This article was published on April 1, 2014

Coinbase denies breach, says email and name disclosure is a ‘feature’


Coinbase denies breach, says email and name disclosure is a ‘feature’

Bitcoin wallet firm Coinbase has responded to a challenge from a security researcher by calling a feature, which allows for the possible phishing of email addresses and names, intended, rather than a vulnerability. The company has also denied that any data breach took place after a list of apparent Coinbase emails and usernames showed up online.

Researcher Shubham Shah published details of a Coinbase security risk on Monday after becoming frustrated with the company’s lack of communication about the issue. Shah discovered that he could send a series of emails requesting money from different address and receive back a response with the name and email of valid Coinbase users. While the feature doesn’t constitute a security flaw, it could aid would-be attackers who are phishing for addresses associated with Bitcoin.

Following Shah’s revelations, a list of email addresses and names allegedly belonging to Coinbase customers appeared on anonymous data site Pastebin.

Coinbase said it has put a rate-limit in place for “sensitive actions” such as requesting money, but Shah did not appear to have bumped up against it while testing his method against 400 emails addresses in quick succession.

For its part, Coinbase has asserted that a similar email address testing feature is in place at other popular services, including Facebook, Google, Dropbox, PayPal, Venmo and Square Cash.

“It’s important to note that using an email address to determine if someone has an account on a service is the norm across most Internet sites today,” the company wrote.

Update on Coinbase Data Security

Image credit: KingJC / Shutterstock

Get the TNW newsletter

Get the most important tech news in your inbox each week.