
June 25, 2025

What the Coinbase Breach Teaches Us About Insider Risk

Ganesh


In May, Coinbase disclosed a massive breach, one that exposed the personal data of over 69,000 users and could cost the company up to $400 million. The attackers didn’t break through firewalls or exploit zero days. Instead, they bribed overseas customer support agents at TaskUs, a third-party provider, to exfiltrate sensitive customer records.[1]

The breach is a stark reminder. Insider risk isn’t theoretical — it’s operational, and it’s increasingly expensive.

When Access Becomes a Liability

The Coinbase breach highlights how even indirect insiders, like contractors and third-party agents, can become a soft underbelly for sophisticated threat actors. For just $2,000, support reps handed over the keys to the kingdom. The hackers didn’t need admin rights or complex malware; they just needed someone on the inside.

With stolen data in hand, the attackers launched a wide-scale social engineering campaign impersonating Coinbase employees and even attempted to extort the company for $20 million.[1]

It’s the kind of breach that security leaders fear most: hard to detect, easy to replicate, and damaging far beyond the initial intrusion.

What Was the Root Cause?

Everyone’s focused on the $400M in damages, the ransom demands, and TaskUs fallout. But the root cause is deeper. Why did reps have open access to customer data in the first place? Where was the control layer on top of the support system? Why wasn’t rep behavior tied to support ticket volume?

 

From Facebook’s “God View” to the Coinbase breach, the lesson remains that your insider threat starts in the inbox, not the server room.

 

The Coinbase breach wasn’t an anomaly. It was a blueprint.

 

Why You Need Anzenna for This Moment

We saw this coming. We built for it. Insider risk isn’t a hypothetical. It’s operational. It’s human. And it’s already inside your org. Anzenna doesn’t wait for the next breach. We see it as it forms — and shut it down before it hits your bottom line. We don’t wait for logs to trickle into a SIEM. We operate in real time at the point of risk with live interventions. Fortify your forensics with our firewall for fraught human behavior.

 

Real-Time Risk Detection

Anzenna agentlessly integrates into your IT and support stack, including custom tools and outsourced systems. We don’t just monitor endpoints or log files. We provide a unified employee-centric view of your organization’s real-time risk posture.

Our platform identifies high-risk behaviors like: 

  • Abnormal access to customer data 
  • Repeated infections, risky installs or shadow IT use 
  • Social engineering patterns across support tickets 

And we do it while users are still logged in. 

The Old Way Looks Back. Anzenna Looks Forward.

UEBA platforms may detect such threats after they unfold, piecing together logs (if you have managed to ingest them) and anomalies (if you have written rules) long after data has left the building. But insider threats don’t wait. And neither should your defenses.

DLP solutions might find data exfiltration via certain means, but in this case the support rep was allegedly taking pictures of the customer data. 

Traditional insider risk solutions are agent-based and may still not catch such sophisticated threats, not to mention the significant setup and support overhead. Do outsourced support reps run IRM agents on their machines? Do traditional IRM solutions prevent the Disney-type insider hack, where an employee downloaded a fake AI application that stole a bunch of their sensitive data?

Anzenna is a modern insider risk solution that offers real-time risk detection through deep integrations with your IT, support, and custom systems. Whether it’s Salesforce, Zendesk, or an in-house helpdesk tool, Anzenna sees what your users are doing as they do it. 

Instead of relying on passive analytics, Anzenna takes action:

  • Block risky applications or sessions
  • Activate targeted training or warnings 
  • Lock access temporarily
  • Disable compromised or complicit accounts 

These aren’t just alerts; they’re built-in levers for automated, precision remediation with a modern AI interface.

With Anzenna, your team doesn’t just get more data. You get control. 

The Real Lesson from The Coinbase Breach

The biggest takeaway from the Coinbase breach isn’t about crypto tokens or even support outsourcing. It’s this: modern attacks don’t need to breach your defenses, they just need to bribe your help desk.

It’s time to move beyond policy enforcement and after-the-fact forensics. Insider risk isn’t an edge case. It’s a top threat vector and it’s one your security stack must actively address. 

Anzenna delivers people-centric protection for a people-powered world because trust alone is no longer a strategy.

Don’t Wait for the Next Headline

Coinbase isn’t alone. From healthcare to fintech to manufacturing, any organization that relies on third-party support or distributed workforces is vulnerable to the same playbook. 

Security tools that wait for unusual behavior to surface aren’t enough. You need a system that knows who’s doing what, where, and why at all times – before a bad actor turns routine access into a multi-million dollar crisis.

Anzenna gives you that visibility, that control, and that peace of mind.

Because the next breach won’t necessarily come from the outside – it might come from within.

What You Can Do Today to Prevent the Next Insider Breach

The Coinbase incident isn’t an edge case. It’s a preview. If your organization relies on distributed support teams, third-party access, or under-monitored internal tools — you’re in the blast radius.

Here’s what your team should do right now:

1. Audit Access to Customer Data

 

  • Identify which users — including contractors and third-party reps — can access sensitive customer records.
  • Remove standing access where it’s not essential. Use just-in-time permissions when possible.

 

2. Instrument Your Support Tools

 

  • Ensure your support platform logs access to customer data, not just ticket activity.
  • Track how many records each rep accesses — and whether those accesses correlate with open tickets.

 

3. Monitor for Behavioral Drift

 

  • Look for patterns that indicate misuse, like reps accessing accounts they weren’t assigned or sudden spikes in data views.
  • Pair behavior with context — was there a reason for the access, or was it opportunistic?

 

4. Test Your Visibility Stack

 

  • Are support tools integrated into your detection and response workflows?
  • If you rely on UEBA or SIEM alerts, verify that logs are ingested completely and continuously — partial visibility is a false sense of security.

5. Deploy Real-Time Insider Risk Controls

 

  • Passive monitoring is no longer enough. Use tools like Anzenna to detect and respond to insider threats as they happen:
    • Flag risky applications and sessions
    • Lock accounts showing signs of compromise
    • Trigger automated warnings or step-up verifications

The next breach won’t wait for your audit cycle. It will happen on a Wednesday morning with credentials that passed every check — except intent.

Anzenna stops breaches before data leaves the building.
