Coinbase Faces Multiple Lawsuits Over Massive Customer Data Breach

Key Highlights

• Coinbase hit with at least six lawsuits following a major data breach involving bribed customer support agents.

• User data including names, SSNs, emails, and bank info was compromised, sparking widespread legal action.

• Plaintiffs claim Coinbase’s security safeguards were inadequate and that its response was delayed and ineffective.

• One lawsuit demands Coinbase purge all sensitive user data and hire third-party cybersecurity auditors.

• Coinbase declined to comment on the lawsuits, but acknowledged the breach and refusal to pay a $20M extortion demand.

Lawsuits Pour In After Insider-Driven Breach

Coinbase, one of the world’s largest cryptocurrency exchanges, is now the target of at least six lawsuits filed between May 15 and 16, following revelations that cybercriminals bribed several customer service agents to leak internal access credentials.

In a May 15 disclosure, Coinbase revealed that the attackers accessed sensitive customer data — including names, addresses, emails, phone numbers, last four digits of Social Security numbers, bank account details, driver’s licenses, passports, and even transaction histories.

Users are suing Coinbase, alleging the exchange failed to protect their sensitive data. Source: PACER

The breach, Coinbase said, led to a $20 million extortion attempt, which the company ultimately refused to pay.

Key Allegations: Lax Security and Mishandled Response

In one of the lawsuits filed in New York federal court on May 16, plaintiff Paul Bender accused Coinbase of failing to “implement and maintain reasonable security safeguards,” which he claims exposed users to severe and ongoing risks of identity theft and financial fraud.

“Users were not promptly or fully informed of the compromise,” the complaint reads. “Coinbase did not immediately take meaningful steps to mitigate further harm.”

The lawsuit also criticizes the exchange’s lack of identity protection services, guidance for affected individuals, and transparency in its handling of the breach.

Widespread Legal Action Across States

• Two other lawsuits in New York echoed the same accusations of negligence and poor incident response.

• A fourth suit added a charge of unjust enrichment, arguing that Coinbase cut corners on data security spending to boost profits.

• A fifth lawsuit in California asked the court to compel Coinbase to purge all sensitive data it holds on users and hire third-party security firms to audit its systems.

• All plaintiffs are seeking monetary damages and further protective measures for users.

Fallout and Coinbase’s Response

Coinbase did not issue a direct statement on the lawsuits, instead pointing to its official blog post addressing the breach. In it, the company reaffirmed its refusal to pay the ransom and announced plans to reimburse victims of phishing scams linked to the incident.

Coinbase has climbed even higher following the data breach. Source: Google Finance 

In a filing with the U.S. Securities and Exchange Commission, Coinbase estimated that reimbursement costs could range from $180 million to $400 million.

The exchange has reportedly terminated several India-based customer support agents suspected of involvement in the scheme.

Market Reaction and SEC Scrutiny

Following the breach announcement and related news of an ongoing SEC investigation into its 2021 user data disclosures, Coinbase (COIN) shares fell 7% to $244. However, the stock rebounded 9% to close at $266 on May 16, according to Google Finance.

Final Thoughts

The legal and regulatory pressures now facing Coinbase underscore growing scrutiny over how major crypto platforms manage user security and data privacy. As investigations continue and lawsuits unfold, the company’s risk management policies — and the consequences of insider threats — are likely to remain in the spotlight.