Coinbase users’ real names, emails ‘leak’ online due to API function
The problem is there. But just how bad is it?
Update: Coinbase has issued a statement on the “hack” and continues to downplay its importance and severity:
“Specifically with regard to the ‘request money’ feature of Coinbase, it is highly inaccurate to suggest that names or emails were leaked or that there has been a breach,” the company says. It adds:
While not ‘unlimited,’ it is intentional that Coinbase users are able to send invoices to an arbitrary number of email addresses. Allowing lists to be invoiced is core functionality of our service, and this functionality is intentionally built into our API. This process simply sends an email with a request. It does not initiate any bitcoin transfer without confirmation from the recipient, and would not be any more effective than more traditional phishing methods, which we spend a considerable amount of time preventing.
You can read the full exchange here.
An anonymous hacker has posted the real names of more than 2,000 users, paired with their email addresses, to Pastebin, and claimed to own a “full list” of every single customer.
A source with knowledge of the situation told the Daily Dot that Coinbase does not believe such a list exists. The company does, however, publicly acknowledge the crux of the hacker’s findings: that anyone with a Coinbase account can send a request for money to literally any email address. If that email address is registered to a Coinbase account, the name associated with the account will appear in the pending transaction.
As a result of this function of Coinbase’s API, anyone who knows your email address can both confirm that you have a Coinbase account and obtain the name associated with that account. A person familiar with Coinbase’s private operations says the author of the Pastebin post likely compiled the list of emails and names using this aspect of the Coinbase API, and did not “hack” into Coinbase’s system.
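What the two paragraphs above describe is an account-enumeration oracle: the response to a money request differs depending on whether the address is registered. The following is an added illustration, not Coinbase's code or API; the handler names, the sample account and the recipient cap are assumptions. It puts a handler that behaves as described beside one that answers every address the same way, with a regression check that tells the two apart.

```python
from collections import defaultdict

# Constructed sample account store (email -> account name); not real data.
ACCOUNTS = {"alice@example.com": "Alice Example"}

def request_money_leaky(sender, recipient_email):
    """Behaviour the article describes: the pending request carries the
    account name whenever the recipient address is registered."""
    name = ACCOUNTS.get(recipient_email)
    return {"status": "pending", "to": recipient_email, "recipient_name": name}

class RequestMoneyHardened:
    """Same feature without the oracle: one response shape for every
    address, plus a cap on distinct recipients per sender."""
    def __init__(self, max_recipients=20):
        self.max_recipients = max_recipients  # assumed threshold
        self.seen = defaultdict(set)          # sender -> distinct recipients

    def request(self, sender, recipient_email):
        recipients = self.seen[sender]
        is_new = recipient_email not in recipients
        if is_new and len(recipients) >= self.max_recipients:
            return {"status": "rate_limited"}
        recipients.add(recipient_email)
        # The invoice email still goes out; the sender learns nothing about
        # the account unless the recipient chooses to confirm.
        return {"status": "pending", "to": recipient_email}

def is_oracle(handler, sender, registered, unregistered):
    """Regression check: do the responses for a registered and an
    unregistered address differ once the echoed address is ignored?"""
    a = dict(handler(sender, registered))
    b = dict(handler(sender, unregistered))
    a.pop("to", None)
    b.pop("to", None)
    return a != b
```

A check like `is_oracle` belongs in the test suite of any endpoint that accepts an email address, since the same difference in responses can reappear in error messages or status codes.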
Addressing the issue on the forum Hacker One, Coinbase said “We’ve spent a good amount of time investigating this behavior and we believe that the risks are incredibly minor.” Coinbase also noted that it doesn’t require users to use their real full name in their account.
Knowledge of the potential problem comes from that Hacker One post’s author, Shubham Shah, who seeks out software vulnerabilities. Shah has been in open contention with Coinbase the past few days about this issue: tweeting about it, giving interviews, and even gif-ing the process. On Monday, he posted a blog post detailing how he does it. “I have tried my best to get these bugs fixed,” he wrote. “I mean no harm by posting this, but rather wish to inform Coinbase users.”
Coinbase is adamant that it’s not a real hack, tweeting that the company “is, as always, secure–despite April Fools Day speculation.” Despite the reassurance, at least some Coinbase users claim to have received “phishing emails” following publication of the Coinbase user list.
It’s unclear if Shah had anything to do with the list of 2,000 names and email addresses, or if it was compiled by someone who ran with his ideas. Shah didn’t immediately respond to the Daily Dot’s request for comment—but to be fair, he’s apparently in Australia, and it’s the middle of the night there.
A former senior politics reporter for the Daily Dot, Kevin Collier focuses on privacy, cybersecurity, and issues of importance to the open internet. Since leaving the Daily Dot in March 2016, he has served as a reporter for Vocativ and a cybersecurity correspondent for BuzzFeed.