This article was published on April 1, 2014

    Coinbase denies breach, says email and name disclosure is a ‘feature’

    Story by Josh Ong

    Josh Ong is the US Editor at The Next Web. He previously worked as TNW's China Editor and LA Reporter.

    Bitcoin wallet firm Coinbase has responded to a challenge from a security researcher by describing a feature that allows for the possible phishing of email addresses and names as intended behavior rather than a vulnerability. The company has also denied that any data breach took place after a list of apparent Coinbase emails and usernames showed up online.

    Researcher Shubham Shah published details of a Coinbase security risk on Monday after becoming frustrated with the company’s lack of communication about the issue. Shah discovered that he could send a series of emails requesting money from different addresses and receive back a response with the name and email of valid Coinbase users. While the feature doesn’t constitute a security flaw, it could aid would-be attackers who are phishing for addresses associated with Bitcoin.

    Following Shah’s revelations, a list of email addresses and names allegedly belonging to Coinbase customers appeared on anonymous data site Pastebin.

    Coinbase said it has put a rate limit in place for “sensitive actions” such as requesting money, but Shah did not appear to have bumped up against it while testing his method against 400 email addresses in quick succession.

    For its part, Coinbase has asserted that a similar email address testing feature is in place at other popular services, including Facebook, Google, Dropbox, PayPal, Venmo and Square Cash.

    “It’s important to note that using an email address to determine if someone has an account on a service is the norm across most Internet sites today,” the company wrote.

    Update on Coinbase Data Security

    Image credit: KingJC / Shutterstock