Coinbase has confirmed an insider data breach after a contractor improperly accessed customer information affecting approximately 30 users, BleepingComputer reported. The incident occurred in December and was detected by Coinbase’s security team last year.
The company said the contractor no longer performs services for Coinbase, affected users were notified, and identity theft protection and additional guidance were provided. Coinbase also disclosed the incident to relevant authorities.
BleepingComputer reports that this is a new, separate insider breach, not to the previously disclosed TaskUs insider breach from January 2025. The disclosure follows brief Telegram posts by a threat actor group known as “Scattered Lapsus Hunters” (SLH), which shared and then deleted screenshots of an internal Coinbase support interface. The screenshots appeared to show access to sensitive customer data, including names, email addresses, phone numbers, dates of birth, KYC information, and cryptocurrency wallet details.
It remains unclear whether SLH was responsible for this breach or if other threat actors were involved, as stolen data and screenshots are often circulated among multiple groups before becoming public. The same threat actors have previously claimed to bribe insiders at other companies to obtain internal screenshots.
In unrelated news, Solana-based DeFi platform Step Finance has confirmed it was hacked after multiple treasury wallets were compromised, resulting in the loss of roughly $30–40 million in SOL. The breach occurred on 31 January (APAC) due to executive team devices being compromised. Following the breach, the company to temporarily halted some operations. Step Finance said Remora Markets is unaffected, all rTokens remain fully backed 1:1, and about $4.7 million in assets have been recovered so far through security protections and partner coordination.