Customer Data Leak in India Could Be the Source of December 2024 Coinbase Breach

• The December 2024 Coinbase data breach may involve third-party offshore partners.
• Sources say an India-based employee of a U.S. outsourcing firm could have been at the root of the recently revealed breach.
• A person working for TaskUs was caught using a personal phone to take pictures of the work computer.

The cryptocurrency exchange Coinbase is grappling with the aftermath of a costly and complex data breach, with recent reports confirming a direct link to an Indian-based customer support contractor. Coinbase estimated the breach to cost up to $400 million.

Coinbase confirmed that at least 69,461 customers had their personal and financial data stolen in an extended intrusion that began in late December 2024 and persisted for several months.

According to sources cited by Reuters, Coinbase was made aware as early as January of a customer data leak originating at collaborator TaskUs, a U.S. outsourcing firm with a major center in Indore, India.

The breach came to light after a TaskUs employee was caught using a personal cellphone to photograph sensitive customer data on her work computer in January. The individual, along with at least one accomplice, allegedly supplied confidential Coinbase customer information to threat actors in exchange for bribes.

Company investigators and witnesses quickly escalated the issue, prompting TaskUs to terminate over 200 employees in a rapid mass layoff that drew national attention in India. 

Coinbase, in subsequent disclosures, acknowledged that unauthorized access by other, unnamed overseas support agents was implicated in the data breach.

The revelation raises pressing questions about the timing of Coinbase’s public disclosures. While the company referenced the abuse in a recent SEC filing, it stated that it only recognized the full extent of the threat after receiving an extortion demand on May 11. 

This lag between initial detection and broader acknowledgment points to the structural complexities of managing a distributed support operation and underscores the importance of rapid incident escalation protocols.

TaskUs, for its part, confirmed it had notified the client immediately and attributed the incident to a broader, organized criminal campaign targeting client data across multiple providers.