
While not ideal, I think this is being blown out of proportion by someone that doesn't like Coinbase. For starters, of the 2042 "leaked" emails, 1153 are unique. That means the person that posted it was trying to pad their results, which combined with the possible but unfounded FBI/Fincen accusations, illustrates that someone is mad at Coinbase and is lashing out.

Enumeration isn't a fantastic idea, but given its ubiquity in various forms on major sites throughout the internet, I don't think it's worthy of all of this negative attention directed specifically at Coinbase either. I once wrote a program that could take a list of random emails and use Facebook to turn it into a CSV matching each email to a name, a list of their friends, their location, and interests. That should have been scandalous, but it wasn't.

We are acting as pawns in someone's revenge scheme against Coinbase.




> That means the person that posted it was trying to pad their results

Not necessarily. The duplicates are in exact order (quick check using Sublime). Could have just been a double paste, happens very often.

The fear mongering (FBI et al) definitely seems unfounded.

> illustrates that someone is mad at Coinbase and is lashing out

That's an ad hominem attack.

> I don't think it's worthy of all of this negative attention directed specifically at Coinbase either

Agreed Coinbase is the target of a lot of negative attention. That does not discount that enumeration deserves any less attention, it's unnecessary and poses more risks than benefits (again I don't know of a single benefit when requesting funds - when sending funds it is understandable but still problematic).

> We are acting as pawns in someone's revenge scheme against Coinbase

You're giving people too little credit. Coinbase is bad at communicating (timing and message), and bad communication pisses people off. They are also in a business that gets more scrutiny than other payment processors.
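The disagreement above (padding versus an accidental double paste) can be settled from the list itself: a double paste leaves the duplicates as a contiguous copy of the first block, in the same order, while deliberate padding or a multithreaded writer scatters them. The following is an added example, not code from the thread or from the Pastebin author; the email lists it analyses are constructed stand-ins for the real paste.

```python
"""Added example: classify a pasted email list as clean, double-pasted or
scattered-duplicates. The sample lists are constructed, not the real paste."""
from collections import Counter


def normalize(lines):
    """Strip whitespace, drop blank lines and lowercase, so 'A@x.com ' and 'a@x.com' count once."""
    return [line.strip().lower() for line in lines if line.strip()]


def dedupe_stats(lines):
    """Return (total, unique, max_repeat): the 2042 vs 1153 style numbers, plus how
    many times the most-repeated address appears."""
    emails = normalize(lines)
    counts = Counter(emails)
    return len(emails), len(counts), max(counts.values(), default=0)


def repeated_prefix_length(emails):
    """If the list is a block followed by a (possibly partial) copy of that same
    block in the same order, return the block length; otherwise return 0.
    O(n^2) comparisons, fine for a few thousand lines."""
    n = len(emails)
    for block in range(1, n):
        if emails[block:] == emails[:n - block]:
            return block
    return 0


def classify(lines):
    """'clean' (no duplicates), 'double paste' (duplicates form an in-order copy of
    the first block) or 'scattered' (duplicates present but not contiguous)."""
    emails = normalize(lines)
    total, unique, _ = dedupe_stats(lines)
    if total == unique:
        return "clean"
    if repeated_prefix_length(emails) > 0:
        return "double paste"
    return "scattered"


# Constructed sample input (hypothetical addresses, not from the leak).
UNIQUE_LIST = ["alice@example.com", "bob@example.com", "carol@example.com", "dave@example.com"]
DOUBLE_PASTE = UNIQUE_LIST + UNIQUE_LIST[:3]          # first block pasted again, cut off early
SCATTERED = ["alice@example.com", "bob@example.com", "alice@example.com",
             "carol@example.com", "bob@example.com"]  # same addresses, duplicates interleaved

if __name__ == "__main__":
    for label, data in (("unique", UNIQUE_LIST), ("double paste", DOUBLE_PASTE), ("scattered", SCATTERED)):
        print(label, dedupe_stats(data), classify(data))
```

Run it against a real file with `classify(open("emails.txt").readlines())`. A `double paste` verdict supports the accidental-paste reading; a `scattered` verdict is what a padded or multithreaded dump would look like, and the total-versus-unique counts are what to quote either way.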


>> illustrates that someone is mad at Coinbase and is lashing out

>That's an ad hominem attack.

No it isn't. I honestly wish that people would stop erroneously calling out logical fallacies. An ad hominem attack is refuting someone's argument by attacking their character in a way that has nothing to do with the discussion. For example, this is an ad hominem attack:

Obama: ObamaCare has insured 7.1 million people through the exchanges.

Sally: Oh sure, but what difference does that make - you're a Muslim and want this country to fail!

That is an ad hominem. Because Obama being (or not being) a Muslim is irrelevant to the discussion and is only used to impugn the character of Obama.

What is not an ad hominem attack is evaluating evidence of someone padding numbers to make Coinbase look bad and then determining that they must be biased against Coinbase. If you think evaluating evidence and coming to negative conclusions about someone is an ad hominem attack, then you are seriously mistaken.


These are serious accusations against Coinbase. There is absolutely no excuse for an artificial 2x inflation of numbers, especially for something that's supposed to be "partial"


> For starters, of the 2042 "leaked" emails, 1153 are unique.

Nice observation. I hadn't noticed it at a glance.

> combined with the possible but unfounded FBI/Fincen accusations, illustrates that someone is mad at Coinbase and is lashing out.

I agree. Those are bold accusations, and bold accusations require at least some proof.


> bold accusations require at least /some/ proof.

Can you expand? I thought all accusations needed strong evidence.


I was being hyperbolical.


Quite possible, but Coinbase really could have handled this better. They simply could have said, "You know what? While we don't agree with everything we're being accused of, we really value the community's trust and want you to know we're listening. First of all, we're really sorry to the folks who had their emails posted publicly. Secondly, we're doing XYZ to let you know we're on the case and re-evaluating our policies. Finally, we want to thank everyone who's reached out, you're helping to make Coinbase stronger."


This is exactly what they wrote in the conclusions IMO. What don't you like about their version of expressing it?


I'm not sure that's the right approach either. They're not reevaluating their policies. They believe they did nothing wrong. Clearly some amateur hacker is the one exposing emails, probably from another source.


> For starters, of the 2042 "leaked" emails, 1153 are unique.

Sure enough, when I sorted the emails alphabetically I could see that whoever posted that Pastebin listed most of the emails twice to make the list look longer than it actually was.


So you are writing this off because 'only' 1153 emails were leaked?

Then you are comparing security of virtual bank to something you did to Facebook back in the day.

The thing is that, if anything, the guy who was doing this just did a quick proof of concept from a few lists and got matches. A serious attacker could (or already did) create his own list using, let's say, a combination of LinkedIn + bitcoin-related domains to:

1. Harvest valid emails of people employed in the bitcoin sector.

2. Match them against coinbase.

3. Start phishing.

Really simple.
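Step 2 of that chain only works because the endpoint answers differently for addresses that have an account and addresses that don't. The following is an added example, not Coinbase's code and not code from the thread: a toy "request funds" handler that leaks account existence, its hardened counterpart, and the probe an attacker would run against either. The account store, the queue and the response strings are all hypothetical.

```python
"""Added example: a user-enumeration oracle in a 'request funds' endpoint,
beside a version that gives the same answer whether or not the account exists.
Everything here is constructed; it is not Coinbase's implementation."""
import secrets

# Hypothetical account store: email -> display name chosen by the user.
ACCOUNTS = {
    "alice@example.com": "Alice Example",
    "smtddr@example.com": "SMTDDR",
}

# Hypothetical work queue; a background worker would deliver or drop requests.
_QUEUE = []


def request_funds_leaky(email):
    """Vulnerable: the response says whether the address has an account and even
    echoes the display name. One call per candidate is a yes/no oracle."""
    name = ACCOUNTS.get(email.strip().lower())
    if name is None:
        return {"status": 404, "body": "no account for this email"}
    return {"status": 200, "body": "request sent to %s" % name}


def request_funds_hardened(email):
    """Hardened: queue the request unconditionally and return one fixed response.
    Existence is resolved out of band, so status and body carry no signal.
    (Timing and rate limits still have to be handled separately.)"""
    _QUEUE.append(email.strip().lower())
    return {"status": 202,
            "body": "If this address has an account, your request has been delivered."}


def enumerate_accounts(candidates, endpoint):
    """Attacker's view of the 'match them against coinbase' step: probe a
    known-bogus address to learn the 'no account' response, then flag every
    candidate whose response differs from that baseline."""
    baseline = endpoint("%s@invalid.example" % secrets.token_hex(8))
    return {c for c in candidates if endpoint(c) != baseline}


# Constructed candidate list, as a harvester might produce from public sources.
CANDIDATES = ["alice@example.com", "bob@example.com",
              "smtddr@example.com", "carol@example.com"]

if __name__ == "__main__":
    print("leaky    :", sorted(enumerate_accounts(CANDIDATES, request_funds_leaky)))
    print("hardened :", sorted(enumerate_accounts(CANDIDATES, request_funds_hardened)))
```

Against the leaky handler the attacker gets back exactly the addresses with accounts (and a display name to address the phish with); against the hardened one every probe looks identical and the candidate list is worthless. The diff-against-baseline approach is also why a "friendlier" error message is not a fix: any difference in status, body or response time reopens the oracle.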


>So you are writing this off because 'only' 1153 emails were leaked?

His attempt at misleading people by almost doubling the actual count shows that his intent was/is to make this worse than it is. It is likely that all he could find was 1153.

>if anything the guy who was doing this just did a quick proof of concept from a few lists and got matches

You don't know that. He could have been trying for weeks. The percentage of the internet that has Coinbase accounts is minuscule, and this attack requires one to correctly guess that a particular email is already attached to a Coinbase account. The fact that he falsely doubled the size of his list is a testament to this.

>Then you are comparing security of virtual bank to something you did to Facebook back in the day.

This wasn't that long ago, but my point was that this "vulnerability" is minor compared to other sites, yet the backlash against Coinbase seems to be far greater.


How do you know it was an attempt at misleading and not a simple parsing or sorting/filtering issue in bash or whatever he used to get emails?

Maybe the file was written to via different threads using cross linked dictionary?

Do you know? No, you are speculating someone would double the size of a list as if nobody would ever figure that one out.

The bug that was filed was not even open for weeks. Again you are speculating without any facts.

http://blog.shubh.am/full-disclosure-coinbase-security/

You are comparing 'vulnerability' of a service meant for people to connect and find each other to a service that handles millions of dollars of users money.

Ridiculous.


You're the one being ridiculous.

- There was no email leak from Coinbase. The source of the email list used against the API is unknown at this time.

- Someone who's savvy enough to call an API in a multi-threaded fashion but doesn't know how to: cat email_list.txt | sort | uniq ? meh, unlikely.

- User enumeration hardly equals a vulnerability and the name you put on the account doesn't have to be your real name. I have "SMTDDR" on it. All you'd get is "SMTDDR".

Really, this is some kind of political-mud-slinging at Coinbase. Wake me up when you can pull my banking info or transfer my coins out of my account.


They leaked accounts that are legit, who cares about the source when Coinbase confirmed that this instance with some random unknown list 'only' impacted 1000+ users.

Sure, but they could also not care if there are duplicates. You don't need to polish your list output for a proof of concept code, whatever he needed to prove was proven.

It's not a vulnerability, it's data leakage. Sure you put a wrong name in, most people did not.

And it's not the name that's a concern it's leakage of email addresses that would be prime target for savvy hackers who want bitcoins.

If you could run random addresses against an API offered by a vendor that sells safes for high value valuables and get a match which houses have those safes you become a target.

Sure, most people won't try to break in, but those who are in the business of doing so will try.


>You are comparing 'vulnerability' of a service meant for people to connect and find each other to a service that handles millions of dollars of users money. Ridiculous.

So you are saying that this somehow endangered customer funds?



