationships can be the weakest link. By targeting customer support agents—outsourced staff with privileged access—the attackers bypassed much of Coinbase’s hardened perimeter defenses. Their ability to access internal documentation and sensitive user data underscores an industry-wide truth: attackers increasingly exploit human trust and vendor trust relationships rather than technical holes alone.
Prevention Starts With People
To avoid similar breaches, organisations must treat people as equally important as technology in their security strategy:
- Strict Access Controls: Enforce the principle of least privilege for all users, including contractors and third-party agents.
- Vendor Risk Management: Conduct comprehensive security assessments and enforce security standards across all external partners.
- Zero Trust Identity Verification: Don’t trust access based solely on network location or third-party status; use strong multifactor authentication (MFA) and real-time risk evaluation.
- Ongoing Training: Regularly train all employees and contractors to recognise phishing, bribery tactics, and social engineering that could lead to credential misuse.
Continuous Monitoring & Detection
Organisations must assume that breaches involving insiders are possible and implement continuous monitoring and anomaly detection tools. These can highlight unusual access patterns, lateral movement, or privilege escalations indicative of misuse before an incident escalates into data exfiltration or extortion.
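As an added illustration (not code from the article or from Modena360), the following Python check shows the kind of access-pattern monitoring described above, run over constructed audit lines from a hypothetical support tool: it flags an agent whose distinct-customer lookups in one hour stand out from peers and whose lookups have no linked support ticket. The log format, field names and thresholds are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed audit-log lines from a hypothetical support tool (assumed format):
# timestamp  agent  customer_id  ticket_id ("-" means no ticket was linked).
AUDIT_LOG = """\
2025-05-10T09:02 agent_a cust_1001 T-551
2025-05-10T09:15 agent_a cust_1002 T-552
2025-05-10T09:40 agent_b cust_1003 T-553
2025-05-10T10:05 agent_b cust_1004 T-554
2025-05-10T10:30 agent_c cust_1005 T-555
2025-05-10T11:00 agent_c cust_1006 T-556
2025-05-10T11:01 agent_d cust_2001 -
2025-05-10T11:02 agent_d cust_2002 -
2025-05-10T11:02 agent_d cust_2003 -
2025-05-10T11:03 agent_d cust_2004 -
2025-05-10T11:03 agent_d cust_2005 -
2025-05-10T11:04 agent_d cust_2006 T-557
2025-05-10T11:04 agent_d cust_2007 -
2025-05-10T11:05 agent_d cust_2008 -
"""

def parse_log(text):
    """Split each line into (hour bucket, agent, customer, ticket-or-None)."""
    rows = []
    for line in text.strip().splitlines():
        ts, agent, customer, ticket = line.split()
        rows.append((ts[:13], agent, customer, None if ticket == "-" else ticket))
    return rows

def find_anomalies(rows, z_threshold=2.0, unticketed_limit=3):
    """Return {agent: [reasons]} for agents whose record access looks abnormal.
    The peer baseline here is the same log; in production it would come from
    a longer history of normal agent activity."""
    per_hour = defaultdict(set)      # (agent, hour) -> distinct customers viewed
    unticketed = defaultdict(int)    # agent -> lookups with no linked ticket
    for hour, agent, customer, ticket in rows:
        per_hour[(agent, hour)].add(customer)
        if ticket is None:
            unticketed[agent] += 1
    counts = {key: len(custs) for key, custs in per_hour.items()}
    mu, sigma = mean(counts.values()), pstdev(counts.values())
    findings = defaultdict(list)
    for (agent, hour), n in counts.items():
        if sigma and (n - mu) / sigma > z_threshold:   # volume far above peers
            findings[agent].append(f"{n} distinct customers viewed in hour {hour} (peer mean {mu:.1f})")
    for agent, n in unticketed.items():
        if n >= unticketed_limit:                       # access with no business reason
            findings[agent].append(f"{n} record lookups with no linked support ticket")
    return dict(findings)
```

Either signal alone is noisy; the two together (bulk lookups that no customer asked for) are the pattern a bribed support agent harvesting records would leave.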
Response and Remediation Best Practices
When a breach occurs, how a business responds can materially affect its legal risk and customer trust:
- Immediate Containment: Disconnect compromised accounts and revoke access for implicated parties.
- Law Enforcement Collaboration: Engage appropriate agencies immediately to support criminal investigations.
- Customer Communication: Be transparent with affected users and offer support, such as identity protection services.
- Post-Incident Review: Conduct thorough reviews to understand root causes and harden defences going forward.
Why Partnering with a High-Quality MSP Matters
A managed service provider (MSP) like Modena360 can help organisations build resilience against insider and third-party threats by delivering:
- Ongoing vendor risk assessments and security posture reviews
- Advanced identity and access management (IAM) deployment, including Zero Trust frameworks
- Proactive monitoring with 24/7 threat detection capabilities
- Rapid incident response planning and forensics support
In an era where attackers exploit human trust as much as software flaws, having expert guidance and robust cybersecurity foundations isn’t just optional—it’s essential.
Ready to strengthen your cybersecurity posture and protect against insider and third-party risks? Contact Modena360 today to learn how we can help safeguard your business from evolving threats with proactive monitoring, advanced identity protection, and rapid incident response.