Update on Coinbase Data Security

Apr 1st, 2014

Despite speculation on a few forums, there has been no data breach of names or emails at Coinbase.  We wanted to take this opportunity to address any concerns.

Specifically with regard to the ‘request money’ feature of Coinbase, it is highly inaccurate to suggest that names or emails were leaked or that there has been a breach.  Our new Director of Security Ryan McGeehan responded accordingly in our whitehat responsible reporting tool.  Here are the high level points:

Requesting money as spam

It is intentional that Coinbase users are able to send invoices to an arbitrary number of email addresses.  Allowing lists to be invoiced is core functionality of our service, and this functionality is intentionally built into our API, which is rate limited:

https://coinbase.com/api/doc/1.0/transactions/request_money.html

This process simply sends an email with a request. It does not initiate any bitcoin transfer without confirmation from the recipient, and would not be any more effective than more traditional phishing methods, which we spend a considerable amount of time preventing.

Email address / user enumeration on Coinbase

It’s important to note that using an email address to determine if someone has an account on a service is the norm across most internet sites today. You’ll find that user enumeration is possible on Facebook, Google, Dropbox, and nearly every other major internet site.

You’ll also find many leading payment services allow user enumeration, including Paypal, Venmo, Square Cash, and many others.  One simply needs to try sending or requesting money using one of these services to an email address to see this in action.  The name of the user or business will be revealed on the next step.

Using user names in our service is an important component in providing a positive and responsive user experience. And to be clear - a sender would need your email address in advance to be able to send you a request for money.

We’ve spent a good amount of time investigating this behavior and we believe that the risks are minor.

Information disclosure of Coinbase accounts (first and last name)

For individuals who list a name, our product and Privacy Policy make it explicitly clear that this contact information can be displayed - and in turn, make Coinbase a more human user experience.

We’d also like to address the claim of a “leaked” list of Coinbase emails and user names.  This list (the size of which is less than one half of one percent of Coinbase users) was not the result of a data breach at Coinbase.  This list of emails was likely sourced from other sites - probably Bitcoin related ones.  It’s clear there was no data breach because no other user information is provided.

Conclusion

Though we believe this type of spam and user enumeration activity doesn’t represent a significant risk to Coinbase customers, we absolutely recognize that it can be an inconvenience and cause confusion.  We have already implemented a number of measures which make this type of activity less convenient for would-be spammers.  For example, we employ rate limits around sensitive actions, such as requesting money, to prevent them from being abused at scale.  We’re fine-tuning this existing rate limiting to make it more restrictive.  To those who have received spammy requests, we apologize.
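The paragraph above describes the control in one sentence: rate limits around sensitive actions such as requesting money. The following is an added example written for this page, not Coinbase's code, showing what such a control looks like when it is applied on two axes at once. The action names, the thresholds, the in-memory store and the fake clock are all assumptions chosen for illustration; Coinbase's real limits are not stated in the post. Each invoice is charged against the sender's budget (so one account cannot spray a large list) and against the recipient's inbound budget (so one address cannot be flooded from many accounts), and both checks pass before either budget is consumed.

```python
"""Sliding-window rate limiter for a 'request money' style action.

Added example, not Coinbase's implementation. Limits, action names and the
in-memory store are assumptions made for illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
import time


@dataclass(frozen=True)
class Limit:
    max_events: int        # events allowed inside the window
    window_seconds: float  # length of the sliding window


class SlidingWindowLimiter:
    """Counts timestamps per (action, key) and prunes those older than the window."""

    def __init__(self, limits, clock=time.monotonic):
        self.limits = limits            # {action_name: Limit}
        self.clock = clock              # injectable for deterministic tests
        self.events = defaultdict(deque)  # (action, key) -> deque of timestamps

    def _prune(self, action, key):
        limit = self.limits[action]
        q = self.events[(action, key)]
        cutoff = self.clock() - limit.window_seconds
        while q and q[0] <= cutoff:     # drop events that fell out of the window
            q.popleft()
        return q, limit

    def remaining(self, action, key):
        """How many more events this key may perform right now (peek only)."""
        q, limit = self._prune(action, key)
        return max(0, limit.max_events - len(q))

    def record(self, action, key):
        """Consume one slot for this key."""
        q, _ = self._prune(action, key)
        q.append(self.clock())


# Assumed thresholds for the example: 5 invoices per sender per hour,
# and at most 2 inbound invoices per recipient address per day.
LIMITS = {
    "request_money:sender": Limit(max_events=5, window_seconds=3600),
    "request_money:recipient": Limit(max_events=2, window_seconds=86400),
}


def request_money(limiter, sender_id, recipient_emails):
    """Return (accepted, rejected) for a batch of invoice requests.

    rejected holds (email, reason) tuples. Both budgets are checked before
    either is charged, so a request refused on the recipient axis does not
    burn the sender's allowance.
    """
    accepted, rejected = [], []
    for raw in recipient_emails:
        email = raw.strip().lower()     # normalise so case changes don't evade the limit
        if limiter.remaining("request_money:sender", sender_id) == 0:
            rejected.append((email, "sender_rate_limited"))
            continue
        if limiter.remaining("request_money:recipient", email) == 0:
            rejected.append((email, "recipient_rate_limited"))
            continue
        limiter.record("request_money:sender", sender_id)
        limiter.record("request_money:recipient", email)
        accepted.append(email)
    return accepted, rejected


class FakeClock:
    """Manual clock so the window behaviour can be exercised without sleeping."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


if __name__ == "__main__":
    clock = FakeClock()
    limiter = SlidingWindowLimiter(LIMITS, clock)
    batch = [f"user{i}@example.test" for i in range(6)]  # constructed addresses
    print(request_money(limiter, "alice", batch))        # 5 accepted, 1 sender_rate_limited
    print(request_money(limiter, "bob", ["USER0@example.test"]))   # accepted (2nd inbound)
    print(request_money(limiter, "carol", ["user0@example.test"]))  # recipient_rate_limited
    clock.advance(3601)
    print(request_money(limiter, "alice", ["user9@example.test"]))  # sender window has rolled
```

The sender budget is what makes list-spraying expensive; the recipient budget is what protects an individual address regardless of how many accounts the spammer controls. In a production deployment the deque store would be replaced by a shared store so that the limit holds across application servers, but the check-then-record ordering is the part worth copying.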

We are continually striving to make Coinbase as safe and secure as possible for all of our users, and in the coming weeks, we will perform a more extensive overview of the existing controls we have in place to see how they can be improved.

We will continue to update this blog post as more information is made available.  As always, if you have any questions or concerns about the security of your account please visit us at http://support.coinbase.com/.
