Coinbase says that crooks bribed employees and contractors to steal customer data for use in social engineering attacks in an incident that may cost the crypto exchange up to $400 million to address.
In an SEC filing, Coinbase says customer names, addresses, emails, masked (partial) social security numbers, masked bank account numbers, government ID images, account data and some corporate data were stolen. Passwords and private keys were not compromised.
The crooks paid several employees and contractors based outside of the US to abuse their access to customer support systems to steal the account data for a "small subset" of customers, says Coinbase in a blog.
Coinbase says the criminals demanded a $20 million ransom for the data but "we said no".
Instead, it is establishing a $20 million reward fund for information leading to the arrest and conviction of those responsible for the attack.
Any customers who were tricked into sending funds to the attackers will be reimbursed, which, along with remediation costs, will come with a price tag of between $180 million and $400 million.
Meanwhile, Coinbase is working to trace the stolen funds, cooperating with law enforcement, adding extra ID checks for flagged accounts, and opening a new support hub in the US.