Update on Coinbase Data Security (coinbase.com)
198 points by nathancahill on April 1, 2014 | hide | past | favorite | 130 comments



While not ideal, I think this is being blown out of proportion by someone that doesn't like Coinbase. For starters, of the 2042 "leaked" emails, 1153 are unique. That means the person that posted it was trying to pad their results, which combined with the possible but unfounded FBI/Fincen accusations, illustrates that someone is mad at Coinbase and is lashing out.

Enumeration isn't a fantastic idea, but given its ubiquity in various forms on major sites throughout the internet, I don't think it's worthy of all of this negative attention directed specifically at Coinbase either. I once wrote a program that could take a list of random emails and use Facebook to turn it into a CSV matching each email to a name, a list of their friends, their location, and interests. That should have been scandalous, but it wasn't.

We are acting as pawns in someone's revenge scheme against Coinbase.


> That means the person that posted it was trying to pad their results

Not necessarily. The duplicates are in exact order (quick check using Sublime). Could have just been a double paste, happens very often.

The fear mongering (FBI et al) definitely seems unfounded.

> illustrates that someone is mad at Coinbase and is lashing out

That's an ad hominem attack.

> I don't think it's worthy of all of this negative attention directed specifically at Coinbase either

Agreed Coinbase is the target of a lot of negative attention. That does not discount that enumeration deserves any less attention, it's unnecessary and poses more risks than benefits (again I don't know of a single benefit when requesting funds - when sending funds it is understandable but still problematic).

> We are acting as pawns in someone's revenge scheme against Coinbase

You're giving people too little credit. Coinbase is bad at communicating (timing and message), bad communication pisses people off. They are also in a business that gets more scrutiny than other payment processors.
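The two claims above (roughly twice as many lines as distinct addresses, and the duplicates appearing "in exact order") can both be checked mechanically. The Python below is an added example for this thread, not code from any commenter or from Coinbase; the address lists in it are constructed, not taken from the Pastebin. It counts distinct addresses and then tests the double-paste hypothesis directly: if a block was pasted twice, each address's second occurrence shows up in the same relative order as its first occurrence did.

```python
"""Duplicate analysis for a pasted address list.
Added example for this thread; the addresses below are constructed."""
from collections import Counter

# Constructed sample: three addresses pasted twice, in the same order.
SAMPLE_DOUBLE_PASTE = """\
alice@example.com
bob@example.com
carol@example.com
alice@example.com
bob@example.com
carol@example.com
"""

# Constructed sample: repeats are present but not in the original order.
SAMPLE_SHUFFLED = """\
alice@example.com
bob@example.com
carol@example.com
carol@example.com
alice@example.com
"""


def parse_emails(text):
    """One address per line; blank lines dropped; case-folded so Alice@ and alice@ match."""
    return [line.strip().lower() for line in text.splitlines() if line.strip()]


def summarize(emails):
    """Line count versus distinct count, plus how many addresses repeat at all."""
    counts = Counter(emails)
    return {
        "total": len(emails),
        "unique": len(counts),
        "repeated": sum(1 for c in counts.values() if c > 1),
    }


def repeats_in_original_order(emails):
    """Double-paste check: take each address's second occurrence and ask whether
    those second occurrences appear in the same relative order as the first
    occurrences did. A block pasted twice passes; interleaved or shuffled
    repeats fail. Returns None when there are no repeats to judge."""
    first_index = {}
    second_first_indices = []
    seen_twice = set()
    for i, e in enumerate(emails):
        if e not in first_index:
            first_index[e] = i
        elif e not in seen_twice:
            seen_twice.add(e)
            second_first_indices.append(first_index[e])
    if not second_first_indices:
        return None
    return all(a < b for a, b in zip(second_first_indices, second_first_indices[1:]))


if __name__ == "__main__":
    for label, text in (("double paste", SAMPLE_DOUBLE_PASTE), ("shuffled", SAMPLE_SHUFFLED)):
        emails = parse_emails(text)
        print(label, summarize(emails), repeats_in_original_order(emails))
```

Run it on the actual paste (one address per line) instead of the constructed samples; a `True` from `repeats_in_original_order` is consistent with a double paste, while a `False` means the repeats were interleaved some other way, which is what the "padding" reading would require.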


>> illustrates that someone is mad at Coinbase and is lashing out

>That's an ad hominem attack.

No it isn't. I honestly wish that people would stop erroneously calling out logical fallacies. An ad hominem attack is refuting someone's argument by attacking their character in a way that has nothing to do with the discussion. For example, this is an ad hominem attack:

Obama: ObamaCare has insured 7.1 million people through the exchanges.

Sally: Oh sure, but what difference does that make - you're a Muslim and want this country to fail!

That is an ad hominem. Because Obama being (or not being) a Muslim is irrelevant to the discussion and is only used to impugn the character of Obama.

What is not an ad hominem attack is evaluating evidence of someone padding numbers to make Coinbase look bad and then determining that they must be biased against Coinbase. If you think evaluating evidence and coming to negative conclusions about someone is an ad hominem attack, then you are seriously mistaken.


These are serious accusations against Coinbase. There is absolutely no excuse for an artificial 2x inflation of numbers, especially for something that's supposed to be "partial"


> For starters, of the 2042 "leaked" emails, 1153 are unique.

Nice observation. I hadn't noticed it at a glance.

> combined with the possible but unfounded FBI/Fincen accusations, illustrates that someone is mad at Coinbase and is lashing out.

I agree. Those are bold accusations, and bold accusations require at least some proof.


> bold accusations require at least /some/ proof.

Can you expand? I thought all accusations needed strong evidence.


I was being hyperbolical.


Quite possible, but Coinbase really could have handled this better. They simply could have said, "You know what? While we don't agree with everything we're being accused of, we really value the community's trust and want you to know we're listening. First of all, we're really sorry to the folks who had their emails posted publicly. Secondly, we're doing XYZ to let you know we're on the case and re-evaluating our policies. Finally, we want to thank everyone who's reached out, you're helping to make Coinbase stronger."


This is exactly what they wrote in the conclusions IMO. What don't you like about their version of expressing it?


I'm not sure that's the right approach either. They're not reevaluating their policies. They believe they did nothing wrong. Clearly some amateur hacker is the one exposing emails, probably from another source.


> For starters, of the 2042 "leaked" emails, 1153 are unique.

Sure enough, when I sorted the email alphabetically I could see that whoever posted that Pastebin listed most of the emails twice to make the list look longer than it actually was.


So you are writing this off because 'only' 1153 emails were leaked?

Then you are comparing security of virtual bank to something you did to Facebook back in the day.

The thing is that, if anything the guy who was doing this just did a quick proof of concept from a few lists and got matches, a serious attacker could (or already did) create his own list using let's say a combination of LinkedIn + Bitcoin related domains to:

1. Harvest valid emails of people employed in the Bitcoin sector.

2. Match them against coinbase.

3. Start phishing.

Really simple.


>So you are writing this off because 'only' 1153 emails were leaked?

His attempt at misleading people by almost doubling the actual count shows that his intent was/is to make this worse than it is. It is likely that all he could find was 1153.

>if anything the guy who was doing this just did a quick proof of concept from a few lists and got matches

You don't know that. He could have been trying for weeks. The percentage of the internet that has Coinbase accounts is minuscule, and this attack requires one to correctly guess that a particular email is already attached to a Coinbase account. The fact that he falsely doubled the size of his list is a testament to this.

>Then you are comparing security of virtual bank to something you did to Facebook back in the day.

This wasn't that long ago, but my point was that this "vulnerability" is minor compared to other sites, yet the backlash against Coinbase seems to be far greater.


How do you know it was an attempt at misleading and not a simple parsing or sorting/filtering issue in bash or whatever he used to get emails?

Maybe the file was written to via different threads using cross linked dictionary?

Do you know? No, you are speculating someone would double the size of a list as if nobody would ever figure that one out.

The bug that was filed was not even open for weeks. Again you are speculating without any facts.

http://blog.shubh.am/full-disclosure-coinbase-security/

You are comparing 'vulnerability' of a service meant for people to connect and find each other to a service that handles millions of dollars of users money.

Ridiculous.


You're the one being ridiculous.

- There was no email leak from Coinbase. The source of the email list used against the API is unknown at this time.

- Someone who's savvy enough to call an API in a multi-threaded fashion but doesn't know how to: cat email_list.txt | sort | uniq ? meh, unlikely.

- User enumeration hardly equals a vulnerability and the name you put on the account doesn't have to be your real name. I have "SMTDDR" on it. All you'd get is "SMTDDR".

Really, this is some kind of political-mud-slinging at Coinbase. Wake me up when you can pull my banking info or transfer my coins out of my account.


They leaked accounts that are legit, who cares about the source when Coinbase confirmed that this instance with some random unknown list 'only' impacted 1000+ users.

Sure, but they could also not care if there are duplicates. You don't need to polish your list output for a proof of concept code, whatever he needed to prove was proven.

It's not a vulnerability, it's data leakage. Sure you put a wrong name in, most people did not.

And it's not the name that's a concern it's leakage of email addresses that would be prime target for savvy hackers who want bitcoins.

If you could run random addresses against an API offered by a vendor that sells safes for high value valuables and get a match which houses have those safes you become a target.

Sure most people won't try to break in, but those that are in the business of doing so will try.


>You are comparing 'vulnerability' of a service meant for people to connect and find each other to a service that handles millions of dollars of users money. Ridiculous.

So you are saying that this somehow endangered customer funds?


You’ll find that user enumeration is possible on Facebook, Google, Dropbox, and nearly every other major internet site.

And yet, most banks & payment processors do not do this, for good reason. Seems like Coinbase is suffering from some domain confusion.


It is not my experience that financial services companies are substantially better than startups on cosmetic security issues like username enumeration.


Some financial services are even worse. One of the largest banks/brokerage sites truncates passwords at 8 characters without notifying the user. It is possible for the user to save their password as "password104n35dsu348a21p9sdj28x". They might feel pretty safe with the length, (pseudo) randomness, and complexity of that password, but someone would be able to log into their account by simply entering "password".

However, the big differentiating factor between startups and financial service companies is the faith in them "making it right" when something does go wrong. At this point, we have little reason to believe that one huge security issue won't simply kill a startup like Coinbase and leave all of its account holders out in the cold. It seems pretty safe to say that wouldn't happen with any major bank in the US.


Very true, but if my social sharing website has a username disclosure, it's generally a feature. If my bank does this, it is, as you note, a security issue. Not the worst possible security issue, but still definitely not a feature.


As mentioned in the blog post, payment services also commonly allow user enumeration, including Paypal, Venmo, Square Cash, and others.

The reason you don't see it with banks is that they don't allow you to send money to an email address.


Those systems are insured, and a lot more effort to steal and clean funds. Bitcoin is one stop fraud: get the coins and you're good to go. Don't need a drop to ship electronics, don't need proxies or remote desktop IPs to fool paypal/stripe fraud filters.

If I were a criminal blackhat it would be nice to have user enumeration to confirm names on Coinbase so I could send personalized wallet stealing emails pretending to be from Coinbase.


Maybe in the US they don't, but in Canada you can. I'm quite sure in most of Europe & Australia you can as well.


Interac e-Transfers (the only widely used method for doing this I'm aware of) do let you send money to someone via an email address, but it's a notification channel, nothing more. An account enumeration isn't possible with it, the actual email is sent some time after the money for the transfer has left the source account, and the sender doesn't get any information about the delivery of the email.

I suppose you could send e-Transfers to random email addresses and then see if any are accepted, but that would cost you an absolute minimum of $0.01 per attempt and would probably have a terrible response rate.

Source: this is my day job.

Edit: sorry, forgot to mention this is Canada-specific.


You can't in Australia

Source: I live in Australia


Respectfully, could you list a couple of benefits of enumerating a user's name if someone is requesting funds that outweigh the risk even in the slightest?

The question is not for sending money but receiving or requesting money. I personally can't think of a single benefit to getting this information at time of requesting funds.

As a matter of fact, if the name was enumerated when sending money that would to some (very small) degree be acceptable as the sender stood to have a financial loss.

edit: grammar


I don't know about the other large US banks, but Chase definitely does and has been for years.


You conveniently left out their next sentence "... many leading payment services allow user enumeration, including Paypal, Venmo, Square Cash, and many others..."


Because I was talking about banks & processors, not payment services. Paypal will cut you off hard if you attempt to bulk enumerate users/businesses by e-mail address, so this is even more disingenuous on the part of Coinbase.


There's only one explanation for why you can't get service for problems unless you're featured on reddit, why they don't care about security, and why they're flagrantly dishonest in their comparisons: because they don't respect us, at all.


Or they're a tiny company trying to push in all areas at the same time, and they have to prioritize, and sometimes things they'd want to do fall through the cracks or they just haven't had a chance to do them yet. If you've ever been at a small company, you know that this is the much more likely scenario. Requiring them to have already implemented all of the security measures of Paypal, which has been around for more than a decade and is orders of magnitude larger than them, is sort of ridiculous.

If you don't trust them to hold on to your coins, use them purely as an exchange and then pull them off onto an offline wallet.


Do the same attack against those vendors and report back.


"It’s clear there was no data breach because no other user information is provided."

That strikes me as an assumption. There's no way for them to know that there was no breach based off of the fact that no other information was provided. There are other ways to know that you were not breached, this one comes across as a very weak / naive reason.


Even if certain users were in fact somehow phished or deceived by this, it would be a stretch to say that is a "breach".

Regardless, I do think Coinbase should try to prevent user enumeration.


'We didn't do anything wrong, this isn't a bug, nothing to see here.' despite obvious evidence to the contrary.

Very confidence inducing.


For those of us getting caught up on these events - what evidence are you referring to?

So far I've seen :

1) A list of email addresses on pastebin, accompanied by a surreal claim of daily FBI & IRS data transfers and gag orders

2) Homakov's email to whitehat@ concerning a potential iframe vuln

What am I missing?


They were given a bug report with three issues:

1) It's possible to determine if someone has a Coinbase account (no rate limit)

2) It's possible to find out someone's name if they have a Coinbase account (no rate limit)

3) Coinbase can be used to spam people through unsolicited messages (no rate limit).

Their response basically equates to "so what, nothing's wrong". They ignored the initial reports and marked the bug as won't fix.

Someone used this vulnerability to pull a bunch of example addresses and their response is "so what, nothing's wrong, probably wasn't us".

But these are three serious issues.

1) Why should anyone be able to figure this out without being a registered application? This is especially true given #3. And the lack of rate limiting is just irresponsible.

2) Why should anyone be able to ask Coinbase what my name is? Even if they allowed that, why can you do it without being a registered user of their API? Again, the lack of rate limiting is also irresponsible.

3) I understand it's purposeful that they'll treat anyone as having an account for the purposes of onboarding, that makes sense. But the ability to send emails to anyone on the internet without risking my reputation is asking for trouble. Again, this should be heavily rate limited unless you've registered with them. Anyone can sign up for an Amazon SES account, but you have to go through a few hoops before you can start sending out 500 messages a second.

These statements read like Baghdad Bob to me. We don't agree, nothing is wrong, go about your business as if nothing had happened.

If their initial response was "that's all correct, we're looking into rate limiting and maybe requiring you to register to make API calls" that would have been the end of it.

If I want to send money to someone, I should call Coinbase and they should send the request. The response to me should be "sent" or "error". Imagine if whenever I paid a bill with my credit card the return was not just "success" or "failure" but "success", "current balance", and "mother's maiden name". Disclosing that extra information is totally unnecessary.
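The "sent or error, nothing else" response the comment above asks for is easy to state as code. The Python below is an added example for this thread, not Coinbase's code; the account table, the names, and the `request_money` / `request_money_leaky` handlers are constructed for the demonstration. It shows the leaky response shape beside a hardened one in which the caller-visible response is identical whether or not the recipient address is registered, and a small check helper that tells the two apart.

```python
"""A money-request endpoint whose response does not depend on whether the
recipient address is registered. Added example for this thread; it is not
Coinbase's code, and the user table and names are constructed."""
import secrets

# Constructed account table: one registered address, everything else unknown.
USERS = {"alice@example.com": {"name": "Alice Example"}}


def request_money_leaky(recipient_email, amount, outbox=None):
    """The shape the thread objects to: the status differs by registration
    state, and the account holder's name is echoed to an arbitrary caller."""
    user = USERS.get(recipient_email)
    if user is None:
        return {"status": "invited"}
    return {"status": "sent", "recipient_name": user["name"]}


def request_money(recipient_email, amount, outbox=None):
    """Hardened shape: the caller gets 'sent' plus an opaque request id on both
    branches and no account attribute. Registration state only changes what is
    delivered to the recipient, which the caller never sees."""
    outbox = [] if outbox is None else outbox
    request_id = secrets.token_hex(8)
    if recipient_email in USERS:
        outbox.append(("request", recipient_email, request_id, amount))
    else:
        outbox.append(("invite", recipient_email, request_id, amount))
    return {"status": "sent", "request_id": request_id}


def is_registration_oracle(handler):
    """Check helper: call the handler once for a registered and once for an
    unregistered address and report whether the caller-visible responses differ
    in status or in their set of fields. True means the endpoint leaks."""
    a = handler("alice@example.com", 1)
    b = handler("nobody@example.com", 1)
    return a.get("status") != b.get("status") or set(a) != set(b)


if __name__ == "__main__":
    print("leaky handler is an oracle:", is_registration_oracle(request_money_leaky))
    print("hardened handler is an oracle:", is_registration_oracle(request_money))
```

The hardened handler still sends an invite to any address the caller names, which is the thread's point 3; response shape fixes the name and registration leak, and rate limiting has to cover the spam path separately. Response timing should also be kept similar on both branches, since a noticeably slower "registered" branch would reopen the same oracle through a side channel.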


The name is optional, and you can supply it to make the experience nicer. If you don't plan on using Coinbase this way, don't supply a name.

Making things easy to use is the answer to your question. Rate limiting might help a tiny bit, but you can just register multiple accounts to get around it. (And no doubt someone would do that and make a fuss about it.)

Many people will take the feature of presenting the name, so you have another layer of comfort while making the transaction (knowing it went to the right place, that you didn't introduce a typo) to be a feature. And those that don't want it don't have to provide their names.


> The name is optional, and you can supply it to make the experience nicer. If you don't plan on using Coinbase this way, don't supply a name.

Amazon won't tell you my name. Netflix won't tell you my name. Maybe to registered third parties, but not to random unauthenticated API callers.

> Rate limiting might help a tiny bit, but you can just register multiple accounts to get around it. (And no doubt someone would do that and make a fuss about it.)

But that adds a barrier, and would give them time to notice. Your argument is the equivalent of "why have locks, all doors can be forced open". Just because security isn't perfect doesn't mean it's not worthwhile.


> Amazon won't tell you my name. Netflix won't tell you my name

If you want to sell something on Amazon, Amazon will tell other people your name. I sold some apps there to experiment with the whole process, and they attached my real name to it.

There is never a need for anyone to know your name from Netflix. However, with Coinbase, there is a need for other people to be able to recognize who they are doing a transaction with.


> However, with Coinbase, there is a need for other people to be able to recognize who they are doing a transaction with

Why is this? They are not receiving money, they are sending money. The recipient needs to know the sender but why does the sender need to know that the recipient is a registered Coinbase user or what their first name and last name is. Why does the response JSON of the request_money API need to return the user's name and couldn't the email and the transaction history page be the same when you send money to a registered or non-registered email until the recipient is in some sort of address book of the sender (perhaps after a valid transaction has happened between them). I have used Chase and PayPal and in both cases either I have to add the recipient to the address book and fill out the email address and first and last names or just use the email address.

Fortunately or unfortunately when you play in the financial services, you are held to a higher security standard. I really like Coinbase, I hope they fix this simple problem and move on instead of denying it's a problem.


Amazon won't tell you my name until I make a transaction with you. If I add your item to my cart and never check out, they won't tell you anything about me.

That doesn't seem to be the case with Coinbase, they seem to give you the information when you propose a transaction.


Yes, with these newly moved goalposts, I agree, and I mentioned it earlier today: Coinbase is giving your ID not just to people you've interacted with (which makes sense) but to people who have expressed the vaguest desire to interact with you (which might not make sense).

But the comment I was replying to was pointing out that Netflix never gives your ID to anybody, which is not a fair comparison because Netflix is in an entirely different business. Netflix customers never interact with each other. Coinbase users do interact, and identity is usually essential for interaction.


That's not moving goalposts. Amazon does not give out my information to unregistered 3rd parties who I haven't made a transaction with. Seems Coinbase does.

I chose Netflix simply because they were a large internet company. I think the idea that Coinbase is involved in transactions is a red herring here since they're giving the information out before the transactions are agreed upon by both parties.

If I proposed a Coinbase transaction with someone, I would fully expect that the other party would be told my name and possibly even my email.


If I'm reading correctly: Coinbase provided confirmation that the email addresses on pastebin are Coinbase customers, and also provided the associated names. Coinbase doesn't think that's a serious issue.


I'm curious why, given the prior reports of security issues at Coinbase and the ongoing drama with Mt Gox, you guys didn't immediately hire, say, tptacek's company to do extensive penetration testing and a full security audit. It appears that not all API calls were rate-limited, as they probably should have been, and there certainly doesn't seem to be any sort of monitoring of brute-force attempts like this in place. With all the negative publicity around Bitcoin exchanges, you should have doubled down on security weeks ago, or at least explained the privacy tradeoffs in your design decisions clearly.


A few thoughts. I agree with you, which is why we are currently going through a third party security audit in addition to the impromptu peer review by Andreas the day MtGox went down and our normal reviews by accountants. We also hired a director of security from FB. Also, there were rate limits, just not well tuned enough. So it's definitely in focus for us.

Hope this helps clarify

(edited for formatting)


Thanks for coming here and addressing the community. It's a thankless job. But thank you for doing it.


What precautions have you taken against meatspace robbery? What's to stop 3 thugs with guns walking into your office(s) and cleaning out all the coins? Can you get insurance against this?

Do you also have measures to prevent evil janitor attacks like hardware keyloggers being planted at 4:00am? Do you have screens facing an open window to watch from across the street? Can I rent beside your offices, drill holes through the walls and set up spycams or gain entry? Not to sound alarmist but seems no exchange has given a thought to physical security meanwhile bank execs are dropped off at work by private guards specializing in counter-kidnapping operations, even though their money is fully insured and extremely difficult to steal. Bitcoins are easy to steal.


> meanwhile bank execs are dropped off at work by private guards specializing in counter-kidnapping operations

Perhaps there are some bank executives for which this is true, but it is absolutely NOT the case for all banking executives. I work with some bank executives and they drive themselves to work in their own cars. The buildings DO have alarm systems and it is quite possible for the FBI to respond to physical threat incidents (because it is treated as a bank robbery) but otherwise there is little that is special in the way of physical security.

And for Coinbase, I believe the lack of special physical guards is appropriate. A high percentage ("up to 97%" according to https://coinbase.com/security) of their coins are in cold storage and while I am not privy to the details of Coinbase's arrangements, keysharing and multiple physical storage locations that are off-premises are a reasonable precaution. They are vulnerable to hostage-taking or "3 thugs with guns" to the exact same extent (no greater) as any other company with a similar amount of protection.

I can't comment on protection against hardware keyloggers: it's a threat that they need to be prepared for. Cold storage is one major way of protecting against this threat, business insurance is another.


They should at least have a level of physical protection equal to a large bank branch.

An armed guard, 24/7 security cameras (obvious and hidden) actively being watched by a human being, established passphrases for when the security service calls to check in, etc.

They are at as least as much risk as a physical bank branch, it's a bit of denial on their part if they aren't treating it that way.


Any other company doesn't need to worry since robbing their head office and demanding online bank transfers is a waste of time. A cryptocoin fixed rate exchange with millions in storage you can instantly transfer is a different story. It's like Ft. Knox being located in a regular office building with gold piled on the desks. Bank vaults have physical security so why don't Bitcoin based businesses?

I did read through their security about the backups being spread around different locations, but those are backups. They would need access to the cold wallet on a regular basis if 97% of funds are truly in there. Unlikely to happen but then again police here didn't expect criminals would remove huge concrete barriers with a stolen tractor, ram a shopping mall entrance, drive through the mall and ram a gated jewelry store but they did.


> They would need access to the cold wallet on a regular basis if 97% of funds are truly in there.

Not true. First of all, that would only be true if their net daily turnover were more than 3% of their total amount stored -- which it may not be. Even then, I would expect graduated levels of cold wallets: imagine one with another 2% that is down the street in a bank safe deposit box, 5 wallets with 50% of the deposits stored in a way that can only be accessed with cooperation of 4 people in different parts of the country ... that sort of thing.

I am, of course, just speculating: I don't know how Coinbase runs their system, I just know that they seem competent and that this is how I would run such a thing.


Further, the security audit began this week before this issue. It was proactive, not responsive.


Not to make anything awkward, but this is a far better reply than Brian's replies in this thread and on the blog.


Why wasn't any of that information in the earlier statements? When given a list that contains demonstrable flaws "we see your list and don't think it's a problem (thus by implication are not doing anything about it)" does not induce confidence, it sounds like hubris.

Simply writing that the rate limiting wasn't working correctly and you were fixing it would have made all the difference in the world to me.


Because then it will be bad PR.

Now they can play it off so people who don't know any better won't move to another service.


This is something that has always bothered me. I've worked in software for awhile now, but never in the financial sector, yet the vast majority of my clients and employers have had third party security audits run on their code and systems. I don't know why every exchange doesn't do this and talk about it publicly.


Everyone in the biz or following the biz knows it's window dressing and pay to play. See Arthur Andersen and Enron and about a zillion other scandals over the years.


Coinbase has had a substantial Whitehat program for a while: https://coinbase.com/whitehat

This just isn't a bug.


We’d also like to address the claim of a “leaked” list of Coinbase emails and user names. This list (the size of which is less than one half of one percent of Coinbase users) was not the result of a data breach at Coinbase. This list of emails was likely sourced from other sites - probably Bitcoin related ones. It’s clear there was no data breach because no other user information is provided.

That last sentence is doing a lot of lifting, out of its weight class.

This immediate "no it's not true" might reassure some folks, but it scares me because of how quick it is. Have you looked at the audit systems on your database?

"We believe this information is bogus but are investigating to make sure" is a better response, assuming you actually do investigate to make sure.


I think many users will assume, with a finance site like Coinbase, that the name they have provided is for $ transactions (taxes, Visa, MasterCard, etc.) not for social aspects. In my opinion, getting behind the Privacy Policy and claiming that users know their names will be publicly shared is unethical.

Why do people want to hide their names? Personally I don't hide my name. But it is not too hard to understand that on "web-scale" there will be someone who is stalked, who has posted on suicide help forums, etc.


(Bug report at https://hackerone.com/reports/5200)

From Ryan McGeehan, director of security (user magoo):

> This behavior is mostly informational to an attacker and does not
> directly increase risk in any significant way

All information leaks are useful to an attacker. By themselves they are harmless, but can be combined with other information to successfully exploit a system.

From bug reporter Shubham Shah (user zero):

> This request can now be replayed unlimited times, with unlimited email
> addresses inputted. Coinbase does not limit the rate of POST requests
> to /transactions/request_money

This should not be possible at all. The reporter must have made a mistake and forgot to mention the X-CSRF-Token needs to be updated each time. If it didn't need to be updated, this would be a basic CSRF vuln.

All this being said, the real flaw here is the lack of rate limiting on transactions, for three reasons:

1. The spam will eventually mount up and ISPs will block their servers for days or weeks.

2. Their network and app stack is subject to DoS attacks unless they rate-limit transactions.

3. Harvesting of e-mail addresses would be stopped by basic rate limiting of email<->user queries.


I was phished for coinbase just recently with an email telling me "You just received 0.08525920 BTC" and just "Click here to sign in and view this transaction" and I stupidly did click on the link and did try to log in. The login failed (as it would with a trojan and the coinbase 2 factor authentication I have enabled). But even so, the phishing site was able to attach 3 Android apps to my account with full access. I deleted the apps and notified coinbase, but they were totally less than helpful.


People should upvote this much more. This shows that the reported exposure has resulted in at least one successful phishing.

The fact that the 2 factor auth can apparently be bypassed by attaching apps is another security vulnerability entirely. If that is what you are claiming is the case, then they should be immediately fixing this as soon as you reported it to them.


Less sympathetic than I was hoping for but copacetic. Could they have nipped this in the bud with a faster response? Perhaps. However having dealt with reports like this, I cannot recall a decent interaction with a reporter.


copacetic : in excellent order.

(For the lazy like me, who still want to learn new and useful words.)


Three-finger click on OS X defines the word. Or right-click and Look up in Dictionary.


Indeed, and a great trick too — but that appears to be a great but non-default option, only working within Apple software (namely Safari browser when surfing HN) and uses the System language (not English for me).

I personally prefer Right click "Search with Google..." in Chrome: it has the upside of coming up with a definition when the word is actually rare -- so it prevents me from defining a word I didn't know simply because I'm not a native English speaker.


It works in any software in OS X using standard text controls. It's insanely handy.

The few programs I use that don't support it actually drive me nuts because I've become so used to it.

The system language thing is a little annoying. It would be fantastic to be able to look up the random Spanish or Japanese word, but I understand the limitation.


Control + Command + D also brings up the definition popover


Hmmm...I might have to refine my use of the word. I'm more familiar with "very satisfactory" which is what I had in mind here.


Many people automatically assume that this word means something bad. Something about "cetic" makes them think "septic" or "toxic" even. I've had to explain the word a few times to co-workers. I picked it up from a crappy song, come on guys!


It sounds like somebody with a lisp saying "pathetic", hence the negative association (for me at least).


Local H?


Rate limiting

Do we have to spell it out to them?


We are pushing some changes to rate limiting - this wasn't clear in the original post and I just edited. Thanks for the heads up.


So why are you blowing this off and now all of a sudden writing rate limiting?

The only reason he got 1000+ emails is because you guys messed up.

Not even going into the whole idea of you releasing that end point with name leakage without somebody going 'oh hey.. do we have rate limiting?'.

Mistakes like this are signs of amateur hour.


Suppose they limit it to 100 emails before blocking your account. The guy can just sign up with 10 accounts. Or 5. This "attacker" would still post it and make a big fuss.

Most likely they're implementing rate-limiting to appease people and prevent an ongoing spam issue. Or perhaps it was on their list for a while and just hasn't been an issue until now.


In regards to rate limiting, it would be a much smaller number prior to block.

If it's IP based at let's say 10 over X attacker would have to lease 100 IP's.

In any case, rate limiting is the quickest mitigation prior to actual fix of the data leak in question.


Given it's easily parallelizable, assuming the cost of enumeration is significantly lower than other methods and the value of the data is high enough, how does that actually solve anything? All it does is require someone to rent time on botnets or similar which doesn't seem like it would raise the cost a huge amount at scale.


Already a largely solved problem. If you try enumerating email addresses by running through queries at Hotmail or Yahoo, for example, they'll shut the doors on you in a matter of seconds. Think you can just use thousands of IPs instead? Go for it - they trust 'new' and rarely-seen IP addresses even less, and bring up the shutters all the faster. It's not a new problem, and there's lots of best practice to learn from, for anyone who wants to do it right.
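The mitigation the thread converges on, sketched as an added Python example that is not Coinbase's code: the email-to-user lookup behind "request money" is capped per client IP and per calling account (so neither rotating IPs nor rotating throwaway accounts alone gets around it), and the response is identical whether or not the address is registered. The limit values, IPs, account ids and user table are constructed for illustration.

```python
import time
from collections import defaultdict, deque

WINDOW_SECONDS = 60          # illustrative values, not Coinbase's real limits
MAX_PER_IP = 10
MAX_PER_ACCOUNT = 10

# Constructed sample user table (email -> display name) and an internal queue
# standing in for "deliver the money request to this user".
USERS = {"alice@example.com": "Alice A.", "bob@example.com": "Bob B."}
DELIVERY_QUEUE = []


class SlidingWindowLimiter:
    """Allow at most `limit` events per key within the trailing `window` seconds."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.events = defaultdict(deque)   # key -> timestamps of recent events

    def allow(self, key, now=None):
        now = time.monotonic() if now is None else now
        q = self.events[key]
        while q and q[0] <= now - self.window:   # expire timestamps outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


ip_limiter = SlidingWindowLimiter(MAX_PER_IP, WINDOW_SECONDS)
account_limiter = SlidingWindowLimiter(MAX_PER_ACCOUNT, WINDOW_SECONDS)


def request_money(email, client_ip, account_id, now=None):
    """Handle a 'request funds from <email>' call from an authenticated account.

    Both limiters must pass: keying on the IP alone lets one account rotate
    IPs, keying on the account alone lets one IP rotate throwaway accounts.
    The response is the same whether or not the email is registered, so the
    endpoint is not an email -> user oracle; the only difference (queueing
    the delivery) happens server-side and is never echoed back.
    """
    if not ip_limiter.allow(client_ip, now):
        return {"status": "rate_limited"}
    if not account_limiter.allow(account_id, now):
        return {"status": "rate_limited"}
    if email in USERS:
        DELIVERY_QUEUE.append((account_id, email))
    return {"status": "accepted", "email": email}
```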


From the text:

"For example, we employ rate limits around sensitive actions, such as requesting money, to prevent them from being abused at scale."


They don't appear to be rate limiting their API that allows enumeration of first and last names. Also,

We’d also like to address the claim of a “leaked” list of Coinbase emails and user names. This list (the size of which is less than one half of one percent of Coinbase users) was not the result of a data breach at Coinbase.

There are 2,040 names on the leaked list. Fun fact: that means there are about 408,000 Coinbase users total.


The list duplicates every entry, probably another silly tactic by the "attacker" to fluff up his feathers.


I wonder if that means there are around 200,000 Coinbase users? Depends whether they noticed the dupes. Good catch.


That's wallets, not users. That press release was impressive, and I've always wondered how many users they actually had. I didn't expect to find out through a security blog post, but it's fun to know.


Is it possible that they simply have a more generous rate limit than what you think they should have?


Up this comment goes! Why are they not addressing it? I'm confused.


If Coinbase can't admit any amount of fault whatsoever for enabling the large-scale harvesting of their customer list, I'm sorry, but I've lost faith in their security.

This is a service that stores digital cash. It should be like an online Fort Knox, not "safe as Facebook" like that's some kind of high bar.


If you read the post even a little bit carefully, they refute the idea that this was a harvesting of their database. One compelling bit of evidence they present is that the list is tiny, and their customer list is very large.

It's not just that this isn't a "large scale" leak; it's that they say it's not a leak at all; that this data was made available through some other combination of services that exposed it, not Coinbase. They don't provide any additional evidence (but few companies would) --- but it's a plausible argument.


Coinbase's tone at https://hackerone.com/reports/5200 convinces me that they just don't care about user account enumeration. Combined with the blog post, my sense is that Coinbase does not deny that systematic enumeration is possible; rather, they deny that we should worry about it. ("it's not a bug, it's a feature")


I don't know if they do or don't, but I wouldn't be surprised either way, because I sure don't care about user account enumeration. We doc it, but I'm always embarrassed when we do.


this data was made available through some other combination of services that exposed it, not Coinbase

That assumes the acknowledgement of whether a given email address is a member or not is not data in itself. That is arguable. For example, I know that in healthcare, merely confirming whether someone is a patient of yours is a violation.

But I agree with the larger point that the original disclosure is overblown.


they say the list is less than 0.5% of their total user base. Not sure if you can call this "large-scale".


I agree that 1000+ people may not be "large-scale" depending on how we define it, but I do see it as a proof of concept that Coinbase permits large-scale user enumeration. (Not that it has necessarily happened yet)


Yea ok, I got your point :)

Now we just need to make sure the data came from coinbase directly, which they refute. They say data comes from other services - mostly bitcoin related ones.


Do you smell it?

They believe it's not a risk to their users (never mind those users who are now targeted via e-mail leak because they have BitCoins).

"You’ll also find many leading payment services allow user enumeration"

They also do pattern monitoring and rate limiting. And instead of saying 'but they do it!' they should be saying 'they do it too, but we think this is a valid privacy issue that we need to fix'.

This is more or less 'If you don't get privacy implications, we will bullshit you so you don't panic and go elsewhere with your money. Everything is fine!'


I also think this whole thing is overblown but I hope it will help to further humble Coinbase in realizing that they really need to focus more efforts on squashing things like this before they become a problem. Coinbase has a large responsibility in whether or not Bitcoin is to become "accepted" in the USA and several small events like these left unsettled or left to fester could prove catastrophic (IMO).

I don't believe Coinbase should consider this a real "security threat". I believe that this is a negative side-effect of what may be a feature. It is certainly something that needs improvement, as I'm sure all of the people whose email has been leaked will tell you...

I'm not sure if Coinbase has an engineering blog or a similar outlet where they can speak to more developers directly but if they do not have one already, this may be the time to start. This could've been squashed entirely within a small development community but when left unsettled for so long, it is things like this that the news will latch onto and run with. We all know how blown out of proportion things get when that happens.

Anyway, long story short... I hope Coinbase improves. As much as I hate to say that a tech company needs more representatie


I don't know who is wrong or right here (Coinbase saying there was no breach or alleged hackers via pastebin), but isn't having fake security breaches for large bitcoin sites a good opportunity to manipulate the rates? If one wanted to bring the rate down it might be possible to do this with creating a good fake security breach of a large site.


Is there an option to opt your account info OUT of the api?


I tried deleting my name from the user settings page. No problem. This "bug" is literally about people being upset that information they opted-in to share was shared.


Coinbase said that creating a username is optional.


Interesting to note that they did not dispute the claim (posted on HN with the pastebin data) that they are providing transaction data to government agencies.


I always find my ‘skeptic’ meter ticks faster when I read of a data breach, and find a company:

a) using language that is very specific when making a denial

b) also introducing a new Director of Security in the same post


No new director was introduced; the Ryan McGeehan hire was in the news weeks ago.


Thanks, I stand corrected. It was my gut reaction at the phrasing, all good.


There was no data breach, chill out.


My email was not published anywhere with regards to bitcoin or coinbase, I receive relatively little spam, yet I received 4 of these spam messages. Smells fishy.


You can add a soft rate limit with a captcha to make sure it's a human doing the requests rather than a spammer's script.


You can't rate limit APIs with CAPTCHAs.


There was no mention of the IRS and FBI gag orders/data transfer in this post.


I filed a Freedom of Information Act request to the FBI about Coinbase, and they replied that they have no documents. https://www.muckrock.com/foi/united-states-of-america-10/coi... Of course, the FBI is explicitly allowed to lie in response to FOIA requests if it will protect an ongoing investigation.

However, I was also told at a party by a Coinbase employee that this is not true (which is why I filed the request to begin with.)

I am certain that they have a relationship.


Because those were bogus.

In retrospect, it should have been a huge warning sign that the entire thing was bogus. At worst (for Coinbase), they have someone reporting a legit security issue with a bunch of jokes at the top.


does anyone know what blogging software they are using for the coinbase blog? is it tumblr?


If you view the source, you'll see tumblr right from the first line.


thanks boss


You should write a book - Babies first pentest.


No mention of the claimed IRS / Fed gag order, interesting. (although I realize it's not their main focus right now)


The gag-order is impossible to disprove. If anything in the release is bullshit, it's that.

I would consider it screamingly obvious that Coinbase reports stuff to the IRS, because they want to run a business, not be crushed to death.


If they have a gag order and they talk about it they go to jail. Probably not going to hear any official word one way or the other.


Well they can't mention it if they have it, but they can mention if they don't. So this would be the only way Coinbase could communicate that they are under a gag order, barring a prior warrant canary. So it's probably prudent to act as if they have acknowledged the gag order until they deny it. Although it'd be really dumb if anyone was assuming the records were private.

I guess they could say "We have implemented a warrant canary at <url>" then 404, but perhaps their legal team wisely denied that one.


Yes. And while we're at it, I wanted to point out that cbcbcb (who posted the initial leak) is ALSO under a federal gag order. He/she either won't deny it (because, obviously, they can't) or WILL lie and deny it (forced to lie by the gag order).

Oh, and I'm under a federal gag order too... or at least there's no way to prove that I'm not.


Has it been shown that the USG can order an entity to lie?


There has been speculation among legal scholars that the legal threshold for ordering someone to lie might be greater than the legal threshold for ordering someone to keep silent. This has not been tested in court (at least, not in open court) so no one knows for sure. If I received a national security letter ordering me to lie, I would have to think VERY carefully before deciding to violate it and become a test case.


> there has been no data breach of names or emails at Coinbase

I have a Pastebin URL with 200 email addresses to prove the contrary. Why lie in PR?


You have to have the email addresses before you can query Coinbase with them. The addresses didn't originate with Coinbase, the attacker already had them.


Were you certain they were Coinbase users? Did you have the first and last names?



