Coinbase's stock (COIN) fell by more than 8% Thursday after two developments raised new questions about the company's controls and regulatory headaches.
First, the US crypto exchange disclosed that cyberattackers had stolen sensitive customer data and threatened to publish it unless the company paid a $20 million ransom.
Then the New York Times reported that the Securities and Exchange Commission still has an open investigation into whether Coinbase misreported user data years ago.
Coinbase said no passwords or private crypto wallet codes had been compromised by the cyberattack and that the data leak affected less than 1% of Coinbase's monthly transacting customers, according to a blog post.
Separately, Coinbase's chief legal officer Paul Grewal shared his response to the New York Times with Yahoo Finance, saying the SEC matter was "a holdover investigation from the prior administration about a metric we stopped reporting two and a half years ago," adding that "we remain committed to working with the SEC to bring this matter to a close."
The two developments Thursday represented an unexpected setback for Coinbase, the largest US cryptocurrency exchange, following a series of wins this year as the crypto world gained deeper mainstream acceptance on Wall Street and in Washington, D.C.
Last week, the company announced a $2.9 billion acquisition of crypto options exchange Deribit. Earlier this week, Coinbase's stock soared after it was officially added to the S&P 500 index (^GSPC).
"Coinbase joining the S&P 500 means crypto's here to stay," Coinbase CEO Brian Armstrong said in a Yahoo Finance interview on Capitol Hill Wednesday.
"It's going to be in everybody's 401(k). Everyone's going to have crypto exposure at least indirectly through Coinbase. And it's also a symbol that crypto is updating the financial system," Armstrong added.
On Thursday morning, Armstrong posted a video on X addressing the breach.
He explained that instead of paying the ransom, Coinbase is establishing a $20 million reward or bounty program for information leading to the arrest and conviction of the attackers. He also said the company is planning to reimburse customers affected by the incident.
"No, we're not going to pay your ransom," Coinbase CEO Brian Armstrong said.
"These attackers had been approaching our overseas customer support agents, looking for a weak link, someone to accept a bribe in exchange for sharing some customer information," Armstrong said.
A preliminary estimate of the cost for the incident is "approximately $180 million to $400 million," Coinbase said in a Thursday SEC filing. A spokesperson clarified that the cost is "mostly" for the bounty program and reimbursing affected customers.
The attackers gained control of customer information, including names, emails, physical addresses, phone numbers, and government identification details — including the last four digits of their Social Security numbers — along with some bank account identifiers and snapshots of customer balance data and transaction history.
The news that the SEC still has an open investigation into Coinbase reinforced that the company's regulatory troubles may not be over, even after announcing in late February that the SEC had agreed to drop an enforcement case initiated by former SEC boss Gary Gensler.
Under Gensler, the agency had charged Coinbase with operating as an unregistered national securities exchange, broker, and clearing agency. President Trump replaced Gensler with cryptocurrency advocate Paul Atkins.
The SEC inquiry that remains open also began during the Biden administration, according to the New York Times. It centers on whether the company misstated its "verified user" numbers in financial disclosures as far back as its initial filing to go public, according to the Times.
Coinbase stopped using the "verified user" metric in 2023. "Based on our evaluation of our Verified Users metric, we do not believe this metric, which is an indicator of the scale of our platform, provides meaningful information related to our business performance," the company said in a February filing of that year.
Grewal, Coinbase's chief legal officer, said the metric was "fully disclosed to the public. We explained that the verified users metric includes anyone who verified their email address or phone number with us, so it may overstate the number of unique customers."
"We also disclosed — and continue to disclose — the more relevant metric of ‘monthly transacting users’ — the number of people who use our platform in a given month."
David Hollerith is a senior reporter for Yahoo Finance covering banking, crypto, and other areas in finance.