Coinbase confirms insider breach linked to leaked support tool screenshots


Coinbase has confirmed an insider breach after a contractor improperly accessed the data of approximately thirty customers, which BleepingComputer has learned is a new incident that occurred in December.

“Last year our security team detected that a single Coinbase contractor improperly accessed customer information, impacting a very small number of users (approximately 30),” a Coinbase spokesperson told BleepingComputer.

“The individual no longer performs services for Coinbase. Impacted users were notified last year and were provided with identity theft protection services and other guidance. We have also disclosed this incident to the relevant regulators, as is standard practice.”


BleepingComputer has learned that this is a newly revealed insider breach and is not related to the previously disclosed TaskUs insider breach in January 2025.

This statement comes after threat actors known as “Shiny Lapsus Hunters” (SLH) briefly posted screenshots of an internal Coinbase support interface on Telegram and then deleted the posts soon after.

The screenshots showed a support panel that gave access to customer information, including email addresses, names, date of birth, phone numbers, KYC information, cryptocurrency wallet balances, and transactions.

It is not uncommon for screenshots and stolen data to be passed around among different threat actors before being leaked or disclosed, so it is unclear whether this group was behind the insider breach or whether other threat actors carried it out. 

BPOs under attack

Over the past few years, Business Process Outsourcing (BPO) companies have become increasingly targeted by threat actors seeking access to customer data, internal tools, or corporate networks.

A Business Process Outsourcing (BPO) company is a third-party firm that performs operational tasks for another organization. These tasks commonly include customer support, identity verification, IT help desk services, and account management.

Because BPO employees often have access to sensitive internal systems and customer information, they have become a high-value target for attackers.

In the past year, threat actors have targeted BPOs by bribing insiders who hold legitimate access, by social engineering support staff into granting unauthorized access, and by compromising BPO employee accounts to reach internal systems.

As the Coinbase incidents show, one way BPOs are targeted is by bribing their employees to steal or share customer information.

Coinbase disclosed a similar data breach last year, later linked to external customer support representatives employed by TaskUs, an outsourcing firm that provides services to the crypto exchange.

Another common tactic is social engineering attacks against outsourced IT and support desks, where threat actors impersonate employees and call BPO help lines to obtain access to internal corporate systems.

In one of the most prominent cases, attackers posed as an employee and convinced a Cognizant help desk support agent to grant them access to a Clorox employee account, allowing them to breach the company’s network. The incident later became the focus of a $380 million lawsuit by Clorox against Cognizant.

Google also reported that threat actors targeted U.S. insurance firms in social engineering attacks on outsourced help desks to gain access to internal systems.

Retailers also confirmed that social engineering attacks against support personnel enabled ransomware and data theft attacks.

Marks & Spencer confirmed attackers used social engineering to breach its networks, while Co-op disclosed data theft following a ransomware attack that similarly abused support staff access.

In response to the attacks on the retailers M&S and Co-op, the U.K. government issued guidance on social engineering attacks against help desks and BPOs.

In some cases, hackers target the BPO employee accounts themselves to gain access to the customer data they manage.

In October, Discord disclosed a data breach that allegedly exposed data from 5.5 million unique users after its Zendesk support system instance was compromised.

While the company did not confirm how its instance was breached, the threat actors told BleepingComputer that they used a compromised account belonging to a support agent employed by an outsourced BPO provider. Using this account, they downloaded Discord’s customer data.

This repeated abuse of outsourced support providers shows how threat actors are increasingly bypassing vulnerability exploits and instead targeting third-party companies with access to corporate networks and data.
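The common thread in the incidents above is a single support account pulling customer records at a volume and in a pattern that handling individual tickets never requires, whether the account belongs to a bribed insider or to an attacker who took it over. That pattern is visible in the support tool's own access log. The following is an added example, not code from Coinbase, Discord, TaskUs or any other organization named on this page: a small detector that flags an agent who views customer records without a linked ticket, or who views more records in a short window than a support workflow would explain. The log format, field names, sample entries and thresholds are all constructed assumptions.

```python
"""Flag support-tool accounts whose customer-record lookups look like bulk
collection rather than ticket handling.

Added example. The log line format, the agent names and the thresholds are
assumptions made for illustration, not any vendor's real schema.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format: "<ISO8601> agent=<id> action=<verb> [customer=<id>] [ticket=<id>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) agent=(?P<agent>\S+) action=(?P<action>\S+)"
    r"(?: customer=(?P<customer>\S+))?(?: ticket=(?P<ticket>\S+))?$"
)

# Constructed sample entries: alice handles three tickets over half an hour,
# bob pulls six records in under three minutes, five of them with no ticket.
SAMPLE_LOGS = [
    "2025-12-03T10:00:00Z agent=alice action=view_customer customer=c1001 ticket=T-41",
    "2025-12-03T10:12:00Z agent=alice action=view_customer customer=c1002 ticket=T-42",
    "2025-12-03T10:30:00Z agent=alice action=view_customer customer=c1003 ticket=T-43",
    "2025-12-03T11:00:00Z agent=bob action=view_customer customer=c2001 ticket=T-50",
    "2025-12-03T11:00:30Z agent=bob action=view_customer customer=c2002",
    "2025-12-03T11:01:00Z agent=bob action=view_customer customer=c2003",
    "2025-12-03T11:01:30Z agent=bob action=view_customer customer=c2004",
    "2025-12-03T11:02:00Z agent=bob action=view_customer customer=c2005",
    "2025-12-03T11:02:30Z agent=bob action=view_customer customer=c2006",
    "2025-12-03T11:03:00Z agent=bob action=logout",
]


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    # Python's fromisoformat does not accept a trailing "Z" before 3.11
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    return ev


def detect_anomalies(lines, max_per_window=5, window=timedelta(minutes=10)):
    """Return {agent: [finding, ...]} for agents whose record views are suspicious.

    Two checks are applied to every view_customer event:
      - "no_ticket": the lookup is not tied to a support case at all
      - "bulk_access": more than max_per_window lookups inside the sliding window
    The bulk finding is raised once per agent per window crossing, not per event.
    """
    findings = defaultdict(list)
    recent = defaultdict(deque)      # agent -> timestamps of views still inside the window
    bulk_flagged = set()             # agents already reported for the current burst

    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["action"] != "view_customer":
            continue
        agent = ev["agent"]

        if not ev["ticket"]:
            findings[agent].append(("no_ticket", ev["customer"]))

        q = recent[agent]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) <= max_per_window:
            bulk_flagged.discard(agent)  # burst has cooled off; allow a fresh alert later
        elif agent not in bulk_flagged:
            findings[agent].append(("bulk_access", len(q)))
            bulk_flagged.add(agent)

    return dict(findings)


if __name__ == "__main__":
    for agent, items in detect_anomalies(SAMPLE_LOGS).items():
        print(agent, items)
```

In production the thresholds would be derived from each agent's historical rate rather than hard-coded, and the same two signals (lookups with no case reference, and lookup rate far above a ticket-driven baseline) are what a support-tool owner would wire into an alert regardless of whether the agent is in-house or at a BPO.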
