Despite speculation on a few forums, there has been no data breach of names or emails at Coinbase. We wanted to take this opportunity to address any concerns.
Specifically with regard to the ‘request money’ feature of Coinbase, it is highly inaccurate to suggest that names or emails were leaked or that there has been a breach. Our new Director of Security Ryan McGeehan responded accordingly in our whitehat responsible reporting tool. Here are the high level points:
Requesting money as spam
It is intentional that Coinbase users are able to send invoices to an arbitrary number of email addresses. Allowing lists to be invoiced is core functionality of our service, and this functionality is intentionally built into our API, which is rate limited:
This process simply sends an email with a request. It does not initiate any bitcoin transfer without confirmation from the recipient, and would not be any more effective than more traditional phishing methods, which we spend a considerable amount of time preventing.
Email address / user enumeration on Coinbase
It’s important to note that using an email address to determine if someone has an account on a service is the norm across most internet sites today. You’ll find that user enumeration is possible on Facebook, Google, Dropbox, and nearly every other major internet site.
You’ll also find many leading payment services allow user enumeration, including Paypal, Venmo, Square Cash, and many others. One simply needs to try sending or requesting money using one of these services to an email address to see this in action. The name of the user or business will be revealed on the next step.
Using user names in our service is an important component in providing a positive and responsive user experience. And to be clear - a sender would need your email address in advance to be able to send you a request for money.
We’ve spent a good amount of time investigating this behavior and we believe that the risks are minor.
Information disclosure of coinbase accounts (first and last name)
We’d also like to address the claim of a “leaked” list of Coinbase emails and user names. This list (the size of which is less than one half of one percent of Coinbase users) was not the result of a data breach at Coinbase. This list of emails was likely sourced from other sites - probably Bitcoin related ones. It’s clear there was no data breach because no other user information is provided.
Though we believe this type of spam and user enumeration activity doesn’t represent a significant risk to Coinbase customers, we absolutely recognize that it can be an inconvenience and cause confusion. We have already implemented a number of things which make this type of activity less convenient for would-be spammers. For example, we employ rate limits around sensitive actions, such as requesting money, to prevent them from being abused at scale. We’re fine tuning this existing rate limiting to make it more restrictive. To those who have received spammy requests, we apologize.
We are continually striving to make Coinbase as safe and secure as possible for all of our users, and in the coming weeks, we will perform a more extensive overview of the existing controls we have in place to see how they can be improved.
We will continue to update this blog post as more information is made available. As always, if you have any questions or concerns about the security of your account please visit us at http://support.coinbase.com/ .