In a post on the Coinbase blog yesterday, the company clarified that there had been no security breach.
Despite speculation on a few forums, there has been no data breach of names or emails at Coinbase. We wanted to take this opportunity to address any concerns. … Specifically with regard to the ‘request money’ feature of Coinbase, it is highly inaccurate to suggest that names or emails were leaked or that there has been a breach.
One of the larger concerns about the leaked list is that it could be used for phishing scams, something noted by Australia-based security researcher Shubham Shah. Shah explained his concerns and frustrations with Coinbase on his website on March 31, a day before the list was released. His post also explained a method for “scraping” a list of emails from the Coinbase API, although he told CoinDesk that he was not the source of the leaked document.
Coinbase responded to these concerns, noting that Shah’s post is inaccurate, and that while it is possible to use email addresses to identify users, this is an intentional part of the site’s functionality and a standard across the web. Sites like Facebook, Google, Dropbox and PayPal have almost identical systems. What’s more, Coinbase claims, Shah’s concern about phishing risks and spam attacks is exaggerated due to rate limiting.
[The invoice email] process simply sends an email with a request. It does not initiate any bitcoin transfer without confirmation from the recipient, and would not be any more effective than more traditional phishing methods, which we spend a considerable amount of time preventing. … We’ve spent a good amount of time investigating this behavior and we believe that the risks are minor.
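The mitigation Coinbase points to is rate limiting. The following is an added illustration of how a per-account limit on a "request money"-style endpoint can be enforced and logged; it is example code written for this article, not Coinbase’s implementation, and the user directory, limits, and the choice to return the same response whether or not the recipient exists are assumptions made here for the example.

```python
import logging
import time
from collections import defaultdict, deque

logging.basicConfig(level=logging.INFO)
log = logging.getLogger("request-money")

# Constructed sample user directory (assumption; not real data).
KNOWN_USERS = {"alice@example.com", "bob@example.com"}


class SlidingWindowLimiter:
    """Allow at most `limit` calls per `window` seconds for each key."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self.calls = defaultdict(deque)  # key -> timestamps of recent calls

    def allow(self, key, now=None):
        now = time.monotonic() if now is None else now
        q = self.calls[key]
        cutoff = now - self.window
        # Drop timestamps that have aged out of the window.
        while q and q[0] <= cutoff:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class RequestMoneyService:
    """Hypothetical invoice/request-money endpoint with per-sender throttling."""

    def __init__(self, limit=5, window=60.0):
        self.limiter = SlidingWindowLimiter(limit, window)
        self.sent = []       # (sender, recipient, amount) actually queued for email
        self.throttled = 0   # count of rejected calls, useful for detection dashboards

    def request_money(self, sender, recipient, amount_btc, now=None):
        # Key the limiter on the authenticated sender so one account cannot
        # issue an unbounded number of lookups or request emails.
        if not self.limiter.allow(sender, now):
            self.throttled += 1
            log.warning("rate limit exceeded: sender=%s", sender)
            return "rate_limited"
        if recipient in KNOWN_USERS:
            # Only queue an email for a real account; the request still does
            # not move any funds until the recipient confirms.
            self.sent.append((sender, recipient, amount_btc))
        # Design choice for this example: identical reply either way, so the
        # response body itself does not reveal whether the address is a user.
        return "accepted"


if __name__ == "__main__":
    svc = RequestMoneyService(limit=3, window=60.0)
    for i in range(4):
        print(svc.request_money("sender1@example.net", f"user{i}@example.org", 0.01, now=100.0 + i))
```

Keying the limiter on the sender account rather than the client IP is what makes the throttle meaningful for a logged-in API, and the `throttled` counter and warning log give an operations team a signal to alert on when one account starts hitting the limit repeatedly.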
The Coinbase post also directly addressed the rumor that the site’s user list had been leaked, rather than scraped.
This list (the size of which is less than one half of one percent of Coinbase users) was not the result of a data breach at Coinbase. This list of emails was likely sourced from other sites – probably Bitcoin-related ones. It’s clear there was no data breach because no other user information is provided.