Crypto ATM operator Bitcoin Depot has revealed that a data breach from mid-2024 exposed the personal information of nearly 27,000 users — a disclosure made more than a year after the incident occurred.
In a notice filed Monday with the attorneys general of Maine and Massachusetts, the company confirmed that 26,732 customers were affected by an “external system breach” that took place on June 23, 2024.
A Bitcoin Depot spokesperson told Cointelegraph that the company delayed notifying users at the request of federal law enforcement, citing an active investigation into the third-party responsible for the breach.
“Law enforcement advised us on June 13 that their investigation had concluded,” the spokesperson said, adding that the company had only recently been authorized to notify those impacted.
The crypto and tech industries remain frequent targets for cyberattacks. In just the first half of this year, hackers exposed more than 16 billion login credentials across various online platforms and compromised user data from the crypto exchange Coinbase in May.
Names and Addresses Exposed, But No Signs of Misuse, Says Company
In its customer notice, Bitcoin Depot stated that the breach exposed names, phone numbers, and driver’s license numbers, and may have also included addresses, birth dates, and email addresses.
“There is no evidence that any customer information has been misused,” a company spokesperson said. “We remain committed to safeguarding our customers’ data and privacy.”
Bitcoin Depot has advised affected customers to monitor their credit reports closely, report any suspicious activity, and consider placing fraud alerts and security freezes with credit bureaus. These measures prompt creditors to take additional steps to verify identity before opening or modifying credit accounts.
Hacker Gained Unauthorized Access to Bitcoin Depot’s Systems
According to a Bitcoin Depot spokesperson, the company detected unusual activity on its network in June 2024 and immediately launched an investigation in partnership with a leading cybersecurity firm.
The investigation concluded on July 18, 2024, confirming that an unauthorized party had accessed files containing personal information of certain customers, as noted in both the spokesperson’s statement and the official customer notice.
While Bitcoin Depot did not disclose additional technical details, it stated that it is cooperating with law enforcement and has implemented enhanced security measures, increased monitoring, and boosted internal awareness to help prevent future breaches.
String of data leaks
Bitcoin ATM operators have been targeted by hackers before. In December, Byte Federal disclosed a data breach that potentially impacted 58,000 customers after attackers exploited a vulnerability in third-party software.
The company said it promptly shut down its platform in response and confirmed that no user funds or assets were compromised.
Similarly, Coinbase reported in May that it had been targeted by malicious actors who bribed third-party contractors to gain access to customer information. The company said it refused a $20 million ransom demand after the attackers leaked user data in mid-May.
