Coinbase breach: What happened, and what it means for Salesforce security 

Coinbase, one of the world’s largest cryptocurrency exchanges, disclosed a data breach that involved the theft of sensitive customer information and a $20 million extortion attempt by cybercriminals. Read on to find out what it means for your Salesforce security.

[Image: Coinbase breach: Salesforce security lessons]

In May 2025, Coinbase, one of the world’s largest cryptocurrency exchanges, disclosed a data breach that involved the theft of sensitive customer information and a $20 million extortion attempt by cybercriminals. While no funds or passwords were stolen, the breach highlights a growing and under-protected threat surface in cloud-based environments: customer support platforms and insider risk.

This attack wasn’t sophisticated in a technical sense. It wasn’t a zero-day exploit or a brute-force intrusion. It was a breach of trust—leveraging phishing, social engineering, and human compromise at the edges of Coinbase’s trusted support environment. 

A coordinated attack: From phishing to insider breach 

According to Coinbase’s official disclosure, the attack began when cybercriminals targeted third-party customer support contractors employed outside the United States. These individuals had legitimate access to Coinbase’s support tools. The attackers used phishing and social engineering tactics to steal credentials, or in some cases, allegedly bribed support agents directly. 

While Coinbase has not disclosed every technical detail, reports suggest that stolen credentials (whether phished or willingly handed over) allowed attackers to log in to the support system using legitimate sessions. In some cases, attackers may have bypassed or exploited weak multi-factor authentication (MFA) protections. Once inside, they used standard access privileges to search and extract customer data, without triggering traditional intrusion alerts.

Once access was gained, the threat actors exfiltrated customer data, including: 

  • Full names 
  • Email addresses 
  • Phone numbers 
  • Masked Social Security Numbers (SSNs) 
  • Partial bank account details 
  • Account activity logs 

Coinbase confirmed that no passwords, private keys, or actual cryptocurrency funds were accessed or stolen. However, the data collected was still extremely sensitive and could easily be used for downstream fraud or phishing. 

As reported by Cointelegraph, the attackers demanded a $20 million ransom to prevent the public release of the data. Coinbase refused to negotiate and instead offered a $20 million bounty for information that led to the perpetrators’ arrest. 

Customer support: The cybersecurity front line 

Customer support environments have become attractive and exposed entry points for attackers. 

In the Coinbase case, human vulnerability enabled the breach. Rogue support agents with valid credentials and system access were either deceived or willingly participated in data theft. This is a pattern of insider threats: trusted humans inside trusted systems acting maliciously or negligently. 

It is worth mentioning that Coinbase’s support environment did not show signs of excessive permissions or privilege sprawl. The data accessed during the breach, although sensitive, was aligned with what support agents would reasonably need to perform identity verification and basic troubleshooting. In many organizations, such an incident would have exposed far more due to poorly enforced least privilege models.

The rise of the rogue support agent 

Support agents often have broad visibility into customer data, including PII, account history, financial data, and documents, to do their jobs efficiently. 

Outsourcing adds complexity: many support functions are handled by external vendors in low-cost geographies, where direct governance, training, and behavioural monitoring are harder to enforce.

Insider collusion is hard to detect: an attacker using a real user account with approved access can fly under the radar of traditional security tools. 

This is part of a broader trend. We’ve seen similar tactics in previous high-profile breaches, including Uber’s 2022 compromise via a support contractor, and other incidents in the healthcare and fintech sectors. 

Support systems are increasingly hybrid spaces, where external users (customers, contractors, third parties) interact with internal systems through shared channels, file uploads, and messaging. Without proper controls, these trusted gateways become perfect attack paths. 

How does the Coinbase breach compare? 

Coinbase’s breach is part of a broader pattern of high-profile attacks targeting cryptocurrency and financial firms: 

  • Crypto.com (2022) – Hackers bypassed 2FA to steal over $34M from 483 users.  
  • Ledger (2020) – A phishing attack on a support agent led to the leak of 1M+ customer records.
  • FTX (2022) – Insider misuse of access contributed to catastrophic losses during the collapse investigations. 

The trend is clear: support platforms and privileged access remain critical attack surfaces, especially in fast-moving, cloud-dependent operational environments.

What Coinbase is doing now 

In response to the breach, Coinbase implemented a series of reforms and security upgrades: 

  • Launching a U.S.-based support hub to reduce reliance on third-party vendors 
  • Introducing scam-awareness prompts and extra ID verification for flagged accounts 
  • Implementing enhanced threat detection 
  • Partnering with law enforcement to investigate and recover exfiltrated data 

Coinbase’s response has been widely recognized as a standout example of transparent, decisive incident handling. Within days, the company filed an 8-K with the SEC, released a video message from the CEO, and published a detailed public blog post, all synchronized and consistent. This level of coordination reflects not only mature processes but a security-first culture, in which teams across the globe took the initiative and acted with clarity under pressure. Terminating the involved parties, engaging law enforcement, and flipping a $20 million extortion attempt into a public bounty campaign are the actions of an organization with a security-first mindset.

It is good to keep in mind that Coinbase did not suffer from outages in this breach. An organization with critical systems compromised might have made different choices with the ransom.

Still, Coinbase has estimated costs of the breach between $180 million and $400 million. This is a result of remediation costs and customer reimbursements.

In the bigger picture, the breach raises a broader concern for any organization that handles sensitive data in the cloud: Are your support workflows adequately protected? 

What does it mean for Salesforce security? 

Many organizations use Salesforce as the backbone of their customer support operations. Support agents, community users, and customers routinely upload documents, share links, and communicate sensitive details inside the platform. 

While Salesforce is secure by design, it doesn’t natively scan uploaded files for malware or links for phishing, nor does it detect unusual behavioural patterns from compromised or rogue user accounts.

This leaves a blind spot, a window of vulnerability that attackers increasingly know how to exploit. These attacks don’t just target large fintechs. You may already be exposed if you rely on Salesforce for support, especially with outsourced or partner-based teams. Do you have the controls to detect and stop a trusted identity from doing untrusted things?

Detecting & responding to support platform threats 

  • Monitor file activities in support cases 
  • Set user behavioural alerts
  • Enforce multi-factor authentication for all support users (including contractors) 
  • Regularly audit contractor access levels 
  • Use real-time scanning for uploaded files and shared links 
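The second and fourth controls above, behavioural alerts and contractor access review, can be approximated with simple detection logic over the platform's access logs. The following is an added example, not code from the original post or from WithSecure; it runs over a constructed, simplified access log (not Salesforce's real event log schema) and flags the pattern described in the breach: a legitimately authorised support account sweeping through many unrelated customer records and then exporting in bulk. The thresholds and role budgets are assumed values to be tuned per team.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed, simplified access log for a support platform (not Salesforce's
# real EventLogFile schema). Fields: timestamp, user, role, event, customer id.
def constructed_log():
    rows = [
        ("2025-05-01T09:00:05Z", "agent01", "contractor", "RecordView", "C-1001"),
        ("2025-05-01T09:03:41Z", "agent01", "contractor", "RecordView", "C-1002"),
        ("2025-05-01T09:10:12Z", "agent02", "employee", "RecordView", "C-1003"),
        ("2025-05-01T09:11:30Z", "agent01", "contractor", "RecordView", "C-1001"),
    ]
    # agent03 (a contractor) opens 40 unrelated customer records in ten
    # minutes, then exports a report: the pattern of a compromised or bribed
    # account harvesting data with its own legitimate permissions.
    start = datetime(2025, 5, 1, 9, 12, 0)
    for i in range(40):
        ts = (start + timedelta(seconds=15 * i)).strftime("%Y-%m-%dT%H:%M:%SZ")
        rows.append((ts, "agent03", "contractor", "RecordView", f"C-{2000 + i}"))
    rows.append(("2025-05-01T09:25:00Z", "agent03", "contractor", "ReportExport", ""))
    return rows

WINDOW = timedelta(minutes=10)
# Distinct customers one agent may open per window before an alert fires;
# contractors get a tighter budget than employees (assumed values, tune per team).
RECORD_BUDGET = {"contractor": 25, "employee": 40}
BULK_EVENTS = {"ReportExport"}  # events that move many records at once

def detect_anomalies(rows):
    """Return {user: set(alert kinds)} for users whose behaviour looks like
    bulk harvesting rather than ticket-by-ticket support work."""
    alerts = defaultdict(set)
    recent = defaultdict(deque)  # user -> (timestamp, customer id) within WINDOW
    for ts_str, user, role, event, record in rows:
        ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
        if event in BULK_EVENTS:
            alerts[user].add("bulk_export")
            continue
        if event != "RecordView":
            continue
        window = recent[user]
        window.append((ts, record))
        while ts - window[0][0] > WINDOW:  # evict views older than the window
            window.popleft()
        distinct = {rec for _, rec in window}
        if len(distinct) > RECORD_BUDGET.get(role, 25):
            alerts[user].add("record_sweep")
    return dict(alerts)

if __name__ == "__main__":
    for user, kinds in detect_anomalies(constructed_log()).items():
        print(f"ALERT {user}: {', '.join(sorted(kinds))}")
```

Ordinary ticket work (agent01 revisiting the same customer) stays silent; only the sweep-then-export sequence raises alerts, which is the kind of signal traditional intrusion tooling misses when the session is legitimate.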

How WithSecure Cloud Protection for Salesforce can help 

WithSecure Cloud Protection for Salesforce is built to secure the exact kind of environment compromised in the Coinbase breach, where files, links, and sensitive data move between internal teams and external users.  

  • Real-time file and URL scanning: This feature automatically analyzes all file uploads and shared links within Salesforce for malware and phishing threats. 
  • Sandboxing and AI detection: Suspicious files are detonated in a secure sandbox to detect zero-day or evasive threats that bypass reputational checks. 
  • Compliance and visibility: You get full audit trails and data residency options, which are essential for regulated industries and outsourced operations. 

The solution runs natively inside Salesforce, ensuring low latency, high compliance, and seamless protection without moving data outside the platform. 

Why it matters 

The Coinbase breach is a wake-up call for organizations relying on cloud-based customer support and CRM systems. It was not caused by a zero-day exploit, but by trusted humans doing untrustworthy things. It was enabled by weak security visibility and inadequate defences. 

Coinbase’s breach was enabled by precisely the kind of blind spot Salesforce users often face: a trusted interface (support), a trusted identity (contractor), and a lack of real-time threat defence. WithSecure CPSF closes this gap. 

Prevention is the cheapest treatment. If you’re using Salesforce to support customers, primarily through partners or contractors, don’t wait for a breach to expose your security gaps.
