What happened
Coinbase has confirmed that an insider breach occurred due to leaked support tool screenshots that contained sensitive account details. According to the report, the screenshots, which originated from an internal support tool used by Coinbase agents, were published online by an unauthorized individual. These images included partial account identifiers and internal metadata associated with user accounts, though Coinbase stated that no wallet keys or passwords were included in the leaked screenshots. The company initiated an investigation after the screenshots surfaced on public forums, confirming that they had been accessed by someone with legitimate internal privileges. Coinbase said it terminated the employee believed to be responsible for the unauthorized disclosure and notified affected users. The incident underscores the risk of privileged insider access being abused to exfiltrate internal materials designed for customer support.
Who is affected
Users whose account details appeared in the leaked support screenshots are affected by the unauthorized exposure of those sensitive identifiers, though Coinbase reported no evidence that funds or passwords were accessed during the incident.
Why CISOs should care
Insider breaches that expose internal support tools and account metadata highlight the importance of governance around privileged access, monitoring of support workflows, and controls on how internal tools are used and audited.
3 practical actions
- Review privileged tool access controls. Identify which internal tools contain sensitive user data and who has access rights.
- Monitor insider activity for misuse. Implement auditing and alerting on internal screenshots and data exports.
- Revalidate support tooling safeguards. Ensure internal support interfaces restrict display of sensitive identifiers.