The Coinbase Employee Data Breach Class Action Lawsuit represents one of cryptocurrency’s most significant insider-threat incidents, affecting nearly 70,000 customers whose sensitive personal and financial information was stolen by a company insider and sold to bad actors. In May 2025, Coinbase disclosed that an employee of TaskUs, its third-party customer service contractor based in India, had systematically stolen customer data starting in September 2024—capturing names, addresses, emails, Social Security numbers, partial bank account details, account balances, and government ID photos from thousands of accounts. Multiple federal class action lawsuits were immediately filed against Coinbase, with plaintiffs seeking damages for negligence, inadequate security measures, and failure to protect customer data from a known insider threat.
This breach stands apart from typical data thefts because it wasn’t perpetrated by external hackers breaking through firewalls—it was carried out by an employee with legitimate system access who exploited her position to photograph customer accounts at an industrial scale. The suspect, Ashita Mishra, allegedly took as many as 200 photos of customer accounts per day and kept records for over 10,000 customers on her personal phone, selling the information to hackers at $200 per record. For affected customers, the fallout has included identity theft risks, unauthorized account access, and the prospect of navigating a protracted legal battle to recover damages.
Table of Contents
- How Did a Coinbase Contractor Steal Data from 70,000 Customers?
- What Personal Information Was Exposed and What Are the Risks?
- Who Was Ashita Mishra and How Did This Become a Criminal Conspiracy?
- How Did Coinbase Respond to the Breach and What Did Security Failures Enable It?
- What Are the Class Action Lawsuits and What Damages Are Customers Seeking?
- The $20 Million Bounty and Law Enforcement’s Role
- What Does This Breach Mean for Cryptocurrency Exchange Security and Third-Party Risk?
How Did a Coinbase Contractor Steal Data from 70,000 Customers?
The Coinbase data breach began in September 2024 when Ashita Mishra, an employee of TaskUs—the outsourced customer service provider handling Coinbase’s support operations—gained access to customer account information through her legitimate job functions. Rather than use that access appropriately, Mishra systematically photographed customer account details from her workstation, exploiting a gap between TaskUs’s security protocols and Coinbase’s oversight of third-party contractor access. Over the course of months, Mishra accumulated data on more than 10,000 customers, storing sensitive information—including full names, home addresses, email addresses, Social Security numbers, bank account details, account balances, and government ID scans—on her personal phone. What made this breach particularly extensive was Mishra’s daily output. Court documents indicate that she took as many as 200 photos per day of customer accounts, suggesting that the data collection was not opportunistic or accidental but rather part of a deliberate, high-volume scheme.
The volume alone should have triggered alerts in a well-managed third-party risk program, yet Coinbase’s monitoring systems apparently failed to detect the pattern. For Coinbase customers, this means their complete financial profiles—information typically guarded under strict regulatory standards—ended up accessible to someone with clear intent to monetize it. The incident reveals a critical vulnerability in how cryptocurrency exchanges manage third-party contractor access. TaskUs operates from India, where Coinbase outsourced customer support to reduce costs. While outsourcing is standard practice across financial services, Coinbase’s failure to implement adequate oversight of contractor systems and endpoint controls allowed a single employee to exfiltrate data at scale without triggering security alerts. This gap between contractor and platform security created the conditions for one of the largest insider thefts in crypto history.
What Personal Information Was Exposed and What Are the Risks?
The data stolen in the Coinbase breach covers the full spectrum of customer identifying information and financial details. Customers’ names, home addresses, email addresses, and phone numbers were among the first pieces of data compromised—the foundational elements for identity theft and social engineering attacks. But the breach went much deeper: attackers obtained partial bank account numbers, cryptocurrency account balances, and photos of government-issued identification documents including driver’s licenses and passports. When combined, this information creates a complete profile that bad actors can use to impersonate customers, file fraudulent account recovery requests, or execute more sophisticated fraud schemes. The presence of government ID photos in the stolen data is particularly concerning.
Unlike passwords or account numbers that can be changed, a photograph of your driver’s license is a permanent identifier. Attackers can use these photos in identity verification processes, potentially bypassing two-factor authentication or account recovery procedures that rely on visual ID verification. The account balance information, while immediately useful for targeting high-value accounts, also puts affected customers at risk for targeted cryptocurrency theft and social engineering attacks tailored to their specific holdings. One critical limitation is that Coinbase has never publicly disclosed whether the compromised data included customers’ two-factor authentication settings or backup recovery codes. If attackers obtained those details along with the ID photos and email addresses, they would have everything needed to take complete control of customer accounts without the account holder’s involvement. Coinbase’s official statements have been vague on this point, leaving customers uncertain about the full scope of the exposure.
Who Was Ashita Mishra and How Did This Become a Criminal Conspiracy?
Ashita Mishra’s role as a TaskUs employee in India should have placed her in a restricted access environment subject to security protocols, background checks, and monitoring. Instead, Mishra leveraged her position to launch what became one of cryptocurrency’s most consequential insider theft operations. She was arrested in January 2025, before Coinbase even disclosed the breach publicly, indicating that law enforcement had been investigating her activities independently. The discovery of her personal phone, which contained data records for more than 10,000 Coinbase customers, provided prosecutors with direct evidence of her systematic approach to data theft. What began as a solo operation escalated into a structured criminal conspiracy. Court documents allege that Mishra enlisted supervisors and team leaders at TaskUs, transforming her personal data-theft scheme into something far larger and more sophisticated.
This expansion suggests that Mishra identified organizational weaknesses and actively recruited others to help scale the operation. For Coinbase, the implication is even more damaging: the breach wasn’t just an isolated rogue employee but rather a systemic failure to prevent collusion among contractors who had authorized access to customer data. The involvement of supervisors and team leaders indicates that people in positions of trust and responsibility chose to participate in the theft. The financial incentive was straightforward: Mishra sold stolen customer data to hackers at $200 per record. With 10,000+ customer records on her phone alone, the potential earnings were substantial—especially in India, where $200 per record represents a significant payment. This pricing structure also suggests that the buyers understood the value of the information and had already identified use cases for it, whether identity theft, account takeover, or targeted phishing campaigns.
How Did Coinbase Respond to the Breach and What Did Security Failures Enable It?
Coinbase’s response to discovering the breach was two-pronged: immediately terminate the relationship with TaskUs and notify affected customers. On May 15, 2025—the same day Coinbase disclosed the breach publicly—the company announced that it was ending its partnership with TaskUs and transitioning to a fully US-based customer support operation. This move addressed the immediate problem but came too late for the 70,000 customers whose data was already in the hands of bad actors. The decision to relocate customer support entirely to the United States suggests that Coinbase recognized the risk of managing sensitive customer data through distant, less-regulated contractor environments. However, Coinbase’s remediation efforts also reveal the magnitude of its security failure.
The company’s SEC filing estimated that the breach and its aftermath would cost between $180 million and $400 million—a massive hit to shareholder value and company resources. This cost includes notification to customers, credit monitoring services, legal fees, regulatory inquiries, and potential settlements. For comparison, many other major data breaches in the financial industry have cost between $50 and $150 million; Coinbase’s estimated remediation cost is substantially higher, reflecting both the sensitivity of cryptocurrency holdings and the number of customers affected. A critical limitation of Coinbase’s response is what it didn’t do: immediately place a hold on account recovery processes for affected customers, implement temporary cryptocurrency withdrawal freezes to prevent unauthorized transactions, or provide a centralized crisis resource. Instead, customers were left to individually secure their accounts and monitor for fraud—a significant burden for less tech-savvy users. Additionally, Coinbase has been sued by customers partly for what it knew and when it knew it; one key question in the litigation is whether Coinbase detected Mishra’s activities and delayed disclosure, or whether its systems were simply blind to the threat.
What Are the Class Action Lawsuits and What Damages Are Customers Seeking?
Within days of Coinbase’s public disclosure on May 15, 2025, multiple federal class action lawsuits were filed against the company. Milberg, a prominent plaintiffs’ law firm, filed suit in the U.S. District Court for the Northern District of California on the same day as Coinbase’s breach disclosure, seeking statutory damages, punitive damages, and monetary compensation for affected customers. By some accounts, at least 13 additional proposed federal class actions were filed against Coinbase related to the same breach, with various law firms representing different groups of affected customers. This proliferation of lawsuits is typical when a large-scale breach attracts multiple plaintiffs’ firms, but it also means that settlement negotiations may be complicated and protracted. Beyond the Coinbase lawsuits, a separate action was filed against TaskUs by law firm Greenbaum Olbrantz for its failure to properly protect customer data and supervise its employee.
This third-party contractor litigation is crucial because it attempts to establish liability at the source—arguing that TaskUs bears responsibility for hiring, training, and monitoring Mishra. The challenge with contractor litigation is that TaskUs may argue it was Coinbase’s responsibility to audit TaskUs’s security practices and that Coinbase failed to do so. In reality, both companies likely share liability, but apportioning it fairly will require the court to examine the contractual relationship between Coinbase and TaskUs. The damages sought in these lawsuits include compensation for identity theft protection costs, credit monitoring, time spent securing accounts and monitoring for fraud, emotional distress, and statutory damages under state data breach notification laws. Some plaintiffs are also seeking punitive damages, arguing that Coinbase’s negligent contractor oversight and delayed response to the breach warrant punishment beyond compensatory damages. However, a significant limitation is that cryptocurrency prices fluctuate, and some customers’ holdings may have increased in value since the breach date, complicating calculations of economic loss.
The $20 Million Bounty and Law Enforcement’s Role
In response to the breach, Coinbase announced a $20 million reward fund for information leading to arrests and convictions in connection with the data theft conspiracy. This bounty was designed to incentivize cooperation from people within TaskUs, law enforcement agencies, or others with knowledge of the conspiracy. The bounty’s existence is notable because it signaled Coinbase’s recognition that TaskUs alone could not be trusted to provide answers and that the company was willing to invest significant resources in ensuring that perpetrators faced criminal consequences. Law enforcement agencies in the United States and India have been actively investigating the breach. Ashita Mishra’s arrest in January 2025—three months before public disclosure—indicates that U.S. federal authorities had independently identified and begun prosecuting the case.
International coordination between U.S. agencies and Indian law enforcement was necessary because TaskUs operates in India and Mishra was located there. The prosecution of this case could establish important precedent for holding contractor employees accountable for data theft in the cryptocurrency industry. However, the reality of international cybercrime prosecution is that it moves slowly. Even with Mishra’s arrest, identifying all members of the conspiracy, locating customers’ data, and preventing its ongoing misuse remains challenging. If the data has already been sold to multiple criminal organizations or used in identity theft schemes, the damage extends beyond Coinbase’s platform into the broader financial system.
What Does This Breach Mean for Cryptocurrency Exchange Security and Third-Party Risk?
The Coinbase breach has accelerated conversations within the cryptocurrency industry about third-party risk management and contractor security practices. Major exchanges have begun reassessing whether outsourcing customer support to international contractors is worth the security risk, especially when handling sensitive financial data. Coinbase’s decision to bring all customer support in-house and terminate the TaskUs relationship was a decisive response, but other exchanges may take different approaches—some investing heavily in security monitoring of contractor environments, others moving support functions domestically.
For the broader fintech and cryptocurrency industry, the breach serves as a cautionary tale about the hidden costs of cost-cutting through outsourcing. Saving money by contracting customer support to lower-cost overseas providers means accepting elevated risk of insider threats, weaker security controls, and regulatory misalignment. The $180-400 million estimated cost to Coinbase almost certainly exceeds what the company would have spent over the same period had it maintained in-house customer support from the beginning. This calculus may shift other exchanges toward keeping sensitive customer interactions and data access within tightly controlled, domestic environments.