Coinbase users’ real names, emails ‘leak’ online due to API function
The problem is there. But just how bad is it?
Update: Coinbase has issued a statement on the “hack” and continues to downplay its importance and severity:
“Specifically with regard to the ‘request money’ feature of Coinbase, it is highly inaccurate to suggest that names or emails were leaked or that there has been a breach,” the company says. It adds:
While not ‘unlimited,’ it is intentional that Coinbase users are able to send invoices to an arbitrary number of email addresses. Allowing lists to be invoiced is core functionality of our service, and this functionality is intentionally built into our API. This process simply sends an email with a request. It does not initiate any bitcoin transfer without confirmation from the recipient, and would not be any more effective than more traditional phishing methods, which we spend a considerable amount of time preventing.
You can read the full exchange here.
An anonymous hacker has posted the real names of more than 2,000 users, paired with their email addresses, to Pastebin, and claimed to own a “full list” of every single customer.
A source with knowledge of the situation told the Daily Dot that Coinbase does not believe such a list exists. The company does, however, publicly acknowledge the crux of the hacker’s findings: that anyone with a Coinbase account can send a request for money to literally any email address. If that email address is registered to a Coinbase account, the name associated with the account will appear in the pending transaction.
As a result of this function of Coinbase’s API, anyone who knows your email address can both confirm that you have a Coinbase account and obtain the name associated with that account. A person familiar with Coinbase’s private operations says the author of the Pastebin post likely compiled the list of emails and names using this aspect of the Coinbase API, and did not “hack” into Coinbase’s system.
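The behavior described above is an account-enumeration oracle: the response to a money request differs depending on whether the address is registered. The sketch below is an added example, not Coinbase's code or API; the handler names, the in-memory account table and the "existing contact" rule in the hardened version are all assumptions, and the data is constructed.

```python
# Constructed sample data (hypothetical accounts, not taken from the article).
ACCOUNTS = {
    "alice@example.com": "Alice Example",
    "bob@example.com": "Bob Sample",
}
# sender -> recipients the sender has already transacted with (assumed rule)
CONTACTS = {"bob@example.com": {"alice@example.com"}}


def request_money_leaky(sender, recipient_email, amount):
    """Behavior the article describes: the pending request shows the
    account name whenever the recipient address is registered."""
    pending = {"to": recipient_email, "amount": amount, "status": "pending"}
    name = ACCOUNTS.get(recipient_email)
    if name is not None:
        pending["recipient_name"] = name
    return pending


def request_money_hardened(sender, recipient_email, amount):
    """One possible mitigation (an assumption, not the company's fix):
    identical response shape for every address, with the name filled in
    only when the recipient is already a contact of the sender."""
    pending = {"to": recipient_email, "amount": amount,
               "status": "pending", "recipient_name": None}
    if recipient_email in CONTACTS.get(sender, set()):
        pending["recipient_name"] = ACCOUNTS.get(recipient_email)
    return pending


def leaks_membership(handler, sender, registered, unregistered):
    """Regression check: True if the responses for a registered and an
    unregistered address differ in anything but the echoed address."""
    def shape(resp):
        return {k: v for k, v in resp.items() if k != "to"}
    return shape(handler(sender, registered, 1)) != shape(handler(sender, unregistered, 1))


if __name__ == "__main__":
    stranger = "stranger@example.com"  # constructed sender with no contacts
    for handler in (request_money_leaky, request_money_hardened):
        print(handler.__name__, "leaks:",
              leaks_membership(handler, stranger,
                               "alice@example.com", "nobody@example.com"))
```

A check like `leaks_membership` belongs in the test suite of any endpoint that accepts an email address, so a later change cannot quietly reintroduce the difference.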
Addressing the issue on the forum Hacker One, Coinbase said “We’ve spent a good amount of time investigating this behavior and we believe that the risks are incredibly minor.” Coinbase also noted that it doesn’t require users to use their real full name in their account.
Knowledge of the potential problem comes from that Hacker One post’s author, Shubham Shah, who seeks out software vulnerabilities. Shah has been in open contention with Coinbase the past few days about this issue: tweeting about it, giving interviews, and even gif-ing the process. On Monday, he posted a blog post detailing how he does it. “I have tried my best to get these bugs fixed,” he wrote. “I mean no harm by posting this, but rather wish to inform Coinbase users.”
Coinbase is adamant that it’s not a real hack, tweeting that the company “is, as always, secure–despite April Fools Day speculation.” Despite the reassurance, at least some Coinbase users claim to have received “phishing emails” following publication of the Coinbase user list.
It’s unclear if Shah had anything to do with the list of 2,000 names and email addresses, or if it was compiled by someone who ran with his ideas. Shah didn’t immediately respond to the Daily Dot’s request for comment—but to be fair, he’s apparently in Australia, and it’s the middle of the night there.
Photo via Coinbase. Remix by Fernando Alfonso III
A former senior politics reporter for the Daily Dot, Kevin Collier focuses on privacy, cybersecurity, and issues of importance to the open internet. Since leaving the Daily Dot in March 2016, he has served as a reporter for Vocativ and a cybersecurity correspondent for BuzzFeed.