Coinbase Privacy Breach: What Was Exposed and How to Protect Yourself
A practical guide for Coinbase users, and anyone concerned about their crypto privacy or personal data exposure
You did all the right things (unique password, 2FA, maybe even a passkey), and yet your data still got stolen. How could that be?
Earlier this year, a small group of criminals stole a treasure trove of user information from Coinbase, the largest centralized cryptocurrency exchange in the United States.
The crazy part? They didn’t hack anything.
According to a Form 8-K filed last week, Coinbase disclosed that attackers bribed overseas customer support contractors and gained access to internal tools. As a result, personal data from “less than 1%” of monthly transacting users was compromised.
We could write a whole post (or series?) on the privacy and security risks of outsourcing support to workers overseas. We’ll save that for another day.
Until then, here’s what was exposed in the Coinbase privacy breach:
Names, addresses, phone numbers, and emails
Masked Social Security numbers (last four digits)
Masked bank account details and identifiers
Government-issued ID images
Account data, including balance snapshots and transaction history
Limited internal corporate documentation
The good news? If you’re a low-volume user, it’s unlikely your data was compromised.
The bad news? If you’re a high-value target, this is serious.
The attackers likely focused on whales, users with large transaction volumes. Coinbase Prime users were reportedly unaffected, but everyday high-net-worth accounts were probably the primary target.
And yes, whales are in trouble.
There are real-world physical risks involved here. Just a few weeks ago in Paris, there was an attempted kidnapping involving the family of a well-known figure in crypto.
While getting your identity stolen or your wallet drained is never good, the stakes are even higher with a data theft like this one. The risk morphs from inconvenience or financial loss into a threat to physical safety.
Why you should care (even if you don’t use Coinbase or crypto)
You may not hold millions in crypto. You may not even own crypto at all.
But breaches like this affect everyone:
The same phishing tactics will be recycled and reused across platforms
Identity theft tools work in every industry, not just finance
Once data is stolen, it often spreads to third-party data brokers and underground markets
And if you ever open a crypto account in the future, your attack surface is already wide open
Maybe a relative is a heavy Coinbase user
Your personal information (when compromised) can be used to:
Hijack your phone number via SIM swapping
Target you with phishing and social engineering
Steal your identity for fraudulent loans or government benefits
Build a profile using past and future leaks
Expose you or your loved ones to physical danger
No stolen passwords. No stolen crypto. Still not safe.
Based on what Coinbase is telling the public:
Your password wasn’t stolen
Your crypto wallet wasn’t hacked
Your funds weren’t drained
But that doesn’t mean you’re safe, because identity data theft is permanent. You can’t change your date of birth, your old mailing address, or the photo on your ID.
With the type of information stolen, attackers can:
Perform SIM swaps to hijack your phone
Guess or reset passwords using credential stuffing
Launch highly targeted phishing scams
Combine this leak with others to deepen your digital fingerprint
Track you using blockchain data and social profiles
What to do if your Coinbase data was exposed
These are practical, high-privacy ROI steps to take today:
1. Watch for targeted phishing
Expect emails or texts pretending to be from Coinbase, Google, Apple, or your bank. Don’t click links. Visit sites directly. Even if your data wasn’t exposed, phishing activity is about to increase. Stay vigilant.
2. Rotate any reused emails
If you used the same email address for Coinbase and other services, it’s time to switch. You have a couple of options. One is to create a couple more “permanent” email addresses. We like using ProtonMail because you can create and manage multiple email addresses from a single login. You can also use a disposable email service like SimpleLogin, AnonAddy, or Apple’s Hide My Email.
In a stroke of good timing, we recently published a comprehensive, first-of-its-kind guide on disposable and secondary email, called The Inbox Firewall. In this guide, we lay out exactly how to efficiently implement a bulletproof email strategy to minimize your risk from incidents like this one at Coinbase.

3. Swap out your phone number
Phone numbers are easy to weaponize. Consider adding a VoIP number for crypto platforms. Avoid SMS-based 2FA; use an app like Ente Auth instead.
4. Review your ID exposure
If you submitted a passport or driver’s license, assume it’s compromised. You may want to request replacements or monitor for identity fraud.
5. Freeze your credit
Even though this breach is crypto-focused, freezing your credit is a smart no-cost way to prevent financial identity theft. It’s fast and free at all three bureaus.
How to protect your privacy on Coinbase and other crypto platforms
These strategies will reduce your risk, regardless of which exchange you use.
1. Always use a VPN
A VPN hides your physical location from crypto exchanges, ad trackers, and your ISP.
2. Minimize how much data you share
If Know Your Customer (KYC) verification is required, weigh the benefit. If it’s not essential, consider a platform that doesn’t collect sensitive documents. This is becoming more difficult as KYC requirements expand beyond even the financial world. Some compromises will be required here.
3. Use aliases for email and phone
Services like SimpleLogin and AnonAddy generate unique email addresses for each login. Combine them with a VoIP number and your accounts become much harder to trace.

4. Use a hardware wallet for self-custody
Long-term holdings belong in cold storage, not on exchanges. Use a wallet like Trezor or Ledger where you control your private keys.
5. Compartmentalize your digital identity
Keep your crypto activity separate. Use a different browser profile, device, or even a dedicated laptop. You can repurpose an old laptop, which can run like new with a fresh install of a privacy-friendly OS like Linux Mint.
6. Keep a low profile
Never brag online about how much crypto you hold. Don’t share wallet screenshots. Don’t post wallet addresses. This advice applies more broadly than just the crypto space. Privacy starts with staying quiet.
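To audit the alias advice in step 3 above (and the earlier step on rotating reused emails), the following added example, which is not from the original post, lists which accounts in a password-manager export resolve to the same mailbox as a breached service. The CSV column names, the sample rows and the function names are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: a password-manager CSV export (column names are assumptions).
SAMPLE_EXPORT = """name,url,username
Coinbase,https://www.coinbase.com,jane.doe@gmail.com
Bank,https://bank.example,janedoe+bank@gmail.com
Forum,https://forum.example,JaneDoe@googlemail.com
Shop,https://shop.example,jane@proton.example
Exchange2,https://exchange.example,cb-7f3a@alias.example
"""

def canonical_mailbox(address):
    """Reduce an address to the base mailbox anyone can derive from it."""
    local, _, domain = address.strip().lower().rpartition("@")
    # "+tag" sub-addressing is trivially stripped, so treat it as the same mailbox
    # (conservative: applied to every domain, even ones that may not support it).
    local = local.split("+", 1)[0]
    if domain in ("gmail.com", "googlemail.com"):
        local = local.replace(".", "")  # Gmail ignores dots in the local part
        domain = "gmail.com"
    return f"{local}@{domain}"

def linked_accounts(export_text, exposed_service):
    """Map each mailbox used by exposed_service to the other services sharing it."""
    by_mailbox = defaultdict(list)
    exposed = set()
    for row in csv.DictReader(io.StringIO(export_text)):
        if "@" not in row["username"]:
            continue  # skip logins that are not email addresses
        box = canonical_mailbox(row["username"])
        by_mailbox[box].append(row["name"])
        if row["name"].lower() == exposed_service.lower():
            exposed.add(box)
    return {
        box: sorted(n for n in by_mailbox[box] if n.lower() != exposed_service.lower())
        for box in exposed
    }

if __name__ == "__main__":
    for box, services in linked_accounts(SAMPLE_EXPORT, "Coinbase").items():
        print(f"{box} is also the login for: {', '.join(services) or 'nothing else'}")
```

Plus-tagged and dotted Gmail variants count as reuse here because the base mailbox can be derived from the leaked address; only a separate alias, like the last sample row, breaks the link.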
Final thoughts on the Coinbase breach and protecting your privacy
Most people won’t make a privacy move until something bad happens. The Coinbase data theft is your chance to act before that moment comes.
Even if your data wasn’t exposed, even if you don’t own any crypto, this is a rare opportunity to step back and ask:
Am I overexposed on the platforms I use?
Am I relying on convenience instead of control?
Would I be vulnerable if something like this hit my go-to exchange?
The best time to start improving your privacy was before this breach. The second-best time is now. Take this moment to:
Rotate old emails and phone numbers
Lock down your recovery options
Start using aliases today
Get your crypto off exchanges and into your control
You don’t need to fix everything overnight. But if you pick one weak spot and harden it this week, you’re already ahead of most.
Disclaimer: None of the above is to be deemed legal advice of any kind. These are *opinions* written by a privacy attorney with 15+ years of working for, with and against Big Tech and Big Data. And this post is for informational purposes only and is not intended for use in furtherance of any unlawful activity.
The Coinbase must be deemed as a serious breach from the simple stance of bribing employees.
That translates to 2 massive issues from our field, and those are called insider threats and social engineering. I always advocate using self-custody wallets and DEXs.