SEC requires material cybersecurity incidents be disclosed within four business days; state laws often have a 30-day disclosure deadline. It’s not clear if customers outside the US were affected; if so, other disclosure laws may apply.
Security researchers who have spent months trying to call Coinbase’s attention to serious issues at the company are disputing Coinbase’s claims about the timing of the breach. “Threat actors had ongoing access via multiple insiders over a prolonged period of time.”
Those dumpster fires can smolder for a long long time. 🔥 🤷♂️