On Tuesday morning, a link submitted on the popular social sharing website Reddit.com, which linked to Pastebin, displayed the email addresses and full names over over 2,000 individuals, raising concern that there was a data breach at some level at bitcoin brokerage Coinbase.
The San Francisco-based company has taken to their official blog to address the matter today.
This list (the size of which is less than one half of one percent of Coinbase users) was not the result of a data breach at Coinbase. This list of emails was likely sourced from other sites – probably Bitcoin related ones. It’s clear there was no data breach because no other user information is provided.
Many in the community became concerned when on Monday, developer Shubham Shah released a full disclosure on what he suggested was a security vulnerability at Coinbase, allowing attackers to obtain the full names and emails of Coinbase customers. This so-called vulnerability would also allow attackers to send unlimited money requests to Coinbase customers.
On the matter, Coinbase said:
While not “unlimited”, it is absolutely intentional that Coinbase users are able to send invoices to an arbitrary number of email addresses. Allowing lists to be invoiced is core functionality of our service, and this functionality is intentionally built into our API
According to Coinbase, it’s “highly inaccurate to suggest that names or emails were leaked or that there has been a breach.”
It’s important to note that using an email address to determine if someone has an account on a service is the norm across most internet sites today. You’ll find that user enumeration is possible on Facebook, Google, Dropbox, and nearly every other major internet site.
…
Using real names in our service is an important component in providing a positive and responsive user experience. And to be clear – a sender would need your email address in advance to be able to send you a request for money.
The company says they’ve spent some time looking into the matter, and believe the “risks are minor”. But they are taking some level of action to try and ease the minds of their customers:
Though we believe this type of spam and user enumeration activity doesn’t represent a significant risk to Coinbase customers, we absolutely recognize that it can be an inconvenience and cause confusion. We have already implemented a number of things which make this type of activity less convenient for would-be spammers. For example, we employ rate limits around sensitive actions, such as requesting money, to prevent them from being abused at scale.
Read the full blog post here. How do you feel about Coinbase’s response?