One of the most prominent cryptocurrency exchanges on the planet, Coinbase, has found itself in legal trouble after it waited 4 months to alert users of a $400 million security breach. According to a Reuters report, the exchange was notified of a data leak in January, while they did not notify the 69,000 customers until May.
The compromise took place amid a relationship between the exchange and Texas-based outsourcing firm TaskUS. Indeed, the India call center that was employed by the firm was reportedly bribed to leak sensitive data on customers, including names, addresses, and partial social security numbers, according to a court filing.

Also Read: Circle In Talks to Sell as Coinbase & Ripple Emerge as Top Buyers
Coinbase Facing Legal Action for Delayed Notification of Major Data Breach
It has been a massive few months for the Coinbase cryptocurrency exchange. In what is a major achievement for the company, it entered the S&P 500 for the very first time. The landmark development was a key win for the cryptocurrency sector. Moreover, it established the exchange as one of the premiere crypto firms on the planet.
However, it is facing increased scrutiny over a new report that has many questioning its security measures. Specifically, Coinbase is set to face legal action after it waited 4 months to alert its users of a $400 million security breach. Indeed, the company was alerted of compromised data in January of 2025 while not alerting nearly 70,000 users until May 14th.

Also Read: US Government Launches Investigation Into Coinbase
The delayed warning notified investors that the breach could cost anywhere between $180 million and $400 million. In response, they are said to have cut access to contractors while noting misconduct. Moreover, they have committed to enhancing third-party vendor controls.
The exchange could still find itself in major trouble with US regulatory bodies. The US Securities and Exchange Commission (SEC) has strict reporting standards when it comes to data breaches. According to its cyber-incident rule, an 8-K must be filed within eight days of the event.
Coinbase filed the necessary report in May, noting “prior months” of potential data compromises. However, they did not clarify that email correspondence showed the breach took place in January.