San Francisco-based bitcoin wallet provider Coinbase has officially denied allegations of a data breach, after roughly 2,000 Coinbase customer names and emails were compromised. The company has also responded to community concerns relating to a design function of its “Request Money” service by calling it a feature.
The response was published after an anonymous leaker posted a link to data site Pastebin, which contained hundreds of alleged Coinbase customers’ names and email addresses. Even though some of these names were duplicated, the online thread was quick to point out that a vulnerability that was closed without being fixed may have been behind the leak of email addresses and names.
In a statement on its website, Coinbase director of security Ryan McGeehan confirmed that the list of users published was “less than one half of one percent” of Coinbase users. In addition, it was said that “this list of emails was likely sourced from other sites – probably Bitcoin related ones.”
McGeehan explained in the blog post that it was not a data breach, but is a “norm across most internet sites today”, like Facebook, Google, and Dropbox. The process, called email enumeration, can be used to determine whether users exist on the site or not.
“You’ll also find many leading payment services allow user enumeration, including Paypal, Venmo, Square Cash, and many others…”
“Though we believe this type of spam and user enumeration activity doesn’t represent a significant risk to Coinbase customers, we absolutely recognize that it can be an inconvenience and cause confusion,” he said.
He also referred to a new feature called “Request Money” that allows users to request funds by entering an email address, describing it as part of the “core functionality” of its service.
The security risk was discovered on Monday by Australia-based security researcher Shubham Shah, who found that he could send a series of emails requesting money from different addresses and receive back a response with the name and email of valid Coinbase users.
While the feature doesn’t constitute a security flaw, it could aid would-be attackers who are phishing for addresses associated with Bitcoin. Coinbase acknowledged this concern, though it said it believes it represents a low fraud risk, and is more threatening to users as a spam issue.
“We are continually striving to make Coinbase as safe and secure as possible for all of our users, and in the coming weeks, we will perform a more extensive overview of the existing controls we have in place to see how they can be improved,” reads the statement.
Nevertheless, after a difficult few months in cryptocurrency circles, notably the shuttering of the Mt. Gox bitcoin exchange, the community was again left shaken by the leak.
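The request pattern described above, one account sending money requests to many different addresses in a short time, can be flagged from request logs. The following is an added example, not Coinbase's code: the log format, account names, window and threshold are all assumptions, and the sample data is constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed look-back window
MAX_DISTINCT = 5                # assumed limit on distinct recipients per sender

def sample_log():
    """Constructed log lines in a hypothetical 'timestamp sender recipient' format."""
    base = datetime(2020, 1, 1, 12, 0, 0)
    lines = []
    # acct_901: eight different recipients, 30 seconds apart (enumeration-like)
    lines += [f"{(base + timedelta(seconds=30 * i)).isoformat()} acct_901 user{i}@example.com"
              for i in range(8)]
    # acct_17: six requests, but only ever to the same two recipients
    lines += [f"{(base + timedelta(minutes=i)).isoformat()} acct_17 friend{i % 2}@example.com"
              for i in range(6)]
    # acct_42: seven different recipients, but 30 minutes apart
    lines += [f"{(base + timedelta(minutes=30 * i)).isoformat()} acct_42 client{i}@example.com"
              for i in range(7)]
    return lines

def parse(line):
    ts, sender, recipient = line.split()
    return datetime.fromisoformat(ts), sender, recipient.lower()

def flag_enumerators(lines, window=WINDOW, max_distinct=MAX_DISTINCT):
    """Map each flagged sender to the time it first exceeded max_distinct
    distinct recipients inside one sliding window."""
    recent = defaultdict(deque)  # sender -> (timestamp, recipient) pairs in window
    flagged = {}
    for ts, sender, recipient in sorted(parse(l) for l in lines if l.strip()):
        q = recent[sender]
        q.append((ts, recipient))
        # Drop requests that have aged out of the window.
        while ts - q[0][0] > window:
            q.popleft()
        # Count distinct addresses, so repeat requests to one contact do not trip it.
        if sender not in flagged and len({r for _, r in q}) > max_distinct:
            flagged[sender] = ts
    return flagged

if __name__ == "__main__":
    for sender, when in flag_enumerators(sample_log()).items():
        print(f"{sender} exceeded {MAX_DISTINCT} distinct recipients at {when}")
```

The same counter can back a per-sender rate limit on the request endpoint instead of an after-the-fact alert.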