GPD Holdings LLC, known as “CoinFlip,” is a kiosk and mobile application operator processing over a million transactions since 2015. CoinFlip is also one of the hosts of Bitcoin ATMs, which allow consumers to move cryptocurrency fluidly. A recent cybersecurity event targeting CoinFlip may have exposed consumer information following a data breach.
The consumer notification letter says the breach happened due to a sophisticated social engineering plot; the bad actor succeeded in compromising an employee’s account but lost the permissions within a day.
On August 7th, 2023, the unauthorized party entered the systems using employee credentials. Less than a day later, CoinFlip found and removed the threat, immediately launching an internal investigation. Their investigation concluded on or around September 21st, and CoinFlip began to notify authorities.
The letter doesn’t state if the data belonged to employees or consumers, but the language suggests certainty about the exposure; this leads us to believe that CoinFlip will reliably notify impacted parties in the coming weeks.
The filing on the Maine Attorney General’s Office page indicates that 36,646 people may have had information exposed; however, that number does not reflect the total number of files stolen. Further, since nothing is public about the threat actors, there’s no way to tell what information they want or how they’ll use it.