Last week, Coinbase told customers about a security breach in which criminals accessed personal data from around 1% of its monthly transacting users. The popular cryptocurrency exchange estimates the hack could cost it between $180 million and $400 million, per its May 14 SEC filing.

The hackers bribed Coinbase employees abroad so they could access user information on its internal systems. They then demanded a $20 million ransom from Coinbase, which the company refused to pay. Instead, it offered the money as a reward for information that helped to catch the criminals.

Coinbase promises to cover user losses

Coinbase says it informed all affected users by email and committed to reimbursing any losses. While the criminals didn't access sensitive data such as passwords, 2FA, or cryptocurrency keys, they did get their hands on significant amounts of personal data. That includes names and addresses, as well as masked Social Security numbers and bank account details.

This gives the hackers enough information to mount targeted social engineering attacks. These can be sophisticated schemes in which criminals use your information to trick you into giving up security codes, logging on to fake sites, or transferring money. For example, they might pose as Coinbase representatives and tell customers to move crypto into a so-called "safe" account.

According to The Block, Coinbase had around 9.7 million monthly transacting users. That means hackers could have accessed the data from around 97,000 users.

Repaying losses is only part of the picture

Coinbase says it will cover any customer losses that result from the hack. It promised to introduce stricter anti-fraud protections, strengthen its security controls, and open a support hub in the U.S. It also fired the employees involved in the incident. However, the attack raises questions about the safety of funds on crypto exchanges.

Indeed, banks can also get hacked. It happened to Santander in Spain last year. Cyberattacks are an unfortunate part of modern living. Even so, banks generally have better security and more consumer protections. Coinbase is choosing to make clients whole, but it doesn't have to.

In contrast, the Electronic Fund Transfer Act (also known as Regulation E) requires banks to reimburse customers for fraudulent transactions. If a bank fails, FDIC insurance protects customer money. Similarly, most top brokerages will reimburse fraudulent losses, and SIPC protection kicks in if the brokerage collapses.

At a time when crypto is becoming more mainstream and the U.S. government is looking at legislation around how bank-like institutions should behave, news of this hack is particularly relevant. Simply put, assets on cryptocurrency exchanges are currently more at risk than those held in banks and brokerage accounts.

How crypto investors can protect themselves

Digital assets are a relatively new asset class, and, unfortunately, that puts a greater onus on investors to keep their assets secure. While you can't do much to stop crypto from being volatile, you can take steps to minimize other security risks.

  • Be alert for phishing and social engineering attacks: Try not to click on links you get via email or text message, even if you think you know the sender. Check the URLs and sender details carefully and look for telltale signs such as a swapped letter or misspelling.
  • Monitor bank statements for fraudulent activity: If there's a chance that hackers have accessed some of your data, check your bank statements for suspicious transactions. It's also worth checking your credit report and considering a credit freeze if you think someone may be able to borrow money in your name.
  • Consider a non-custodial crypto wallet: If you leave your money on a crypto exchange, that platform has custody of your assets, and they are at risk if it gets hacked. If you're worried about leaving your crypto on a centralized platform, investigate the pros and cons of non-custodial wallets. Hardware wallets are kept offline, which makes them harder to hack. Be aware that crypto wallets have different risks, such as a lack of assistance if you forget your password.
  • Buy a crypto ETF: Exchange-traded funds (ETFs) allow investors to add crypto to their portfolios from an ordinary brokerage account. Even better? The fund custodian is responsible for storing the assets safely. The SEC has approved a number of spot ETFs for Bitcoin and Ethereum. There are several applications for other crypto ETFs in the pipeline.

Keep security front of mind

The knowledge that criminals may have accessed your personal data is unpleasant. Crypto investors need to be more conscious of the risks than other types of retail investors. The good news is that there are ways to make life harder for hackers, including setting up your own crypto wallet or buying crypto ETFs.