Home / Crypto / Learn / 10 Crypto Companies Who Suffered Major Data Leaks
Learn 8 min read

10 Crypto Companies Who Suffered Major Data Leaks

Key Takeaways

  • Crypto companies that suffered major data leaks include Coinbase, Ledger, and OpenSea, where millions of records were exposed, mostly customer contact information and IDs.
  • These companies collect personal data such as emails, addresses, and IDs, which creates exposure risks despite the blockchain’s anonymous transaction design.
  • These leaks fueled large-scale phishing campaigns, identity theft risks, and lawsuits, affecting trust in crypto companies and their vendors.
  • Companies responded with tighter security measures, investigations, and public warnings, stressing that funds remained intact despite exposed personal data.

When most people hear the word blockchain, the first thought is blockchain anonymity. The system records transactions without attaching names or addresses, which has always been part of the appeal. Yet anyone who has ever opened an account at a crypto exchange, signed up for a wallet service, or bought an NFT knows something different.

These companies are centralized businesses, and they often ask for a great deal of personal information. An email address may be the minimum, but many have KYC requirements that include verifiable names, phone numbers, or full government-issued identification for verification.

This creates an unusual tension. The technology is built for privacy, but the companies that act as gateways hold troves of personal data. And when those companies fail to protect the data, the impact can ripple far beyond crypto.

Below are ten examples of major data leaks that struck well-known cryptocurrency firms.

10 Crypto Companies Who Suffered Major Data Leaks

Company Location Type of Company Data Leak Year
Coinbase United States Crypto Exchange 2024–2025
Ledger France Hardware Wallet Provider 2020
Liquid Japan Crypto Exchange 2020
KeepChange International (Bitcoin Marketplace) P2P Trading Platform 2021
Celsius United States Crypto Lending Platform 2021
HubSpot Vendor Breach United States CRM Provider (affecting multiple crypto firms) 2022
OpenSea United States NFT Marketplace 2022
FTX & BlockFi via Kroll United States Exchange & Lending Platform (bankruptcy claims) 2023
BTC Markets Australia Crypto Exchange 2020
CoinGecko Singapore Market Data & Analytics 2024

Coinbase

Coinbase is one of the largest and most regulated centralized exchanges in the United States. In late December 2024, rogue overseas support agents working for Coinbase were bribed to access customer support records. The cybersecurity breach went undetected for several months and was only discovered in May 2025.

The attackers viewed a wide set of personal information. It included names, home addresses, phone numbers, masked Social Security digits, bank account details with only partial numbers visible, government ID images, account balances, and transaction histories. Login credentials and private keys were not compromised.

Roughly 69,500 people, or about 1% of Coinbase’s customers, were affected. Coinbase estimated the cost of reimbursements and remediation at between $180 and $400 million. The company declined a $20 million ransom demand from the attackers and instead offered the same amount as a bounty for information leading to their capture.

Several class-action lawsuits followed, and the Securities and Exchange Commission began reviewing Coinbase’s handling of the breach. Despite the scale of the incident, Coinbase emphasized that all funds remained safe, and it committed to covering phishing-related losses for impacted customers.

Ledger

Ledger sells hardware crypto wallets that store private keys offline. In July 2020, attackers exploited a misconfigured API from a third-party service to access Ledger’s marketing database.

Nearly one million customer email addresses were exposed in the hack. For around 9,500 users, additional details such as full names, phone numbers, and mailing addresses were also compromised. Later leaks suggested the number of personal records may have been closer to 272,000.

The data did not include private keys or wallet balances, but the information created a fertile ground for phishing campaigns. Customers began receiving fraudulent emails that looked like official Ledger communications.

Ledger responded by disabling the compromised API key, hiring a new Chief Security Officer, and working with law enforcement agencies, including France’s data protection regulator. The company also built an internal team focused on identifying and taking down phishing websites.

Liquid

Liquid, based in Japan, experienced a breach in November 2020 after attackers gained control of its domain records through a hosting provider. The attackers accessed internal email accounts and infiltrated parts of the company’s infrastructure.

Liquid confirmed that customer emails, names, addresses, and encrypted passwords were exposed. The company also investigated whether scanned identity documents had been accessed. Fortunately, Liquid’s multi-party computation wallets protected funds, and no cryptocurrency was taken.

After regaining domain control, Liquid advised all customers to reset their passwords and strengthened monitoring of suspicious activity. The company treated the breach as a serious warning about dependencies on third-party domain providers.

KeepChange

KeepChange was a smaller Bitcoin marketplace focused on peer-to-peer trading. In February 2021, hackers breached the platform’s control systems but failed to withdraw any Bitcoin due to internal security mechanisms.

Although funds remained intact, the attackers exfiltrated sensitive data. This included user emails, names, trade counts, cumulative traded amounts, and hashed passwords. The company required all customers to reset their passwords and temporarily paused withdrawals.

KeepChange added new protections, such as two-factor authentication and login guards. The event showed how even relatively small services hold data that attackers view as valuable.

Celsius

Celsius, the lending platform that later entered bankruptcy, faced a data incident in April 2021. Hackers infiltrated a third-party email distribution system used for sending customer communications.

The attackers sent fraudulent messages to users. Some of these messages also reached phone numbers, raising questions about how that contact information was obtained. Celsius confirmed that a partial customer email list had been exposed, which the attackers used for social engineering.

The company reported the incident to authorities and advised users to remain vigilant. While funds were unaffected, the breach added to growing concerns about the company’s overall operational risks.

HubSpot Vendor Breach

In March 2022, HubSpot, a major customer relationship management platform, disclosed that attackers compromised an employee account and accessed data belonging to around thirty crypto clients. Those clients included BlockFi, NYDIG, Circle, Swan Bitcoin, and Pantera Capital.

The exposed information was limited to names, emails, and phone numbers. No login credentials or funds were involved. Still, the scale was broad since HubSpot serves as the marketing database for many large firms.

Each affected company confirmed that customer assets were safe, yet many warned their users about a wave of phishing attempts that followed. HubSpot immediately revoked access for the compromised account and strengthened its internal controls.

OpenSea

OpenSea is the largest NFT marketplace in the Web3 ecosystem. In June 2022, it disclosed that a contractor at its email service provider Customer.io had leaked user email addresses to an external party.

The leak contained only email data, but the risk of targeted phishing grew considerably because OpenSea’s user base was expanding quickly at the time. Attackers soon sent fraudulent messages urging users to connect wallets or share seed phrases.

OpenSea warned customers to verify all official communications, listed approved email domains, and worked with Customer.io to end the leak.

FTX and BlockFi via Kroll

During the bankruptcy proceedings of FTX and BlockFi in August 2023, their court-appointed claims agent, Kroll, experienced a breach. Attackers accessed “non-sensitive” data from bankruptcy claimants, including names and contact information.

The companies assured users that account credentials and funds were not exposed. However, many affected customers reported receiving phishing emails that attempted to mimic official bankruptcy communication.

Kroll contacted impacted individuals and worked with both companies to contain the issue. Given the ongoing bankruptcy cases, the breach highlighted how even administrative vendors can create exposure for millions of users.

BTC Markets

BTC Markets is one of Australia’s oldest exchanges. In December 2020, the company sent a marketing email to more than 270,000 customers. A staff error placed all addresses in the visible “To” field instead of the blind copy field.

Every recipient could therefore see the names and email addresses of up to one thousand other users. No passwords, transaction records, or funds were involved, but the scale of exposure created an immediate risk of targeted phishing.

BTC Markets quickly acknowledged the mistake, reported it to Australia’s Office of the Information Commissioner, and launched an internal review. While the incident did not involve a hack, it highlighted how simple operational errors can compromise large volumes of personal data.

CoinGecko

In June 2024, CoinGecko identified a breach at a third-party email marketing service it relied on.

  • An attacker gained access to a staff account and exported almost 2 million contact records.
  • The data contained names, email addresses, internet protocol addresses, geographic locations, signup dates, and subscription details.
  • The attackers later attempted phishing campaigns using the stolen list.

CoinGecko confirmed that account passwords and financial records were not touched. Still, the scale of the leak reminded users that even information stored for marketing can become a target for crypto scams.

Closing Thoughts

Data leaks in crypto highlight a paradox. The blockchain itself may remain secure, but the services built around it often need personal information to function. The crypto companies that suffered major data leaks show how vulnerable these centralized systems can be. Every time a user hands over an email address, a scanned passport, or a phone number, that data becomes part of a database that must be protected with the highest care.

As adoption grows, the lesson becomes even sharper. A blockchain may offer anonymity, but the gateways to it are run by businesses that handle data like any other financial institution. Protecting that information is not an afterthought but an essential promise to the communities that trust them.

Was this Article helpful? Yes No
Thank you for your feedback. 0% 0%