August 20, 2025
Securing Crypto with Zero Trust
What the Coinbase May 2025 Incident Teaches Us About OpSec
On May 15, Coinbase announced that it had been targeted by an extortion scheme that started with a malicious actor convincing overseas customer support contractors to sell Coinbase’s customer support data and provide it to the malicious buyer. While this breach impacted less than 1% of Coinbase’s customers, the set of extracted data was extensive, including:
- Name, address, phone, and email
- Masked Social Security numbers (last 4 digits only)
- Masked bank‑account numbers and some bank account identifiers
- Government‑ID images (e.g., driver’s license, passport)
- Account data (balance snapshots and transaction history)
- Limited corporate data (including documents, training material, and communications available to support agents)
Gaining access to this data provided the attackers with a rich set of information that they could leverage into additional social engineering attacks, such as manipulating Coinbase customers into making transfers to malicious wallets by using the obtained information to create the appearance of legitimacy.
In general, hackers are always on the lookout for the soft spots in a target. For example, why attack a hardened network when you can easily find an unguarded, open Remote Desktop (RDP) port? Why attack a web property protected with a good Web Application Firewall (WAF) when you can instead attack an equally valuable, unprotected site?
As many of the best practices for network and host security improve, attackers have increasingly turned to social engineering as the primary vector of attack. According to CrowdStrike, 3 of the top 4 most common vulnerabilities involve social engineering attacks (phishing, spear phishing, credential theft, etc.). While the specifics may vary, the trend is clear: organizations have to account for the fact that vulnerable insiders, whether malicious or not, are susceptible to compromise.
The Shift to Zero Trust
Today there is a growing movement around a concept called Zero Trust Architecture (ZTA). The concept of ZTA is simple: the network can no longer be considered a useful security perimeter as work becomes remote and computing moves to the cloud. In addition, the idea of the network as the boundary of trust is viewed as susceptible to attack because compromised credentials or a single errant click on a well-crafted phishing attempt can have catastrophic consequences.
Instead of relying on VPNs to try to recreate the network, and instead of expecting perfect security behavior from every employee in the face of a steady stream of phishing attempts, the goal now is to attach access control and authorization to each sensitive enterprise resource. That per-resource check is the mechanism that keeps outsiders away from sensitive data and limits the impact of a single mistake. This limit applies along two dimensions:
- First, by ensuring that a single compromised node - for example, a laptop compromised by ransomware delivered through a phishing email - cannot be used to reach other company resources, such as an AWS server that accepts an SSH key stored on the laptop with no passphrase protecting it
- Second, by ensuring that each role in the company is associated with a comprehensive data classification framework so that only highly trusted individuals within an organization have access to highly sensitive data
Coinbase would have greatly benefited from the second principle. It’s hard to see why a customer support agent would, for example, need access to images of a user’s passport, their account balance, or extensive transaction history. That seems well beyond the scope of the role, particularly for an overseas contractor.
The best data classification schemes are attached to technology that associates the classification with the data directly. Examples include the Information Rights Management (IRM) capabilities built into Google Drive and Microsoft’s Purview product line. IRM technologies encode information rights directly into the data they are protecting. Conceptually, the idea is simple - a document is encrypted, and in order to unlock the encrypted content a user must have a “license” to do so. A license is acquired by authenticating with the IRM service (e.g., Google Drive or Microsoft Entra). Administrators can set policies governing licenses that regulate how often authentication is required, under what circumstances (online vs. offline), and what activities are permitted for license holders. IRM technology also integrates nicely with broader conditional access frameworks that check the disposition of the device and the network before allowing a user to authenticate.
With the underlying technology in place, an organization can then develop a discipline around data classification. Rich APIs from platforms like Microsoft Azure Rights Management allow for data of any type (even plain text files) to be protected with role-based labels. Since data often resides outside of documents and directly in SaaS platforms, it is also important to choose platforms like salesforce.com that offer field-level permissions so that authorization is attached directly to data rather than to a much broader capability of the application.
In the case of Coinbase, configuring their service management platform to attach elevated permissions to sensitive fields, such as the account balance, instead of allowing all authenticated support representatives to see that information could have rendered the attack far less impactful.
As the Web3 industry seeks to mature beyond the crypto natives, each protocol making that leap will have to adopt the operational security requirements necessary to provide traditional institutions and mainstream investors with the safety assurances they need to invest in DeFi. The financial opportunities may be compelling, but the feeling of entering the Wild West can disrupt that pathway entirely. Learning from the processes and technologies that are considered best practices in the broader security ecosystem is a necessary starting point for providing peace of mind for would-be users, and the Coinbase incident offers an immediate and present lesson: data security matters, and it is time to take action to keep sensitive data safe.