https://www.sec.gov/ix?doc=/Archives/edgar/data/0001679788/0...

I guess they didn't have as much luck as they wanted scamming Coinbase's customers, and once they had their fun they decided to try extorting Coinbase themselves.

[1] https://www.youtube.com/watch?v=HNziOoXDBeg

Coinbase not only leaked your full name and address, they also gave up your balances, your transaction history, and images of your government identification.

People with "significant" crypto balances are being assaulted on the street and in their own homes, and family members are being kidnapped for ransom.

"Significant" in this case can be $10k or less.

Until now, your best defense secrecy. Never talk about crypto in public in any way that could be traced to your real-world identity.

Thanks to Coinbase that defense is now gone.

The bad guys can see who has ever had a significant balance on Coinbase (even if they don't right now), whether that balance was sold for cash and how much, or if you've ever transferred tokens off the exchange to a self-custody wallet.

Now the bad guys know who's worth kidnapping for ransom and where you live. For most people, a Google search of your name and home address turns up the names of family members who would would also be lucrative targets for kidnapping and threats of violence.

Coinbase will never be forced to reimburse all the damage they've done because the true cost would bankrupt the company.

https://www.yahoo.com/news/florida-teens-kidnap-las-vegas-20...

Wealth status is often very well known for public figures and entrepreneurs. People are driving around in $200k cars.

Is it due to the liquidity of cryptocurrencies that $5 wrench attacks work better?

Also, a decent proportion of crypto-millionaires came by their riches in... not entirely above-board ways (in particular, securities fraud; all those pump and dump scamcoins are paying off for _someone_), and may be reluctant to involve the authorities. And the crypto industry as a whole is unusually comfortable with extortion; hacked crypto companies paying a kind of bounty to hackers to get the rest of the funds back is a common thing.

This is actually more difficult than it sounds. Most banks and crypto exchanges won't allow a person to make meaningfully large crypto transactions without some account history.

That is simply not going to happen.

This story keeps repeating. Maybe we should try it and see if it works as a deterrent.

Essentially you cannot trust Coinbase IMO, might move the few hundred dollars of BTC out of there :-)

This is the crypto industry, who make the discrepancy between Theranos' claims and practice look conservative.

... and save the data in US cloud where everybody can access it.

It is really funny how FAANG can get away with data colkection in spite of GDPR.

Sounds like an appendix.

This is due to US Government KYC laws that forced Coinbase to associate government identification with all accounts. No crypto company required ID until they were forced to.

Coinbase is the entity that set up this dangerous system.

Coinbase did it because it was cheap for them, not because they were being trustworthy custodians of information that put their customers at risk.

Sure, yes, obviously every company's employees and contractors are vulnerable to bribes and blackmail. That's why a trustworthy, competent custodian would establish systems and controls to prevent bribed and blackmailed insiders from mass-exfiltrating information that could get their customers killed.

The fact that other companies manage to be trustworthy, competent custodians while Coinbase doesn't is not the fault of KYC.

I wonder why, select a person completely at random and by median you'll get just as much from what they have sitting in their checking account. Select a nicer area for an order of magnitude more. That's not encouragement to go assault people in their homes or kidnap families... just confusion.

Crypto? It's wild, and people think it's wild.

The distinguishing parts are things you don't want: easily corrupted, grifted, cheated and otherwise duped.

That's true, finding someone with 10k is not as easy as picking a person at random, but it is as easy as driving to the right parking lot and picking a person at random.

With crypto, no bank or other middleman involved, it's like stealing physical cash/gold/diamonds from someone, if you know they have it in their possession, so violence can be a lot more successful at coercing a change of possession.

Also, people do point guns in people’s faces and force them to pay them via Venmo or Cashapp. Google ‘Venmo robbery’ or ‘cashapp robbery’ for plenty of examples. Pointing a gun in someone’s face for $4M in crypto is a lot more lucrative.

https://support.apple.com/guide/iphone/block-or-avoid-unwant...

Therefore, an unknown number that can be blocked/ignored by your phone or the app is one that doesn't support Caller ID's name or number functions. It doesn't have anything to do with who's in your Contacts app, because of course those consist of known names and known numbers.

If call is spam and ignore spam option enabled, send call to voicemail.

That’s it, a simple line of code. Just make the option selectable and it’s done.

It’s sad because this seems like such a low hanging fruit for a big improvement. At some point in the relatively recent past, they added the indicator of the caller being a spammer or telemarketer. Seems like that would have been a good time to also enhance this filter but it seems nobody ever connected the dots on that one. Or if I’m being even more cynical, some engineer actually decided he’d rather everyone see his work on every incoming spam call instead of his work quietly improving everyone’s experience

The calls are coming from new numbers, across multiple area codes. A few months ago I would have advised using Begone (https://apps.apple.com/us/app/begone-spam-call-blocker/id159...) to block but that only worked since these calls were isolated to blocks of area codes that were pretty safe to block like 888-XXX-XXXX, but now ZERO of these calls are using a fixed area code that would be relative safe to block.

The calls they flag as potential spam and telemarketers has been 100% accurate in my experience so i wish I could just silence those

It’s much better to just silence every spam call manually instead of having to go into voicemail, listen , decide if I need to respond, hope that I’m acting quickly enough that the other person answers when I ring them back, etc. i imagine this works for a lot of people. But if you get enough calls, or get urgent calls for any reason, it’s not ideal.

For those that can’t imagine the use cases. Consider you are primary contact for your elderly parent. If they fall in the middle of the night you might be getting a call from any random number. Do not disturb isn’t an option and sometimes the EMS guys will call you from their personal cell phone. Even some services like home security will call from random numbers. If ask a plumber to come over, some random technician will call from their device to talk. If a potential client gets my number somehow, I’d prefer to answer versus them get my voicemail.

You have to also factor in that a lot of people don’t even like leaving voicemail so they don’t leave one and I’m left guessing if it mattered that

Google's call screening feature picks up the phone before it rings and asks the caller why they're calling. If they actually give a good reason, then it shows you the reason as text and you can decide whether to hang up on them or answer. https://support.google.com/phoneapp/answer/9118387

Same with my Microsoft account actually

I usually just ignore it but I assume someone is testing if my email can be used to login.

And how long has this been at an increased level? Because i'm not buying the coinbase narrative that they thought this was a systemic issue until they were contacted by the 'cybercriminals'.

I was looking through some phishing e-mails the other day out of curiosity and found a weird unicode character mistranslated. Immediately knew it was an artifact of bad translation. So they're not perfect, but they're damn good.

Because people who read the message and think it's professionally written despite the spelling errors have a large overlap with people who will fall for the scam, at least far enough that money is transferred.

.. and are former employees of Coinbase .. oh! just imagining!!

And what that means is that

1) If you lose access to your account (through either your own fault, or coinbases fault) that the process of recovering it may not be so straightforward anymore.

2) Hackers can try to “recover” accounts now using this leaked info.

This is a huge problem. What coinbase needs are IRL offices where you can go and do things like account recovery, and where people trying to steal money can be caught and prosecuted (and makes a huge barrier for the overseas thieves who are usually doing this)

The only solution here is: hardware 2 factor like yubikeys.

What you've described is the same thing that many Crypto enthusiasts call a "Bank"

One that I'm using does, but I find it extremely annoying when they have me go to a branch to unblock my account that they locked due to a poorly calibrated risk system (that they need due to not supporting actually secure 2FA methods).

It's been ages since I was in college and had an overdraft or some other bs bank related fee, but the bank manages to 'scam' you legally too. I'm just playing devils advocate and sharing an anecdote, I'm minimally involved in crypto anymore.

I guess I can walk downtown to CB HQ, but something tells me I won't get past the front desk.

https://www.nytimes.com/2022/03/06/business/payments-fraud-z...

https://en.wikipedia.org/wiki/Legal_tender

> Except for, you know, being able to spend it where you buy things? [...]

The extent to which you can use it to buy things is a good metric, but I think that comes in varying degrees rather than being a sharp line or binary true/false. There are at least some things you can buy with cryptocurrency, and arguably there are some forms of "regular" (fiat, national, government-issued) money that aren't very widely accepted.

Coinbase would have to make you sign a challenge ahead of time that would mark the wallet as the authorized public key for your account.

People getting locked out of their account (which can happen due to no fault of the user, e.g. by an overly nervous risk system) will be really happy to have to potentially travel to a different city to regain account access...

Fine, make it optional. I actually would love a version of cold storage that is: never release this money unless I personally travel to an office if NYC and authorize it.

And when that’s lost, what do you do? Aren’t you back to account recovery step?

That's just a bank.

I don't think commodity, forex or stock trading is built into any bank interface but I don't have enough money to know for sure.

So it's different in that way I guess.

I don't think anyone claimed that crypto was un-losable or un-stealable. It's not magic.

https://cryptosteel.com

It may not be a crypto-as-a-theoretically/ideologically-pure-construct problem, but it absolutely is a crypto-as-a-real-world-asset problem.

More KYC creates more problems while solving some others. Why didn't the same society despite KYC/AML tackle the problem pointed at in a previous comment? "Florida teens kidnap Las Vegas man, drive him to Arizona desert, steal $4M in cryptocurrency"[1] Why is there this crime?

Without mandatory KYC laws, this particular attack would be near pointless. No name tied to account, bookkeeping doesn't archive wire transaction details for the past 10 years.

Let businesses easily accept cryptocurrency (like... regular cash?), without a blade to their throat held by the government, and the need for such centralization points will greatly diminish. People get in trouble by p2p-exchanging money with unknown peers; in some instances this "trouble" has the unit of "years".

It's in nobodies' interest to protect cryptocurrency payments as the alternative, other than the activists, and the big groups jumping in on it for the speculation purposes - something they had refined decades ago. There's CBDC is on the horizon.

[1]: https://news.ycombinator.com/item?id=43999011

But this attack is already fully pointless with traditional finance. You can't steal someone's bank account at gun point.

Conversely, even without KYC, blockchain based currencies paint a huge target on anyone who uses a small number of wallets to store a large amount of money. Dedicated criminals and even state actors can figure out who owns the wallets by tracking transaction patterns, getting information from vendors, etc. As long as you're actually using your crypto wallets (unlike, say, Satoshi), you can quite easily be tracked. Anyone who you order a pizza from in BTC knows the address of whoever has that wallet. Sure, you can take a lot of steps to protect yourself from it, but it's hard, and one slip-up is all it takes. Opsec is not for the careless.

Also, crypto's reliance on secrets instead of legal personhood to ascertain ownership fundamentally makes it prone to stealing money in this way. Since the money doesn't belong to a legal person, but to whoever knows some secret key, that key can be stolen from whoever has it through simple violence. Even if you're extremely careful not to leak details of your accounts, use XMR for untraceable payments, etc - someone who is physically close to you could see that you're rich and decide to attack just on the chance that you may have crypto, without knowing anything specific.

Every single crypto property I’ve talked to has ended up at a point where they believes that someone cheated them outside the bounds of the system and then look to authority figures to rectify the situation, like the government.

If you are someone who actually believes that crypto transactions should be unmodifiable by any third party then what you said makes sense. I just don’t think that anyone telling me they believe that isn’t lying to themselves at best, and lying to everyone else at worst

So if we want to constrain impact of such attacks, we must make companies keep less data and delete them faster. For example, instead of storing a photo of ID, store just a checkbox that the person showed their ID and it was valid.

This applies not only to cryptocurrency, but to any company like Google, Uber, Amazon etc - if they didn't keep extra data, there would be little value in the leaks.

So the blame is not at cryptocurrency, but on companies not wishing to delete the data and governments demanding them to collect the data not necessary for operation. It's the government and capitalists who create problems out of nowhere.

Doesn't work at scale. You get bribes, rogue employees, socially engineered employees. In the US, look up the articles about phone/SIM unlocks and SIM card copies. Russia has a problem with e-signatures, that most people have no idea about. It's possible to sell somebody's real estate with one of these. Loans granted just based on passport data. Neither politics nor media highlight these issues. Overall in this case your suggestion tries to handle the symptoms of the KYC requirement.

Here's a more extreme treatment: let people change their full legal name at will. Gender's already kinda possible.

Cryptocurrencies are classified, for now, as securities.

Currency is currency and cryptocurrency is not. So please do not attempt to compare apples to oranges here.

https://en.wikipedia.org/wiki/Security_(finance)

If you wish to compare cryptosecurities to other securities, then do that, but don't try to act like it is some sort of future utopian currency.

Is this satire?

Based on the information present in the breach, I think it's likely that the source was their customer support in the Philippines. Monthly salary is usually < 1000$/month (entry-level probably even less than 500$) and a 5000$ bribe could be more than a year worth of money, tax-free. Considering the money you can make with that dataset now, this is just a small investment.

> •Name, address, phone, and email; •Masked Social Security (last 4 digits only); •Masked bank-account numbers and some bank account identifiers; •Government‑ID images (e.g., driver’s license, passport); •Account data (balance snapshots and transaction history); and •Limited corporate data (including documents, training material, and communications available to support agents).

This is every threat actor's dream. Even if you only had email addresses and account balances, this is a nightmare. Instead of blackmailing the company, you can now blackmail each individual user. "Send me 50% of your BTC and I won't publish all of your information on the internet". My guess is that we will have a similar situation like we had with the Vastaamo data breach...

https://en.wikipedia.org/wiki/Vastaamo_data_breach

> blackmail each individual user

Blackmail would be the least of my worries, in France we had at least five kidnappings/attempted kidnappings related to crypto investors since the beginning of the year.

And I guess that includes protection from criminals by the oppressive forces of the State (aka the police). In which case being kidnapped and having your fingers sent to your family is an integral part of your 'freedom'.

All of the victims are likely tax payers. Law and order is a fundamental service that a legitimate state must provide to all in its jurisdiction, even those who are only resident non-citizens and those that pay little to no taxes in a progressive tax system.

Saying crypto isn’t synonymous with anarchy, like the internet isn’t with pornography, sidesteps the point. Pornography is just one use of the internet — not its central purpose.

But crypto wasn’t just built to host financial activity — it was designed to restructure it, removing reliance on central authorities. That core intent isn’t a cliché; it’s a defining feature.

Comparing it to incidental internet content is a rhetorical deflection, not a real counterpoint.

It was designed to solve the double-spending problem with digital currencies, replacing the need for "a authoritative ledger" with a one difficult to forge.

The political project around this was to provide people with a deflationary currency akin to gold, whose inflation could not be controlled by government.

The lack of government control over the inflation of this particular currency, and the lack of an authoritative ledger, are an extremely minimal sense of currency protections (, freedoms). They have as much to do with anarchy as the internet had with porn.

> A purely peer-to-peer version of electronic cash would allow online payments to be sent directly from one party to another without going through a financial institution.

Failed countries (ie: Turkey) rely on the financial system for taxation. Functioning countries shouldn’t care or be bothered by it.

You’re not supporting your central thesis that disintermediating finance is in any way related to removing government — and people using Coinbase, a service that is centralized and does collaborate with government regulation seems to directly counter your stereotype of the customers.

Their point is correct: people who match your fantasy wouldn’t be Coinbase customers — you’re relying on old tropes.

Thanks for the tone-policing. But instead of implicitly suggesting that my mindset or tone is inappropriate, it would be great if we discussed the substance of the points.

Sure, just read the sentence from my response that you skipped over.

To be clear: I didn't implicitly suggest that your mindset of people who use crypto somehow ceding their right to protection from the state was inappropriate, I stated outright that it was a disturbing and callous mindset.

It's like suggesting that people who protest against police brutality shouldn't get protection from the police in emergency situations, or believe people who are racist to healthcare workers should lose all right to healthcare. The type of mindset held by those who care more about retribution against those who hold different views than a just society.

That's what people say, but it's probably not true given everyone leaves their coins on exchanges.

It is possible to make your transactions extremely difficult to trace, but you really, really, REALLY have to know what you're doing.

Law enforcement loves that people think it's easy and cheap to launder money with crypto, though. It's made it vastly easier for them to catch those people!

I see "We wanted to let you know that we detected activity suggesting that information related to your account may have been accessed in a way that did not align with our internal policies." in the email i got this morning

Hopefully companies take this as a lesson about bottom dollar outsourcing your CS.

For those amounts, they could afford to have hired regionally local support agents, and paid them well over industry standard...

Onshoring CS and paying some more for that role may result in a net change of 0 risk (eg. The same possibility of a breach over the same time interval).

Would a lower class (for that region) Alabama man have less the susceptibility to insider risk as a middle class (for that region) Philippino man?

Most likely, the company will focus on better segmentation and better adherence to least permissions for all roles.

Also, your logic is clouded by the fact that you know it happened. In all aspects of security/cybersecurity, risk is incredibly difficult to calculate because you have to accurately know how much a counterfactual would cost in order to accurately choose one option over the other.

I'm sure scammer's got get your phone number from many other sources and data breaches.

If they were Coinbase employees or contractors, that means the company basically sold its own data to hackers, who then turned around and demanded a ransom.

Reimbursing duped customers makes sense, as it seems like they would have a pretty straightforward case to make in court that Coinbase's actions led to their loss.

I'm more curious if someone who feels the need to move, change banks, change their email, hire a security detail etc. could successfully sue the company to recover some or all of those costs.

This seems like a strange interpretation. If an employee at your company, against policy and likely illegally extracts proprietary data and gives it to hackers in exchange for money you can hardly say that "My company sold it's data".

They in turn could go after the perpetrator. If they're using contractors who are cheap, unvetted, untrustworthy or don't carry liability insurance that's their problem and shouldn't excuse them of accountability.

I once applied for a bank position, and they wanted to run a credit check. If you're in a position of handling money, the company has a responsibility to vet its employees. Do I agree with credit checks? Absolutely not, but the point is, Coinbase is partially responsible and that's why they're refunding duped customers.

How far that responsibility goes is up for debate.

When an employee ships a new feature, do you say "My company shipped a new feature?"

They could have designed KYC to minimize long-term storage requirements etc at some cost to what they could enforce, but a government like the US is inherently sloppy with the rights that are reserved for parties besides itself.

At the end of the day it'd be hard for me to continue holding that because, on the balance, we expect companies to keep data private and to not enable illegal activity, not gov't to avoid asking companies to do things, lest they screw up.

For a site such as this the odds aren't in their favor anymore.

Real cop out here, be honest. Why should every single agent have access to your identity documentation (which is only required for KYC) in perpetuity?

https://www.coinbase.com/blog/protecting-our-customers-stand...

> We will reimburse customers who were tricked into sending funds to the attacker due to social engineering attacks. If your data was accessed, you have already received an email from no-reply@info.coinbase.com; all notifications went out at 7:20 a.m. ET on 5/15 to affected customers.

It's fine to send a notification instructing them to visit the secure portal for more info, though. Hence, no-reply.

To contact the company you should go to company website at the address you know (which shouldn't be given in email as well), log in and send a message through internal message system, possibly referring to the email that you recieved through a random code (those can be auto-suggested if they recently tried to contact you by email).

If you do anything else your communication knwowingly mimics communication of a scammer.

Unrequested email should always only be one way communication. Email is too untrustworthy for it to be anything more.

It’s fascinating that we keep creating new technology and then find out that in practice most of it cannot be trusted. Which means it cannot be used for anything serious.

IT revolution is a bit of a failure

Some of these technologies that have been mass adopted because they're easily accessible also have glaring security holes and ways to be exploited built into them. It's a tale as old as time, and I can hardly blame businesses in this specific case (using no-reply addresses.)

I'm curious why no Coinbase Prime accounts were part of the leak (assuming that's what they mean). Is there some sort of additional layer of data protection behind the Coinbase Prime paywall? Or perhaps those accounts were intentionally avoided as they would presumably belong to more savvy users.

[1] https://www.board-cybersecurity.com/alerts/

[2] https://www.board-cybersecurity.com/incidents/tracker/

> and will not pay the $20 million ransom demand we received. Instead we are establishing a $20 million reward fund for information leading to the arrest and conviction of the criminals responsible

Additionally the email they sent me had the subject “important notice” and that my personal account was affected as the third sentence in a rather wordy paragraph. None of this is ok and this is not a company taking this seriously.

That, and they're reimbursing customers who were tricked.

I’m not usually a huge fan of crypto folks, but I applaud this.

I hope they are serious about paying the reward, and aren’t planning to rug-pull it.

They could always pay it in crypto.

It would also make many Ponzi schemes easier to spot, as they wouldn’t want to contribute.

Yet he's a bit urban edgy here, and the staging is like it's an impromptu social media reaction to some online slight. (though reading a script)

You don't want to go full South Park "We're sorry", but I'd feel better about a response in a business dress shirt, out of respect for wronged customers.

With a bit more humbled posture.

IMHO, you're answering to customers you've wronged, and you don't wear a hoodie to church nor court (nor do you play video games during a live TV interview), nor do you assert superiority over the people you let down.

You can convey respect and humility, while also conveying being capable of responsibly resolving the problem.

(Just one person's reaction. I see some things the video did right, IMHO, but some other things jump out as wondering why they did that.)

https://www.coinbase.com/blog/protecting-our-customers-stand...

It would be so simple to have access tracking and flag or lock out rogue employees... I look forward to seeing what the golden parachutes look like.

https://www.coinbase.com/blog/protecting-our-customers-stand...

That's not how front line support agent access should work. You get access based on active cases you are working on, not the keys to the kingdom because you might need to support a member at some future point in time.

It won't work for 100% of all calls (what if the customer is locked out themselves etc.), but those calls can then be handled by even more closely monitored agents.

"Less than 1% of monthly transacting customers" means up to 1% were accessed – that seems very high, i.e. much higher than the number of customer service contacts I'd expect.

That’s very load-bearing. It won’t help.

The CS reps are based in a LCOL country so the opportunity for theft is simply incredibly lucrative.

What is really needed, is customer-in-the-loop for access to their data. The problem is, not all accesses would make sense. Doing analytics over the data of the top 1% of customers, for example, requires some level of access, but would freak out those customers if they had to approve it.

What about, for example, a higher-tier support person performing QA over someone else’s work? What about DFIR teams doing research on potential abuse? Etc etc.

Yes and their timeline doesn't add up with what they disclosed. If you take the Coinbase narrative, they only believed this was a 'material' issue once contacted by the hackers for a $20m demand, they weren't able to put the pieces together themselves.

The phishing has been elevated for weeks, especially via text message, and their lack of internal controls for access and monitoring are clearly severely lacking.

Using a hardware/"cold-ish" wallet does not protect you from scam calls: https://www.bleepingcomputer.com/news/security/physical-addr...

Apparently "et cetera" includes photos of my ID? Why do they even keep it?

Why not just say what country the are from and how they hired them to start with. It's presented as those sneaky "overseas" people that somehow got access to our systems. This company makes what, a few billions in revenue but they couldn't vet and hire the right people?

Historically, although KYC regulations were widespread in Communist countries, they were unthinkable in most democratic countries until 9/11, which provided spy agencies with their golden chance to write their wishlist into law. But unfortunately that helps foreign spy agencies just as much as, maybe more than, it helps domestic ones.

In https://en.wikipedia.org/wiki/Know_your_customer#Laws_by_cou... you can see when they were introduced in different countries.

Yeah I know eventually these will be linked by some data broker and will meld into the same thing.

But I compare it to using a fingerprint to unlock a password manager on your phone. That ain't KYC.

It's been a bad day.

Correspondingly I'd assume either a) paying the ransom doesn't take it off the market or b) the info they stole isn't that interesting.

Unclear if users whose data was stolen, but did NOT transact in the last month are included in this statistic. Feels like a very intentional phrasing on their part

https://www.coinbase.com/en-gb/blog/protecting-our-customers...

How many people are going to anonymously attack themselves now, just to get a reimbursement!

Corruption in these countries is extremely common. We're used to having a government that actually works in western countries. In these cheaper countries, bribes are routine and almost unavoidable.

Given the culture of corruption and how little the support agents are paid, it was only a matter of time before some bad actor tried to bribe them. Medical bills are expensive and need to be paid, making the agents highly vulnerable to this type of attack.

For many, the choice would be to accept the bribe, or let their sick child suffer from a treatable condition.

Now that a high profile attack has happened, expect copycat attacks from other bad actors.

>On April 12, Coinbase updated their user agreement to take effect TODAY, May 15, with new language about waiving some rights to class action lawsuits and jurisdiction selection.

https://bsky.app/profile/jsweetli.bsky.social/post/3lp7sw647...

Also, "Coinbase had detected the breach independently in previous months", aren't they required to disclose this? In the EU they are: Every EU institution must do this within 72 hours of becoming aware of the breach, where feasible

https://www.coinbase.com/en-de/blog/protecting-our-customers...

    What they got

    - Name, address, phone, and email

    - Masked Social Security (last 4 digits only)

    - Masked bank‑account numbers and some bank account identifiers 

    - Government‑ID images (e.g., driver’s license, passport)

    - Account data (balance snapshots and transaction history)

The world needs to stop pretending that SSNs are secret. They aren't.

[1] https://news.ycombinator.com/item?id=41248104

I don't think that this is still legal under the GDPR.

If hotel staff says "Ok, last step we need to do to check you in is to copy your passport" that would probably neither count as freely given consent nor as keeping data collection to a minimum.

And KYC also does not mean you have to copy the passport of a person.

The bottom line is Coinbase didn't adequately secure sensitive customer information, and it was leaked.

Not, "Gosh, 'overseas' people, what can ya do?"

Without the right details the customer support people don’t get entry into the customers account details.

Banks have been doing this for 30+ years..

“Give a man a gun and he can rob a bank, but give a man a bank, and he can rob the world.”

That there are more options than holding your hands up and arguing the company couldn't have done anything further in terms of implementing effective controls.

The fact that they keep blaming overseas customer support is pure blame shifting - you still hired someone and gave them access to all this data, Coinbase!

If they didn't say this, there would be pitchforks out about not giving enough information.

This is overlooked most places but if you examine around the time the FATF finally pretty much eliminated bearer bonds, bearer stocks, and large bank notes was exactly the time crypto really took off.

You can receive crypto privately to your own wallet without sharing PII, without any exchange.

>Go on LinkedIn

>Look up profiles of people who work at Coinbase

>Contact and bribe them with a burner account

> ...bribed AT&T employees at a call center in Bothell, Washington, to "use their network credentials and exceed their authorized access to AT&T's computers to submit large numbers of fraudulent and unauthorized unlock requests on behalf of the conspiracy and to install malware and unauthorized hardware on AT&T's systems," according to the indictment.

https://abcnews.go.com/Politics/att-employees-bribed-1m-unlo...

> ..install malware and unauthorized hardware on AT&T's systems

That's not as harmless as unlocking phones early. A major carrier that has access to texts, geolocations, and call logs being hacked like that is extremely concerning.

Bank tellers can take thousands out of the vault at any time and yet it seems it’s not a very big issue.

For example at many banks the teller might need to get manager approval for some cash withdrawals, even for seemingly smaller amounts of money. Despite what it may seem, it's not because of some distrust towards the client but a safeguard against internal fraud.

Vannia Chatt: https://6abc.com/post/former-citizens-bank-teller-accused-st...

Karen Farrell Tigler: https://www.irs.gov/compliance/criminal-investigation/former...

Stephanie Rose Kilbert: https://people.com/bank-teller-stole-money-while-pretending-...

Derek Aut: https://www.justice.gov/usao-ma/pr/former-bank-teller-arrest... https://www.usatoday.com/story/news/nation/2025/03/28/boston...

Mountee Brown: https://www.justice.gov/usao-md/pr/maryland-bank-teller-plea...

Being US citizens doesn't make people incorruptible. In fact, many other countries are less corrupt than the US. Someone in this very thread reports having witnessed bank tellers getting bribed in one of those countries: https://news.ycombinator.com/item?id=43996765

I've been through a background check designed to screen out people who were vulnerable to bribery. They interviewed my friends and family from the previous several years to find out if I was secretly gay, cheated on my wife, gambled, drank too much, used illegal drugs, or had money problems for some other reason. It took about a year. I think it would be hard for a financial institution to be economically competitive doing that kind of thing with their call-center workers, because their customers can't tell if they're secure or not, just how much their services cost.

With a lot of this online stuff, no matter who gets your password or access to your account it’s you who has to take care of it. Whereas if the bank teller steals from the till it’s not your problem.

But what about the capital class? How will they afford more yachts? So sad. They're.. um... job creators or something. Anyway, that's what Fox News told me.

alternatively limit the roles and what the offshore people are able to do, but then any escalation means domestic people, which brings us back to "well at that point just use AI to automate easy tasks"

Small set of privileged employees who work from the home office and are compensated to match. If an issue requires their attention, it takes time to resolve. But it's resolved securely. In essence, what Google does.

Alternative is the banking model. Low-cost customer service massively empowered and just eat the costs of breaches as they come.

My multiple banks’ customer service is meh but they do resolve problems and as far as I can tell, haven’t leaked any of my stuff yet in decades. That you think “what Google does” is better than “the banking model” is amusing.

https://www.americanbanker.com/news/call-centers-and-bank-br... "Call centers and bank branches are major fraud liabilities"

https://www.bai.org/banking-strategies/beating-crooks-at-cal... "Aite Group’s findings that 61 percent of fraud can be traced back to the [call] center are equally concerning, as is its prediction that contact center fraud loss will double by 2020."

Practically every company has someone with credentials who is in some combination of debt, a damningly-adulterous relationship, a damningly-illegal substance relationship and/or feels underappreciated or slighted compensationwise. The question is generally how much it costs.

They would have been better off not even bringing up their location if they weren't going to be transparent.

Plus numerous ways to infer your address from other data sources, including apps that grab GPS on friends' cellphones when they visit, etc.

Finally, shutting down paid data brokers seems virtually impossible in practice, which means anybody googling you can pay $20 and get everything.

Remember, the issue isn't lazy goodguys but even slightly motivated badguys, who then use third party scripts to do the data collection.

I bought a house here after a long time out of country and the first year all I got for mail was scam bullshit. Loads of it.

Just jail them. Make it a felony to release someone's PII without their written consent, and make data brokers illegal to begin with.

> numerous ways to infer your address from other data sources, including apps that grab GPS on friends' cellphones when they visit

These are not the main vector of transmission of personal information. Yes, Meta could probably do some graph analysis and infer this, but it's a lot of work, and their data leaks are rare in comparison to all the other companies, financial institutions, and governmental organizations, that freely post residential addresses on the internet and to data brokers for the world to Google.

> companies, organizations and governments that collect it for various reasons

KYC requiring addresses should be banned. Companies should not collect a residential address.

If you sling code for cryptocurrency you and your loved ones are "in the game" now.

https://www.bbc.com/news/articles/c20qee5030do

Update to the Coinbase User Agreement

We are emailing you about an important upcoming update to the Coinbase User Agreement. This update will revise our Arbitration Agreement with you. We made these updates to streamline the process for resolving disputes.

You can read the entire agreement here. The revised terms are in sections 9.9, 9.10 and Appendix 6.

These terms apply only to disputes that you or we initiate after May 15, 2025. The current terms will continue to apply until May 15.

---

What date did this news come out? I see it just happens to be the same date as mentioned in this email, May 15. Coinbase sneakily is trying to prevent their customers from exercising their legal rights. If you work for Coinbase, you ought to be ashamed and quit. If you use Coinbase, remove all your assets immediately.

I'm open to hearing reasons why this is just a coincidence or I'm misinterpreting the situation. Please, go ahead.

It's hard to not believe in Karma sometimes.

Nobody has sole control of their cryptocurrency by definition. It's a consensus protocol. (On a practical level, there are always layers of trust.)

But I've always wondered why people think this is how investment vehicles work. I monkeyed around with stock market bets and even Robin Hood allows you to cash out of your positions.

Are you sure you didn't fall for a scam version?

But they can look the other way about flaws in their Electron client.

Under specific conditions, the client can communicate with malware already on device, save data locally for other software to pick up, or downright stream the decrypted software to a third party.

Most likely is to introduce a flaw in the client that can be used by other walware on the client.

Clearly no red team members on HN these days.

Really, can you possibly tell if your Signal messages were compromised? Now that iPhones aren't really jailbreakable, you can't even see inside your own device.