Certora Weighs In on How Coinbase Could Have Avoided May Data Leak

Leading blockchain security firm suggests a shift to Zero-Trust Architecture

  • Edited: Aug 22, 2025 at 17:39

Coinbase’s May 2025 data leak was a stark reminder that crypto’s scariest exploits don’t always happen in the code of an obscure DeFi application.

Unlike cold, calculated hacks in programming logic, social engineering exploits our most human vulnerabilities, with nefarious actors playing on our fear and confusion to steal millions of dollars.

Certora, a leading blockchain security firm, argues that centralized exchanges need to be doing more to protect their users. In a recent report, Certora outlines the importance of safe OpSec practices and suggests how Coinbase could’ve prevented the May Data Leak from ever happening in the first place.

Coinbase’s May Data Leak Put 69k Users at Risk

In May 2025, criminals bribed a group of Coinbase’s offshore contractors, acquiring highly sensitive customer data like passports, banking identifiers, and masked social security numbers.

Coinbase’s initial disclosure indicated that the leak affected less than 1% of its monthly-transacting users. According to the Maine Attorney General’s office, regulatory reporting documents confirm that the incident put as many as 69,641 people at risk of social engineering attacks.

Remarkably, reports indicate that sensitive data was being leaked as early as December 2024. It’s impossible to know the extent of the damage that may have been caused before the breach was discovered on May 11, 2025. Coinbase has since reimbursed affected customers who were targeted by the criminals and lost funds.

Even if you consider yourself a crypto veteran, you’re still not immune to the damages that data leaks can cause. Solana Labs co-founder Raj Gokal probably didn’t get duped by a social engineering scam, but he certainly didn’t appreciate having his personal information shared across the internet.

What Coinbase Should’ve Done

Certora, a leading blockchain security firm, posits that social engineering is one of the easiest attack vectors available to malicious actors. The unpracticed-but-crypto-curious demographic is low-hanging fruit for experienced scammers. Why try to find chinks in battle-hardened, audited protocols when you can convince someone that you’re a Coinbase employee and “help” them secure their account?

While investors are responsible for educating themselves to a certain level, Certora argues that exchanges need to up their game and “account for the fact that vulnerable insiders, whether malicious or not, are susceptible to compromise.”

Certora champions the growing momentum of an OpSec movement called Zero Trust Architecture, or ZTA. Put simply, ZTA requires teams to stop trusting the “company network” as a safe bubble. Remote work, cloud apps, and rogue phishing make that security perimeter porous and insecure.

Exchanges need to realize that their employees are vulnerable to OpSec blunders, and lock each sensitive resource with its own access rules and checks. Every request is verified and given only the absolute minimum amount of data needed. That way, a single compromised account can’t roam or cause wider damage.

Going back to the Coinbase example, Certora raises a valid point about the access rights and sensitive-data visibility given to overseas contractors. There is no reason why a customer support agent should have access to a user’s passport, let alone their masked social security numbers and comprehensive account history.

The applications of ZTA are not limited to crypto exchanges alone. Any company handling sensitive data in any capacity would benefit from siloing individual nodes to ensure the security of its network.
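To make the zero-trust point concrete, here is an added illustration (not code from Certora, Coinbase, or this article) of what “verify every request, return only the minimum data” looks like in practice. The roles, field names, customer record and policy table are all constructed for the example; the idea it demonstrates is that a support agent’s request is checked against session posture and an open ticket on every call, and even when authorized, the response is stripped down to the fields that role needs, so a bribed or phished agent never sees a passport number.

```python
"""Per-request, least-privilege access check with field-level data minimisation.

Added example: roles, policy, and the customer record below are constructed
for illustration and are not Coinbase's or Certora's actual design.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample customer record (placeholder values, not real data).
CUSTOMER = {
    "customer_id": "cust-0001",
    "email": "alice@example.invalid",
    "ticket_history": ["2025-05-02 withdrawal stuck"],
    "passport_number": "X1234567",            # sensitive: support must never see
    "bank_account": "GB00BANK00000000",       # sensitive: payments ops only
    "ssn_last4": "1234",                      # sensitive: compliance only
}

# Assumed policy table: (role, action) -> the only fields that role may receive.
# Every other field is dropped from the response, regardless of network location.
POLICY = {
    ("support_agent", "view_customer"): {"customer_id", "email", "ticket_history"},
    ("compliance_officer", "view_customer"): {"customer_id", "email", "passport_number", "ssn_last4"},
    ("payments_ops", "view_customer"): {"customer_id", "bank_account"},
}


@dataclass(frozen=True)
class Request:
    principal: str          # who is asking (hypothetical identifier)
    role: str
    action: str
    customer_id: str
    mfa_verified: bool      # session posture, re-checked on every request
    device_trusted: bool    # managed device attestation, re-checked on every request
    ticket_id: Optional[str] = None  # support agents must cite an open ticket


def authorize(req: Request, open_tickets: dict) -> set:
    """Return the set of fields this request may receive, or raise PermissionError.

    Nothing is inferred from "being on the corporate network": posture, role,
    and a business justification (the ticket) are evaluated fresh each call.
    """
    if not (req.mfa_verified and req.device_trusted):
        raise PermissionError("session must present MFA and a managed device")
    allowed = POLICY.get((req.role, req.action))
    if allowed is None:
        raise PermissionError(f"role {req.role!r} may not perform {req.action!r}")
    # A support agent is scoped to customers they have a live ticket for.
    if req.role == "support_agent":
        if req.ticket_id is None or open_tickets.get(req.ticket_id) != req.customer_id:
            raise PermissionError("no open ticket ties this agent to this customer")
    return allowed


def fetch_customer(req: Request, record: dict, open_tickets: dict, audit: list) -> dict:
    """Authorize, then return only the permitted fields and write an audit entry."""
    fields = authorize(req, open_tickets)
    minimised = {k: v for k, v in record.items() if k in fields}
    audit.append((req.principal, req.role, req.action, req.customer_id, sorted(minimised)))
    return minimised


if __name__ == "__main__":
    audit_log = []
    tickets = {"T-1": "cust-0001"}
    agent = Request("agent-7", "support_agent", "view_customer", "cust-0001", True, True, "T-1")
    print(fetch_customer(agent, CUSTOMER, tickets, audit_log))   # no passport, bank or SSN fields
    for bad in (
        Request("agent-7", "support_agent", "view_customer", "cust-0001", True, True, "T-9"),
        Request("agent-7", "support_agent", "view_customer", "cust-0001", False, True, "T-1"),
    ):
        try:
            fetch_customer(bad, CUSTOMER, tickets, audit_log)
        except PermissionError as e:
            print("denied:", e)
```

The design choice worth noting is that denial is the default: a role that is absent from the policy table gets nothing, and an authorized role gets a filtered copy of the record rather than the record plus a UI that hides fields. Filtering at the data-access layer is what limits the blast radius of a compromised insider, because the sensitive columns never reach their screen, their browser cache, or a screenshot.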

How to Protect Yourself From Social Engineering Attacks

While Coinbase evidently dropped the ball in this case, individuals are still strongly encouraged to educate themselves on security practices. Even if investors are frightened by the prospect of self-custody, those who store assets in centralized exchanges would still benefit from a few golden, unbreakable rules:

  • Distrust inbound contact - No exchange will ever contact you asking for your password, 2FA codes, or seed phrase. Assume anyone asking for this information has malicious intentions.

  • Set a withdrawal allowlist - Only enable withdrawals to select addresses that you control and block all others by default.

  • Use designated crypto accounts - Use a unique email and contact number for all crypto activity. This reduces your attack surface, and hackers can’t easily stitch together enough data to spear-phish or impersonate you.

  • Set withdrawal limits - If your account is compromised, this will help to prevent hackers from stealing your assets in one fell swoop. Even a few hours can be the difference between losing everything and locking your account in time.
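The allowlist and withdrawal-limit rules above are things an exchange enforces server-side, and the following added example (not code from Coinbase or from this article) shows how the two combine into a single withdrawal check. The policy shape is an assumption: addresses are only honoured once they have been on the allowlist past a cooling-off delay (so an attacker who adds their own address cannot drain the account immediately), and a rolling 24-hour limit caps what can leave even through an allowlisted address. Amounts, addresses and timestamps are constructed sample values.

```python
"""Withdrawal control: allowlist with cooling-off delay plus a rolling 24h limit.

Added example with an assumed policy shape; not the page's or any exchange's code.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple


@dataclass
class WithdrawalPolicy:
    daily_limit: float                      # max total withdrawn in any rolling 24h window
    new_address_delay: timedelta            # how long a newly added address waits before use
    # address -> time it was added to the allowlist (assumed to be set via MFA-gated UI)
    allowlist: Dict[str, datetime] = field(default_factory=dict)
    # (time, amount) of completed withdrawals, used for the rolling window
    history: List[Tuple[datetime, float]] = field(default_factory=list)

    def add_address(self, address: str, now: datetime) -> None:
        """Register an address; it becomes usable only after new_address_delay."""
        self.allowlist.setdefault(address, now)

    def address_active(self, address: str, now: datetime) -> bool:
        added = self.allowlist.get(address)
        return added is not None and now - added >= self.new_address_delay

    def spent_last_24h(self, now: datetime) -> float:
        window_start = now - timedelta(hours=24)
        return sum(amount for t, amount in self.history if t > window_start)

    def check(self, address: str, amount: float, now: datetime) -> Tuple[bool, str]:
        """Return (allowed, reason). Deny by default; every rule must pass."""
        if amount <= 0:
            return False, "amount must be positive"
        if address not in self.allowlist:
            return False, "destination not on allowlist"
        if not self.address_active(address, now):
            remaining = self.new_address_delay - (now - self.allowlist[address])
            return False, f"destination still in cooling-off period ({remaining} left)"
        if self.spent_last_24h(now) + amount > self.daily_limit:
            return False, "rolling 24h withdrawal limit exceeded"
        return True, "ok"

    def withdraw(self, address: str, amount: float, now: datetime) -> Tuple[bool, str]:
        """Apply the check and, if it passes, record the withdrawal."""
        ok, reason = self.check(address, amount, now)
        if ok:
            self.history.append((now, amount))
        return ok, reason


def demo() -> List[Tuple[bool, str]]:
    """Constructed scenario: a legitimate address, then an attacker-added address."""
    t0 = datetime(2025, 5, 11, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    policy = WithdrawalPolicy(daily_limit=1000.0, new_address_delay=timedelta(hours=24))
    policy.add_address("addr-owner", t0 - timedelta(days=30))   # long-standing, active
    results = [
        policy.withdraw("addr-owner", 600.0, t0),                             # ok
        policy.withdraw("addr-owner", 600.0, t0 + timedelta(hours=1)),        # limit hit
    ]
    policy.add_address("addr-new", t0 + timedelta(hours=2))                   # just added
    results.append(policy.withdraw("addr-new", 100.0, t0 + timedelta(hours=3)))   # cooling off
    results.append(policy.withdraw("addr-unknown", 100.0, t0 + timedelta(hours=3)))  # not listed
    results.append(policy.withdraw("addr-new", 100.0, t0 + timedelta(hours=27)))  # now active
    return results


if __name__ == "__main__":
    for ok, reason in demo():
        print("ALLOW" if ok else "DENY ", reason)
```

The cooling-off delay is what buys the “few hours” the article mentions: an account takeover that adds a new destination still cannot move funds until the delay elapses, which is time the legitimate owner can use to notice the notification and lock the account.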

Crypto’s prolific growth and adoption in 2025 are massively beneficial for the industry. Unfortunately, the influx of millions of new users and investors is a mouth-watering prospect for malicious actors. Exchanges need to lift their game to protect users, or the industry will never overcome the reputational damage caused by security leaks like Coinbase’s recent blunder.

Read More on SolanaFloor