
#33: Coinbase Insider Risk, Silent Logins, and Instant Access for Attackers
From Coinbase’s breach fallout to stealthy government logins and browser-based account takeovers, the real threat isn’t just access; it’s how little friction attackers face once they’re in.
Let’s get into it.
NATE'S TAKE - MAY 27, 2025
Top Three This Week
- Coinbase Breach Tied to Rogue Support Agents and Exposed Customer Data
- Mysterious Logins From Inside Governments and Big Tech Raise Eyebrows
- Meta and PayPal Accounts Vulnerable to Instant Session Hijack
1. Coinbase Breach Tied to Rogue Support Agents and Exposed Customer Data

Coinbase has confirmed a data breach involving rogue overseas support agents, leading to the exposure of sensitive customer data but not account access. The breach is now under investigation by the U.S. Department of Justice, following a ransom demand of $20 million from the attackers.
What happened:
- On May 11, Coinbase received an email from an unknown actor claiming access to internal documents and some customer account information.
- The company refused to pay the ransom and instead offered a $20 million reward for information leading to the hackers.
- Coinbase said attackers did not gain access to passwords, 2FA codes, private keys, or customer funds, but they did access personal and financial data for a subset of users.
Coinbase said it is reimbursing users who were tricked into sending funds to scammers as a result of the breach before May 15. The company has also announced it will open a new U.S.-based support hub and implement additional safeguards.
Users are being warned to watch for phishing attempts or scammers posing as Coinbase staff. The company emphasized it will never ask for seed phrases or wallet transfers over phone or text.
While no customer wallets were accessed and trading infrastructure was not compromised, the breach underscores how third-party insider risk continues to be a serious vulnerability, especially in crypto. Coinbase expects the financial impact of the breach to be between $180 million and $400 million.
2. Mysterious Logins From Inside Governments and Big Tech Raise Eyebrows

According to Wired, researchers are tracking a disturbing pattern: unauthorized logins to sensitive databases and systems, often coming from IP addresses linked to government agencies, law enforcement, and tech companies.
These logins were spotted targeting social media monitoring tools, public data aggregation platforms, and other open intelligence resources. And in many cases, the individuals accessing them weren’t supposed to have that level of access, or weren’t authorized at all.
Researchers have not confirmed whether these logins are insider misuse, compromised credentials, or spoofed access, but the pattern is consistent and worrying. Some attempts were traced to law enforcement offices in the U.S. and Europe, while others appear tied to contractors or unknown individuals operating within big tech infrastructure.
For fraud teams, this story is a warning shot: privileged access must be monitored constantly, and signals from device, location, and journey context are essential to catch misuse in real time.
3. Meta and PayPal Accounts Vulnerable to Instant Session Hijack

A new, real-world session hijack vulnerability can give attackers instant access to PayPal and Meta accounts, no password or 2FA required.
The attack works like this:
- If a user clicks on a malicious link while logged into their PayPal or Meta account, the attacker can capture their authenticated session token.
- With that token, the attacker can immediately log in as the victim, bypassing all authentication and skipping the login screen entirely.
- The issue stems from how session tokens are stored and reused across browsers and devices, particularly in phishing and social engineering scenarios.
Cybersecurity experts cited in the article say the threat is real and actively being exploited. Both Meta and PayPal have acknowledged the issue and are working on mitigations, but users are currently vulnerable if they’re logged in and click a malicious link.
Fraud teams need to treat session behavior like login behavior: monitor it, analyze intent, and be ready to revoke access if things don’t look right.
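Section 2 asks for device, location and journey signals on privileged access, and section 3 closes with the advice to treat session behavior like login behavior and revoke access when it doesn’t look right. The Python below is an added example written for this page; it is not code from Meta, PayPal, Coinbase, Spec, or the Wired article. It binds a session token to the browser and network context seen at login, re-checks that context on every request, revokes the session and writes an audit event when a token shows up from somewhere else, and asks for step-up when a brand-new session tries a sensitive action before doing anything else. The action names, the /24 binding, the sample user agents and the IP addresses are all constructed for the example.

```python
from __future__ import annotations

import hashlib
import secrets
from dataclasses import dataclass, field

# Action names are assumptions for this example, not any real product's API.
SENSITIVE_ACTIONS = {"change_email", "add_payout_method", "transfer"}


@dataclass
class Session:
    user: str
    ua_hash: str          # hash of the User-Agent seen at login
    ip_prefix: str        # /24 prefix of the login IP (IPv4 only, an assumption for brevity)
    issued_at: float
    actions: list[str] = field(default_factory=list)
    revoked: bool = False


def fingerprint(user_agent: str, ip: str) -> tuple[str, str]:
    """Context a token is bound to. Deliberately coarse: exact IPs change legitimately
    (carrier NAT, roaming), so bind to the /24 rather than the full address."""
    ua_hash = hashlib.sha256(user_agent.encode()).hexdigest()[:16]
    ip_prefix = ".".join(ip.split(".")[:3])
    return ua_hash, ip_prefix


class SessionStore:
    def __init__(self, max_age_s: int = 3600):
        self.max_age_s = max_age_s
        self.sessions: dict[str, Session] = {}
        self.audit: list[dict] = []   # events a fraud team would alert on

    def login(self, user: str, user_agent: str, ip: str, now: float) -> str:
        token = secrets.token_urlsafe(32)
        ua_hash, ip_prefix = fingerprint(user_agent, ip)
        self.sessions[token] = Session(user, ua_hash, ip_prefix, now)
        return token

    def check(self, token: str, user_agent: str, ip: str, action: str, now: float) -> tuple[str, str]:
        """Decide whether a request carrying `token` may perform `action`.
        Returns (decision, reason) with decision in {'allow', 'step_up', 'deny'}."""
        s = self.sessions.get(token)
        if s is None:
            return "deny", "unknown_token"
        if s.revoked:
            return "deny", "revoked"
        if now - s.issued_at > self.max_age_s:
            s.revoked = True
            return "deny", "expired"

        ua_hash, ip_prefix = fingerprint(user_agent, ip)
        mismatch = [name for name, seen, bound in (("user_agent", ua_hash, s.ua_hash),
                                                   ("ip_prefix", ip_prefix, s.ip_prefix))
                    if seen != bound]
        if mismatch:
            # A token presented from another browser or network: revoke it for everyone
            # holding it (the real user simply logs in again) and record why.
            s.revoked = True
            self.audit.append({"user": s.user, "event": "session_context_mismatch",
                               "fields": mismatch, "action": action})
            return "deny", "context_mismatch:" + ",".join(mismatch)

        # Journey context: a sensitive action as the very first thing a session does is
        # unusual for a real user, who normally browses first. Ask for step-up.
        if action in SENSITIVE_ACTIONS and not s.actions:
            self.audit.append({"user": s.user, "event": "sensitive_action_without_journey",
                               "action": action})
            return "step_up", "sensitive_action_without_journey"

        s.actions.append(action)
        return "allow", "ok"


# Constructed sample traffic: a user on a desktop, then the same token replayed
# from a different device and network, which is what a captured token looks like.
UA_DESKTOP = "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0"
UA_OTHER = "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) Safari/604.1"


def run_demo() -> list[tuple[str, str]]:
    store = SessionStore()
    t = store.login("alice", UA_DESKTOP, "203.0.113.10", now=1000.0)
    return [
        store.check(t, UA_DESKTOP, "203.0.113.10", "view_dashboard", now=1001.0),  # allow
        store.check(t, UA_DESKTOP, "203.0.113.77", "transfer", now=1002.0),        # allow: same /24, has journey
        store.check(t, UA_OTHER, "198.51.100.5", "transfer", now=1003.0),          # deny: replayed token
        store.check(t, UA_DESKTOP, "203.0.113.10", "view_dashboard", now=1004.0),  # deny: session now revoked
    ]


if __name__ == "__main__":
    for decision, reason in run_demo():
        print(decision, reason)
```

Binding does not stop a token from being captured; it limits what a captured token is worth and turns its first use elsewhere into an audit event. Short lifetimes and HttpOnly, SameSite cookies sit alongside it, and the trade-off in `fingerprint` (a /24 rather than the exact IP) is where a real deployment tunes false positives against coverage.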
===
That’s all for this week! For more insights, follow us on LinkedIn or X, and if you want to learn more about what we do, visit www.specprotected.com.
Nate Kharrl, CEO and co-founder at Spec, has built leading solutions for application security and fraud challenges since the early days of the cloud era. Drawing from his cyber experience at Akamai, ThreatMetrix, and eBay, Nate helped found Spec to focus on the needs of businesses operating in a landscape of increasing AI risks. Under Nate’s leadership, Spec grew from its mid-pandemic founding to raise $30M in venture-backed funding to build solutions used by Fortune 500 companies transacting billions in online commerce. Spec’s service offerings today include protective measures for websites and APIs that specialize in defending against attacks designed to bypass bot defenses and risk assessment platforms.