Coinbase denies it was hacked, or that it's under a government gag order

The bitcoin wallet denied it suffered a hack or data breach, despite the leak of customer email addresses, and said the claims it is under a gag order are "just not true."
Written by Zack Whittaker, Contributor
Image: CNET/CBS Interactive

A list of customers' names that was leaked online on Tuesday did belong to online bitcoin wallet site Coinbase, but the company denied it had suffered a data breach.

In a statement on its website, Coinbase director of security Ryan McGeehan confirmed that the list of users published was "less than one half of one percent" of Coinbase users.

"This list of emails was likely sourced from other sites — probably Bitcoin related ones," he said.

An anonymous leaker posted to Hacker News at 9am (ET) a link to Pastebin, which contained hundreds of alleged Coinbase customers' names and email addresses. Though some of these names were duplicated, the online thread was quick to point to a vulnerability that was closed without fixing may have been behind the leak of email addresses and names.

The vulnerability said that Coinbase members could be identified by their email addresses. Many on the thread accused Coinbase of ignoring the submitter's warnings, but one Coinbase employee said the company may have missed reports to its white-hat email submission list because of an email system transition.

But McGeehan explained in the blog post that the email and user enumeration on Coinbase "is the norm across most internet sites today," citing Facebook, Google, and Dropbox as others that can be used to determine whether users exist on the site or not. 

He added:

You'll also find many leading payment services allow user enumeration, including Paypal, Venmo, Square Cash, and many others.  One simply needs to try sending or requesting money using one of these services to an email address to see this in action. The name of the user or business will be revealed on the next step.

He noted that the ability to request money from others, which was described as part of the "core functionality" of it service, requires an email address, and that after investigating this behavior, "we believe the risks are minor."

However, one of the allegations made by the leaker on Pastebin remains in question — that the company is under a "gag order" and that it "provides your full transaction history to the FBI, FinCEN and IRS every day." 

A Coinbase spokesperson told ZDNet on the phone that it does work with U.S. authorities, notably FinCEN — a financial crimes enforcement agency as part of the U.S. Treasury Dept. — but denied that the company is under a gag order.

Nevertheless, after a difficult few months in the cryptocurrency circles, notably the shuttering of the Mt. Gox bitcoin exchange, the community was left again shaken by the leak. Many were however quick to calm fears about the company's security policies. 

Ryan Muller, who said on the thread that he was a victim of the leak, told ZDNet by email that he has "completely lost faith in any company's ability to manage bitcoin," and would be pulling out of the service altogether.

"Coinbase could have raised the cost of attack, say by rate-limiting requests." He said while this wouldn't have necessarily prevented his email address from being confirmed, it would have slowed the execution to make it more difficult for the attacker.

"It's not that this 'hack' poses any specific threat, except now that I'm on another email list I can expect more spam in my inbox," he added. "It's the cavalier attitude towards security that this company takes that bothers me and is why I won't be storing any money with them anymore."

"The irritant here is not so much that the attackers have my email address from another source (although that is unsettling); it's that they've now publicized it so that now I'm open to a much wider range of attackers."

Editorial standards