From the Coinbase website:
https://www.coinbase.com/en-de/blog/protecting-our-customers...
What they got
- Name, address, phone, and email
- Masked Social Security (last 4 digits only)
- Masked bank‑account numbers and some bank account identifiers
- Government‑ID images (e.g., driver’s license, passport)
- Account data (balance snapshots and transaction history)
Wow. Why does customer support staff have access to images of the users' passports? I also like 'last 4 digits only', as if that's not the most important part and the part so many places use to validate your identity. The first 5 are just area and group, so they're not exactly random.
Everyone's social security number is available. If you go download the leak referred to in this HN post [1], your SSN is certainly in it. Mine was, everyone in my family's was, almost all of my friends' were.
The world needs to stop pretending that SSNs are secret. They aren't.
Does it require the skills of using PowerShell to open and search? I'm very curious but am not a coder, I do audio and graphic design. That being said, I've copy-pasted pieces of Python, tailored them to my use and made them work.*
I'm just very curious to check for myself and my family.
*hah, here's me making it work https://www.youtube.com/watch?v=PMeRFnkHgBc&t=97s
The world stopped pretending a long time ago. In my country, the SSN is public information.
Ah, cool. My name, home address, phone number, social security number, and images of my driver's license and passport, as well as what bank I use.
Spy agencies regulating financial institutions (really): https://news.ycombinator.com/item?id=43996848
Who else would verify the user passports if not the customer support staff? Who verifies (and photocopies! in Asia and Europe) your passport at a hotel or car rental office?
A separate KYC department that verifies identity then immediately deletes the images?
When was the last time your passport was copied in Europe?
I don't think that this is still legal under the GDPR.
September 2024
All KYC processes require copying in Europe. There's nothing that's blanket illegal under GDPR. If you have consent you can collect and store whatever you want.
It's not that easy. The consent has to be freely given. And data collection has to be kept at a minimum.
If hotel staff says "Ok, last step we need to do to check you in is to copy your passport" that would probably neither count as freely given consent nor as keeping data collection to a minimum.
And KYC also does not mean you have to copy the passport of a person.
I always thought that the government ID photos were claimed to be wiped out immediately after document verification. Guess not.
The attackers bribed customer service agents to hand over data and documents; they were not breached directly. It's possible this stuff may have been handed over before being destroyed.