Coinbase (NASDAQ: COIN) data leak could cost the company $400 million

On Thursday, Coinbase (NASDAQ: COIN) disclosed a cybercide-attack involving the theft of internal data and customer information, with a potential financial impact ranging from $180 million to $400 million.

The company said it refused a $20 million extortion demand and is working with law enforcement to investigate the incident.

Coinbase described the incident as an “extortion attempt,” which is said to have started when criminals bribed overseas support contractors to extract internal data affecting less than 1% of monthly transacting users. Coinbase confirmed that its systems were not broken into via technological means, but rather via humans.

The attackers reportedly obtained names, addresses, and phone numbers, as well as masked Social Security and bank account information, government ID images, and account data.

Coinbase emphasized that the attackers did not gain access to passwords, two-factor authentication codes, private keys, or customer funds.

“Instead of funding criminal activity, we have investigated the incident, reinforced our controls, and will reimburse customers impacted by this incident,” the company said.

Coinbase said it traced the improper access to individuals hired for support roles outside the United States, whose activity had already triggered internal security alerts in prior months. Those employees were terminated immediately.

Coinbase said it will reimburse any eligible customers who mistakenly sent funds to scammers posing as Coinbase agents and has launched a $20 million reward fund for information leading to the attackers’ arrest and conviction.