A recent Coinbase breach is yet another alarming demonstration of the dangers posed by digital ID systems that centralize vast amounts of personal information. As governments around the world push for legislation requiring individuals to submit state-issued identification to access online services, incidents like this highlight how such policies expose users to escalating privacy threats.
In this case, attackers didn’t need to break through firewalls or exploit obscure technical vulnerabilities. Instead, they simply paid support workers based outside the United States, individuals with authorized access to internal systems, to hand over sensitive customer data. That access allowed the attackers to collect a wide range of private information, including names, phone numbers, addresses, partial Social Security numbers, masked bank details, account records, and images of government-issued IDs like passports and driver’s licenses.
This breach is about more than stolen credentials. It was about the consequences of designing systems that require people to hand over identity documents in order to use digital platforms, systems where one bad actor or one compromised contractor can open the floodgates to millions of users’ data.
Coinbase confirmed that fewer than 1% of its nearly 10 million monthly users were affected, yet the scale of what was exposed makes that figure almost irrelevant.
Once identity documents are compromised, the risk of identity theft becomes permanent. Unlike a password, a driver’s license or passport can’t be rotated or reissued with ease. The fact that this data was stored in a form vulnerable to insider misuse raises deep questions about the wisdom of current digital ID frameworks.
The attackers, according to Coinbase, demanded $20 million in exchange for not releasing the stolen data. The company has refused to pay and is instead offering a $20 million reward for information that leads to an arrest. But for users whose data is now out in the wild, the damage may already be done.
Coinbase is now responding by establishing a US-based support hub and reinforcing its security posture. It also expects to spend up to $400 million on remediation and customer protection. These moves, while necessary, come only after the fact, and do little to address the systemic issue: requiring individuals to submit official identification to use digital platforms creates centralized targets that are too tempting and too vulnerable.
As more laws are introduced around the world mandating digital ID verification for accessing websites, apps, and financial tools, the risks are only growing. The breach isn’t an outlier; it’s a warning sign. A system that demands users give up privacy in the name of security is failing at both.
