A new report reveals that Coinbase was aware as early as January 2025 of the customer data leak carried out through insiders. Its outsourcing partner, TaskUs, had even fired two employees at the beginning of the year for illegally accessing a customer’s information.
Coinbase knew about the data leak four months before the breach
According to the report, it seems that Coinbase already knew about the leak of its customers’ data a full four months before the major breach.
In practice, the crypto exchange had declared to the SEC in May that it was aware that hackers had accessed employee data “without work necessity” in the “previous months.” Only when Coinbase received the extortion request on May 11 did the US platform understand that such access was part of a broader violation.
As is well known, the insider employees were located at its outsourcing partner, TaskUs. The key episode of this affair occurred in Indore, India, where a TaskUs employee was caught photographing her work computer screen with her personal cellphone.
According to five former employees of the company, the woman was involved in an illicit operation to transfer sensitive Coinbase customer data to hacker groups, possibly in exchange for bribes.
Three of these employees, along with another source familiar with the matter, confirmed that Coinbase had been immediately informed of the incident.
This episode then led to an internal investigation that resulted in TaskUs laying off over 200 employees.
Coinbase and the estimated 400 million dollar breach: new doubts
Coinbase blamed “overseas support agents” for the violation, but also stated that it already knew in January 2025 about the breach of its clients’ data.
Specifically, Coinbase did not reveal who the other foreign agents were. At the same time, however, TaskUs stated in a release that two employees were dismissed earlier this year after illegally accessing the information of a customer that it did not identify.
Here is what TaskUs stated:
“We immediately reported this activity to the client. We believe that these two individuals were recruited as part of a much broader and coordinated criminal campaign against this client, which also impacted a number of other service providers for this client.”
People familiar with the matter confirmed that the client was Coinbase and that the incident occurred in January.
In any case, it seems that last week Coinbase filed a lawsuit against TaskUs in federal court in Manhattan.
Now, however, the new details and Coinbase's statements may raise new doubts about the US platform and the fact that it had been aware of the leak of its customers’ data for as long as four months.
In any case, Coinbase has estimated that such a violation could cost up to 400 million dollars.
The class action for alleged violations of the biometric privacy law
In mid-May, Coinbase was accused in a class action of alleged violations of Illinois biometric privacy law.
The case raises profound questions about the management of sensitive data by crypto exchanges, and the suit accuses Coinbase of failing to comply with fundamental obligations under the Biometric Information Privacy Act (BIPA), the state law on the matter.
In practice, it seems that the group of users claims that Coinbase did not provide any formal notification to, or obtain informed consent from, the individuals involved during its mass collection of facial data.
If such an accusation were confirmed, it could redefine the way all fintech platforms handle one of the most sensitive types of personal data: biometrics.