Coinbase users’ real names, emails ‘leak’ online due to API function
The problem is there. But just how bad is it?
Update: Coinbase has issued a statement on the “hack” and continues to downplay its importance and severity:
“Specifically with regard to the ‘request money’ feature of Coinbase, it is highly inaccurate to suggest that names or emails were leaked or that there has been a breach,” the company says. It adds:
While not ‘unlimited,’ it is intentional that Coinbase users are able to send invoices to an arbitrary number of email addresses. Allowing lists to be invoiced is core functionality of our service, and this functionality is intentionally built into our API. This process simply sends an email with a request. It does not initiate any bitcoin transfer without confirmation from the recipient, and would not be any more effective than more traditional phishing methods, which we spend a considerable amount of time preventing.
You can read the full exchange here.
An anonymous hacker has posted the real names of more than 2,000 users, paired with their email addresses, to Pastebin, and claimed to own a “full list” of every single customer.
A source with knowledge of the situation told the Daily Dot that Coinbase does not believe such a list exists. The company does, however, publicly acknowledge the crux of the hacker’s findings: that anyone with a Coinbase account can send a request for money to literally any email address. If that email address is registered to a Coinbase account, the name associated with the account will appear in the pending transaction.
As a result of this function of Coinbase’s API, anyone who knows your email address can both confirm that you have a Coinbase account and obtain the name associated with that account. A person familiar with Coinbase’s private operations says the author of the Pastebin post likely compiled the list of emails and names using this aspect of the Coinbase API, and did not “hack” into Coinbase’s system.
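The behaviour described above is an account-enumeration oracle. As an added example (not Coinbase's code; the handler names, sample accounts and the per-sender cap are all hypothetical), the sketch below sets a request-money handler that leaks the account name beside one that returns the same response for every address, with a regression check that tells the two apart:

```python
from collections import defaultdict

# Constructed sample accounts (not real data): e-mail -> account name.
ACCOUNTS = {"alice@example.com": "Alice Example", "bob@example.com": "Bob Sample"}
MAX_DISTINCT_RECIPIENTS = 3  # assumed per-sender cap, illustrative value


def request_money_leaky(sender, recipient_email):
    """Behaviour the article describes: the pending request carries the
    account name whenever the address belongs to a registered user."""
    return {"status": "pending", "to": recipient_email,
            "recipient_name": ACCOUNTS.get(recipient_email)}


class HardenedRequests:
    """Same sender-visible response for every address, plus a cap on how
    many distinct addresses one sender may invoice."""

    def __init__(self):
        self.recipients = defaultdict(set)  # sender -> distinct addresses
        self.outbox = []                    # requests queued for e-mail delivery

    def request_money(self, sender, recipient_email):
        seen = self.recipients[sender]
        if recipient_email not in seen and len(seen) >= MAX_DISTINCT_RECIPIENTS:
            return {"status": "rate_limited"}
        seen.add(recipient_email)
        self.outbox.append((sender, recipient_email))
        # ACCOUNTS is never consulted for the sender-visible response.
        return {"status": "pending", "to": recipient_email, "recipient_name": None}


def is_oracle(handler, registered, unregistered, sender="tester@example.com"):
    """Regression check: True if the response differs between a registered
    and an unregistered address (ignoring the echoed address itself)."""
    a = dict(handler(sender, registered))
    b = dict(handler(sender, unregistered))
    a.pop("to", None)
    b.pop("to", None)
    return a != b


if __name__ == "__main__":
    print(is_oracle(request_money_leaky, "alice@example.com", "nobody@example.com"))
    print(is_oracle(HardenedRequests().request_money, "alice@example.com", "nobody@example.com"))
```

A check like `is_oracle` belongs in the test suite of any endpoint that accepts an arbitrary e-mail address, so a later change that reintroduces a distinguishing field fails the build.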
Addressing the issue on the forum Hacker One, Coinbase said, “We’ve spent a good amount of time investigating this behavior and we believe that the risks are incredibly minor.” Coinbase also noted that it doesn’t require users to use their real full name in their account.
Knowledge of the potential problem comes from that Hacker One post’s author, Shubham Shah, who seeks out software vulnerabilities. Shah has been in open contention with Coinbase the past few days about this issue: tweeting about it, giving interviews, and even gif-ing the process. On Monday, he posted a blog post detailing how he does it. “I have tried my best to get these bugs fixed,” he wrote. “I mean no harm by posting this, but rather wish to inform Coinbase users.”
Coinbase is adamant that it’s not a real hack, tweeting that the company “is, as always, secure–despite April Fools Day speculation.” Despite the reassurance, at least some Coinbase users claim to have received “phishing emails” following publication of the Coinbase user list.
It’s unclear if Shah had anything to do with the list of 2,000 names and email addresses, or if it was compiled by someone who ran with his ideas. Shah didn’t immediately respond to the Daily Dot’s request for comment—but to be fair, he’s apparently in Australia, and it’s the middle of the night there.
Photo via Coinbase. Remix by Fernando Alfonso III
A former senior politics reporter for the Daily Dot, Kevin Collier focuses on privacy, cybersecurity, and issues of importance to the open internet. Since leaving the Daily Dot in March 2016, he has served as a reporter for Vocativ and a cybersecurity correspondent for BuzzFeed.