2025 Coinbase Hack: What to Know for 2026

In mid-May 2025, Coinbase disclosed a customer-data security incident that resulted in data being leaked. As we enter a technical bear market in 2026, its likely social engineering attacks using this data will ramp up.

What Did the Hackers Get?

While Coinbase stated that passwords and private keys were not compromised, attackers obtained enough personal information to significantly increase the risk of fraud, phishing, and account-takeover attempts for affected users.

This article explains what happened, why exposure of email and phone number combinations matters, and what practical steps users should take now to reduce risk.

What happened

According to Coinbase’s SEC Form 8-K filed on May 14, 2025, criminals gained access to certain customer data by bribing or recruiting overseas support personnel and abusing internal support systems (not technically a hack).

Coinbase publicly addressed the incident the following day in a post titled “Protecting Our Customers – Standing Up to Extortionists”, stating that it refused an extortion demand and began remediation efforts.

Independent reporting quickly followed, including coverage from Reuters and the Associated Press on May 15, 2025.

What data was exposed

Coinbase stated that the incident did not involve passwords, private keys, or direct wallet access. However, some customers’ personal information may have been accessed, including names, physical addresses, email addresses, and phone numbers. In some cases, masked Social Security numbers, masked bank-account identifiers, or government ID images were also involved.

This type of data is especially valuable for social-engineering attacks, where scammers impersonate legitimate companies or support staff to manipulate victims into handing over access or funds.

Why email and phone number exposure matters

Even without passwords, possession of your email address and phone number allows attackers to run highly effective and targeted attack patterns.

Scammers can send emails, texts, or place phone calls that reference real personal details, making messages appear legitimate. Their goal is typically to trick you into clicking a fake login link, sharing a one-time security code, or approving a fraudulent login prompt.

Attackers also commonly abuse account-recovery flows. Because your email account is the gateway to password resets for most services, criminals may initiate resets and then attempt to trick you into revealing verification codes or approving recovery actions.

If your accounts rely on SMS-based security, attackers may attempt a SIM-swap attack to take control of your phone number and intercept login or recovery codes.

Once email and phone data are known, attackers often prioritize identity “hub” accounts such as Apple ID and Google accounts. Compromise of these accounts can cascade into access to saved passwords, cloud data, backups, and other linked services.

What to do now

A small number of deliberate security upgrades provide the greatest risk reduction.

Start by securing your email account. Change your password to a long, unique password and enable strong two-factor authentication using an authenticator app, passkeys, or a hardware security key. Review recovery email addresses and phone numbers, and check for any forwarding rules or inbox filters you did not create.

Next, move away from SMS-based two-factor authentication wherever possible. For email, banking, crypto, and cloud accounts, replace SMS codes with authenticator apps or passkeys.

You should also lock down your phone number by adding a carrier port-out PIN or transfer lock and requiring in-store ID for SIM changes if your carrier supports it. Unexpected loss of cellular service should be treated as a warning sign.

To reduce exposure further, consider moving high-value accounts—such as financial services, crypto exchanges, and password managers—to a private email address that is not used publicly. At minimum, update recovery email addresses to a less-exposed inbox.

Finally, harden financial and crypto accounts by using strong non-SMS authentication everywhere possible, enabling withdrawal allowlists or address whitelisting, and ignoring any message that urges immediate action or secrecy.

Common scam warning signs

Be cautious of inbound “support” calls or texts you did not initiate, messages that apply pressure or urgency, requests for one-time codes or approval prompts, links asking you to log in instead of directing you to open the app yourself, or instructions to move funds to a so-called “safe” wallet.

Bottom line

The 2025 Coinbase incident is a reminder that personal data exposure changes the threat model even when passwords and private keys remain secure. Email and phone number combinations enable highly targeted scams, especially against financial and identity-hub accounts.

A few focused security improvements—stronger authentication, reduced reliance on SMS, and tighter control over recovery options—dramatically lower risk as we move through 2026.