Coinbase Denies Data Breach, Says Email and Name Disclosure is a ‘Feature’

Bitcoin wallet company Coinbase has addressed the security issue concerning the alleged data breach, after its customers’ emails and usernames showed up online.

An anonymous user uploaded a list of about 2,000 usernames and email addresses to Pastebin, claiming they are Coinbase users. Photo: Coinbase

San Francisco-based bitcoin wallet provider Coinbase has officially denied allegations of a data breach, after roughly 2,000 Coinbase customer names and emails were compromised. The company has also responded to community concerns about a design function of its “Request Money” service by calling it a feature.

The response was published after an anonymous leaker posted a link to the data-sharing site Pastebin, which contained hundreds of alleged Coinbase customers’ names and email addresses. Even though some of these names were duplicated, the online thread was quick to point out that a vulnerability report which had been closed without a fix may have been behind the leak of email addresses and names.

In a statement on its website, Coinbase director of security Ryan McGeehan confirmed that the list of users published was “less than one half of one percent” of Coinbase users. In addition, it was said that “this list of emails was likely sourced from other sites – probably Bitcoin related ones.”

McGeehan explained in the blog post that it was not a data breach, but is a “norm across most internet sites today”, like Facebook, Google, and Dropbox. The process, called email enumeration, can be used to determine whether a given user exists on the site or not.

“You’ll also find many leading payment services allow user enumeration, including Paypal, Venmo, Square Cash, and many others…”

“Though we believe this type of spam and user enumeration activity doesn’t represent a significant risk to Coinbase customers, we absolutely recognize that it can be an inconvenience and cause confusion,” he said.

He also referred to a new feature called “Request Money” that allows users to request funds by entering an email address, describing it as part of the “core functionality” of its service.

If the recipient is a Coinbase user, the website generates a return email complete with the individual’s first and last name, provided they used their real name to register with the service. However, the bitcoin wallet provider does not require its users to provide real names, and indicates in its privacy policy that it makes such information available.

The company’s security risk was discovered on Monday by Australia-based security researcher Shubham Shah, who found that he could send a series of emails requesting money from different addresses and receive back a response containing the name and email of each valid Coinbase user.

While the feature doesn’t constitute a security flaw, it could aid would-be attackers who are phishing for addresses associated with Bitcoin. Coinbase acknowledged this concern, though it said it believes the feature represents a low fraud risk and is more of a spam problem for users.
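As an added illustration of how a service operator might spot this kind of bulk lookup in its own logs (example code, not Coinbase’s; the log format, endpoint and thresholds are constructed assumptions), the snippet below flags accounts that issue money requests to many distinct addresses inside a short window:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines for a hypothetical "request money" endpoint; the format
# (timestamp, requesting account, recipient email, lookup outcome) is assumed.
SAMPLE_LOG = """\
2014-03-26T10:00:01 acct=u1 to=a@example.org result=found
2014-03-26T10:00:02 acct=u1 to=b@example.org result=found
2014-03-26T10:00:03 acct=u1 to=c@example.org result=none
2014-03-26T10:00:04 acct=u1 to=d@example.org result=found
2014-03-26T10:00:05 acct=u1 to=e@example.org result=none
2014-03-26T10:00:06 acct=u1 to=f@example.org result=found
2014-03-26T12:30:00 acct=u2 to=g@example.org result=found
2014-03-26T12:45:00 acct=u2 to=g@example.org result=found
2014-03-26T13:00:00 acct=u2 to=h@example.org result=found
"""

def parse_log(text):
    """Turn each log line into (timestamp, account, recipient, result)."""
    events = []
    for line in text.splitlines():
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append((datetime.fromisoformat(ts), kv["acct"], kv["to"], kv["result"]))
    return events

def find_enumerators(events, window=timedelta(minutes=5), max_distinct=5):
    """Return {account: peak distinct recipients} for every account that requests
    money from more than max_distinct different addresses within any `window`.
    Ordinary users request from a handful of known contacts; an enumeration run
    walks a list of harvested addresses quickly, which shows up as a burst of
    distinct recipients from one account."""
    by_acct = defaultdict(list)
    for ts, acct, to, _ in sorted(events):
        by_acct[acct].append((ts, to))
    flagged = {}
    for acct, reqs in by_acct.items():
        start = 0
        for end in range(len(reqs)):
            # Slide the window start forward until it covers at most `window`.
            while reqs[end][0] - reqs[start][0] > window:
                start += 1
            distinct = len({to for _, to in reqs[start:end + 1]})
            if distinct > max_distinct:
                flagged[acct] = max(distinct, flagged.get(acct, 0))
    return flagged
```

Tune the window and threshold to the service’s normal request rate; the same counting works per source IP if the logs carry one.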

“We are continually striving to make Coinbase as safe and secure as possible for all of our users, and in the coming weeks, we will perform a more extensive overview of the existing controls we have in place to see how they can be improved,” reads the statement.

Nevertheless, after a difficult few months in cryptocurrency circles, notably the shuttering of the Mt. Gox bitcoin exchange, the community was left shaken again by the leak.
