
Coinbase Merchant Data Leak? - dirtyaura
https://bitcointalk.org/index.php?topic=167900.0
======
cocoflunchy
I think we should all calm down and look at this in a little more detail.

A simple look at <https://coinbase.com/merchants> will show you a screenshot
of a merchant page that looks exactly the same as those 'exposed' by google
([https://encrypted.google.com/search?q=site:https://coinbase....](https://encrypted.google.com/search?q=site:https://coinbase.com/checkouts/))

Until proved otherwise, I believe these pages to be merchant pages actually
selling the items, as the copy also suggests ("Send 1.00BTC to...", "Confirm
payment"). The confusion must come, I suppose, from the ambiguous urls that
contain /checkouts/... and from people not really liking Coinbase?

Edit: Funny how this is a perfect example of the 'URLs are for people, not
computers' argument that is number 2 on HN right now.

------
Irregardless
Wow, this company went through YC? I hope they only invested bitcoins...

It's one thing to lose people's bitcoins or randomly delay/cancel transactions
(both of which Coinbase has been accused of). People know that bitcoin is
still young and the companies supporting it are inexperienced, so they expect
that. But exposing personal info and purchase history goes beyond any
definition of 'unacceptable' or 'incompetent'. Over in the Reddit thread,
they're already linking Facebook accounts with illicit transactions.

Users from Bitcointalk told Coinbase a week ago that they were starting to get
phishing emails, which means someone has been mining this data for a while
now. Yet there it is, _still_ available through a simple Google search.

~~~
niggler
"Yet there it is, still available through a simple Google search."

Let's say, for some reason, you have some information from a site you own that
you want to remove from Google search. How long does it take to remove it?

~~~
nwh
There's a link in the webmaster tool asking for speedy deletion. I'm assuming
that means gone within hours.

~~~
jlgaddis
Right, but only the owners/admins for _that domain_ can use it. In other
words, I couldn't request that a page on coinbase.org be removed -- only the
Coinbase folks can.

------
h2s
Jesus H Christ, this is quite a fuck up. Over on /r/bitcoin there's a comment
linking to a transaction involving 229BTC worth of "Avalanche Spa Powder",
which is one of those synthetic drugs of ambiguous legality. That's quite a
violation of trust on Coinbase's part. Their reputation is nuked. (Edit:
Please note that I am 100% wrong about this. Why don't I just shut the fuck up
for once?).

~~~
Geee
[https://coinbase.com/checkouts/dd24f66b49e34b97d2bbe0e3a9a2e...](https://coinbase.com/checkouts/dd24f66b49e34b97d2bbe0e3a9a2eeb4)

It is someone SELLING Avalanche Spa Powder. These all are checkout pages of
sellers, not transactions. This particular checkout was probably indexed from
legalhighaz.com which was run by <https://twitter.com/legalhighsaz>

~~~
h2s
I see. Now I feel bad for overreacting. In my defense, these pages look a lot
more like receipts than purchase pages. I would normally expect a purchase
page to have some visually emphasised call to action. I still genuinely feel a
little guilty for contributing to any hysteria about this with my comment
above though.

~~~
Geee
Well, it seems that almost everyone in this thread and on Reddit is wrong on
this one.

------
bti
Amateur hour over there. I originally signed up because they were a YC backed
startup. Thankfully I never got around to doing any actual transactions.

~~~
fyi80
YC is an investment fund and business networking program. It provides no
technical base.

Which is a bit silly, since (1) almost every YC-backed company uses the same
technical infrastructure as many others, and (2) Paul Graham made his fortune
building a self-service platform to build ecommerce websites just like YC
business websites.

Free YC startup idea: Build an ecommerce platform and technical management for
hosting startups. There's no reason YC should be promoting this legend of "CS
whiz kids" as "technical founders". Just set up a solid ecommerce platform,
and take on YC founders with business ideas to run their business on the YC
stack.

The result will be much better websites, and a bunch of high-paying jobs for
the engineers who can build quality sites. YC can be the next Yahoo Stores.
Heck, Paul Graham can probably buy Yahoo Stores division that bought ViaWeb in
the first place.

------
rdl
Oh my god, someone found _merchant pages offering stuff for sale_.

They shouldn't be indexed, but on the 1-10 scale of security vulnerabilities,
this is about a 1.05.

OTOH finding it is not very far off what Weev got 3.5 years in federal prison
for, though, under CFAA.

~~~
danielpal
I don't understand why there's a big issue with being indexed? In fact they
should be indexed if they remove the e-mail address from the page. Isn't the
goal of these pages to sell more? Don't people use search engines to find stuff
to buy?

The whole thing is just a big misunderstanding.

~~~
rdl
I think people are right to be on a "hair trigger" w.r.t. vulnerabilities at
wallet providers, given the atrocious track record of almost everyone involved
in the bitcoin industry for security.

OTOH, Coinbase and Coinlab (the new Mt. Gox) are the entities I'd trust the
most not to be outright fraudulent, since they're venture funded. The founders
stand to gain far more by being honest than running off with BTC, and the
reputation of investors (including YC) would be harmed far more by fraud, so
the only real risk is outside compromise, employee compromise, etc.

Coinbase has done a better job on security than any other BTC entity I've seen
(although I've looked at them more closely than all but a few other
providers).

------
bcl
These are buy it now / donation pages. These are NOT checkout pages for
coinbase users.

------
pathy
Why are the checkout pages even public? No robots.txt, a lot of private
information listed and public.

Shameful. I know little about web development but this seems rather obvious,
even to me.

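The comment above asks about robots.txt. As an added example (not code from this thread or from Coinbase), here is an offline check of the two controls that keep an "unlisted" page out of a search index: a robots.txt Disallow rule and a per-page noindex signal. The robots.txt, the /checkouts/ path and the three sample responses are constructed for the example; the host example.com is a placeholder. The classification deliberately flags the common mistake of combining Disallow with noindex: a crawler that obeys the Disallow never fetches the page, so it never sees the noindex, and copies that are already indexed stay indexed.

```python
"""Check whether "unlisted" pages are actually kept out of search indexes.

Added example (not Coinbase's code, not from the thread). Two complementary
controls are checked against constructed sample data, with no network access:
  1. robots.txt Disallow rules, via the standard-library robots parser
  2. per-page noindex signals (X-Robots-Tag header or <meta name="robots">)
"""
import re
from urllib import robotparser

# Constructed robots.txt; the /checkouts/ path is assumed from the thread.
SAMPLE_ROBOTS_TXT = """\
User-agent: *
Disallow: /checkouts/
Allow: /merchants
"""

# Constructed sample responses: (url, response headers, html body).
# The 32-hex-char ids are made up and mimic the shape of the thread's links.
SAMPLE_PAGES = [
    ("https://example.com/checkouts/0123456789abcdef0123456789abcdef",
     {"Content-Type": "text/html"},
     "<html><head><title>Send 1.00 BTC</title></head><body>...</body></html>"),
    ("https://example.com/checkouts/fedcba9876543210fedcba9876543210",
     {"Content-Type": "text/html", "X-Robots-Tag": "noindex, nofollow"},
     "<html><head></head><body>...</body></html>"),
    ("https://example.com/merchants",
     {"Content-Type": "text/html"},
     '<html><head><meta name="robots" content="index,follow"></head></html>'),
]


def load_robots(robots_txt: str, base_url: str) -> robotparser.RobotFileParser:
    """Parse robots.txt text that we already hold (no fetch)."""
    rp = robotparser.RobotFileParser(url=base_url + "/robots.txt")
    rp.parse(robots_txt.splitlines())
    return rp


def is_crawlable(rp: robotparser.RobotFileParser, url: str,
                 agent: str = "Googlebot") -> bool:
    """True if a polite crawler identifying as `agent` may fetch `url`."""
    return rp.can_fetch(agent, url)


# Matches <meta name="robots" content="..."> with name before content.
_META_ROBOTS = re.compile(
    r'<meta\s+[^>]*name=["\']robots["\'][^>]*content=["\']([^"\']*)["\']',
    re.IGNORECASE)


def has_noindex(headers: dict, html: str) -> bool:
    """True if the page carries a noindex directive in a header or meta tag."""
    directives = [v for k, v in headers.items() if k.lower() == "x-robots-tag"]
    m = _META_ROBOTS.search(html)
    if m:
        directives.append(m.group(1))
    tokens = {t.strip().lower() for d in directives for t in d.split(",")}
    # "none" is shorthand for "noindex, nofollow".
    return "noindex" in tokens or "none" in tokens


def classify(rp: robotparser.RobotFileParser, url: str,
             headers: dict, html: str) -> str:
    """Summarise the indexing outcome for one page.

    'disallow-hides-noindex' is the misconfiguration: the crawler is told not
    to fetch the page, so the noindex it carries is never seen.
    """
    crawl = is_crawlable(rp, url)
    noindex = has_noindex(headers, html)
    if crawl and not noindex:
        return "indexable"
    if crawl and noindex:
        return "noindex"
    if noindex:
        return "disallow-hides-noindex"
    return "disallowed"


def audit(robots_txt: str, base_url: str, pages) -> dict:
    """Classify every (url, headers, html) triple against the robots rules."""
    rp = load_robots(robots_txt, base_url)
    return {url: classify(rp, url, hdrs, html) for url, hdrs, html in pages}


if __name__ == "__main__":
    for url, status in audit(SAMPLE_ROBOTS_TXT, "https://example.com",
                             SAMPLE_PAGES).items():
        print(f"{status:24s} {url}")
```

Note that a Disallow rule only stops crawlers that choose to obey it and does nothing about copies already in an index; for pages that must not appear in search results, serving X-Robots-Tag: noindex and leaving the path crawlable is the combination that lets the engine see and honour the directive.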
~~~
clicks
[https://encrypted.google.com/search?q=site:https://coinbase....](https://encrypted.google.com/search?q=site:https://coinbase.com/checkouts/)

Phone no., names, addresses, e-mails, etc. all out. This is indeed pretty bad.
A lot of people I know who use BTC use it foremost for privacy reasons, it is
tremendously ironic how this has worked out.

~~~
thefreeman
If you are using BTC for privacy, then using a third party hosted wallet is
not a very good plan.

~~~
johnyzee
Presumably you can take your bitcoins out whenever you want if you need to use
them anonymously.

------
tptacek
If the first 6 or so SERPs are representative of Bitcoin as a whole, it
appears to be a currency that exists primarily to facilitate donations to
blogs and websites. No wonder YC funded Coinbase; it let them take another
whack at Tipjoy!

~~~
DanBC
I'm fascinated at the data revealed by leaks.

I really hope someone is scraping this to create some nice graphs and charts.

------
Geee
Damn.. These are not transactions! These are public anyway on the merchant's
site.

Just try out <https://coinbase.com/docs/merchant_tools/payment_pages> and
press the button. It goes to the checkout page similar to these.

------
jgrahamc
20 reddit.com upvotes: 0.20BTC

[https://coinbase.com/checkouts/35297a275c385a75d231fd4a6edd5...](https://coinbase.com/checkouts/35297a275c385a75d231fd4a6edd56ca)

So that's currently $1.34 per upvote. Seems like a lot.

~~~
dabeeeenster
It's not when the price of coins is 5 USD per coin...

~~~
nwh
Coinbase started in June 2012, the lowest it has been since then is $10USD.

------
MattBearman
I'm quite surprised that over an hour after this was posted, these checkout
pages are STILL public!

If I were running Coinbase I'd have put the site into some kind of 'down for
maintenance' state immediately, and then put all my effort into plugging the
leak.

Of course the Google et al indexes are a more difficult problem, but at least
stop any more from leaking.

Edit: It has been pointed out that these are seller pages, with sellers
details only, so not a data leak at all. I retract my previous statement :)

~~~
atourgates
That's because it's not a leak. These are checkout pages that sellers have
chosen to make public.

------
rheide
This is shamefully bad. There is no excuse for this.

~~~
joelrunyon
I was going to add on to this, but I think that's all that needs to be said.

This is bad.

~~~
dangoldin
Especially more so if people used it to buy illegal drugs and now have their
checkout info available in Google..

------
thomasjames
The cryptocurrency company that's never heard of cryptography. Bringing you
your world in plain text.

------
r-shirt
I trusted coinbase to cashout two years worth of bitcoin paid to my online
t-shirt business. First they ignored me for two weeks[0], then they promised
the funds would be deposited yesterday. They're still not deposited today[1].

[0]:
[http://www.reddit.com/r/Bitcoin/comments/1bdd8p/iama_bitcoin...](http://www.reddit.com/r/Bitcoin/comments/1bdd8p/iama_bitcoinaccepting_merchant_with_serious/)

[1]: <http://i.imgur.com/fNoXvMH.png> and <http://i.imgur.com/brlY2Ry.png>

~~~
barmstrong
Added a response on Reddit also:
[http://www.reddit.com/r/Bitcoin/comments/1bdd8p/iama_bitcoin...](http://www.reddit.com/r/Bitcoin/comments/1bdd8p/iama_bitcoinaccepting_merchant_with_serious/c95yd66)

Should now be resolved with all funds paid out - but the delayed response was
definitely our fault as we ramp up support. Thank you for bearing with us!

------
uvdiv
(YC S12)

~~~
niggler
I wouldn't be surprised if that were edited out. It has happened in the past
with other criticisms of coinbase.

~~~
wilfra
*it has happened in the past with all sorts of submissions (both positive and
negative) about all sorts of companies because it is part of the rules of HN.

Is the rule applied 100% of the time so that nobody will be able to find any
exceptions? No. We're talking about humans here. But they are pretty
consistent. Especially for stuff that hits the front page.

~~~
niggler
"But they are pretty consistent."

Discussed last time there was a front-page article:
<https://news.ycombinator.com/item?id=5428402>

I pointed out that "Coinbase (YC S12) hires first engineer"
<http://news.ycombinator.com/item?id=5011361> didn't conform to the standards.

~~~
wilfra
As I said, there are exceptions. Humans do this, not algorithms. It's thus
understandable how you found a two point submission that nobody ever saw which
was overlooked.

------
randlet
Searching google for coinbase checkouts:
[https://encrypted.google.com/search?q=site:https://coinbase....](https://encrypted.google.com/search?q=site:https://coinbase.com/checkouts/)

Yikes.

------
mdelias
Link to close your account:

<https://coinbase.com/account/cancel>

------
abailin
Can somebody explain how Google was able to index all these checkout pages?
Presumably they were only sent over email.

~~~
nwh
Google uses the "completion" feature of Google Chrome to collect new URLs to
scrape. If you have that on, they crawl after your visit.

~~~
h2s
Do you have any links that go into detail on this? I was intrigued by your
comment and I want to read more about it but ironically I couldn't find
anything on Google!

~~~
nwh
I can't find the paper I read on it either, but I can confirm that it happens
anecdotally with Google, and oddly enough AIM Messenger. I've had URLs that
have never had an inbound link, and magically GoogleBot rocks up when I show a
Chrome user. I'll keep looking for it.

------
jstalin
I want to like coinbase, but 100% of the time that I try to buy bitcoins it
says that it has run through its daily allotment and to try again in 24 hours.

------
DanBC
EDIT: I wrote this before people suggested that this 'leak' is just a list of
people selling stuff, and not people buying stuff. Oh well. I leave my comment
here, mostly because of bath-salts-guy - selling a large quantity of stuff of
dubious legality should probably be done more carefully.

Sorry to Coinbase people for jumping onto a pile-on before getting correct
information. ---

Regular people are hopeless when it comes to privacy and anonymity. Just look
at something simple like "Don't choose a ridiculously easy password", and then
look at any leaked password list.

When users fail so hard at the trivial stuff (where we've had advice on best
practice for years) how are they expected to succeed at tricky stuff like
crypto currencies?

This lack of user knowledge makes any coinbase[1] failures particularly bad.
It's bad because you're supposed to protect your users. It's also bad because
it's a failed business opportunity - 'hand hold naive users through a complex
crypto process' is an unfilled niche.

I was excited about Coinbase. I really wanted them to do well. But this? It's
going to take some work to recover from this.

------
iblaine
Please read past the headline. There is a lot of uneducated, sensationalist
criticism going on. The data leak has exposed info that is already public, and
basically harmless. Given someone with enough time and effort can turn this
public info into a seedy crime, like using the contact list for phishing, the
average coinbase user is far removed from this so called 'data leak.'

------
shocks
I considered posting this, but wasn't sure how the HN community would react.
Glad someone else did. Here's something scary:

[https://www.facebook.com/harley.skyberg?ref=ts&fref=ts](https://www.facebook.com/harley.skyberg?ref=ts&fref=ts)

bought

[https://coinbase.com/checkouts/dd24f66b49e34b97d2bbe0e3a9a2e...](https://coinbase.com/checkouts/dd24f66b49e34b97d2bbe0e3a9a2eeb4)

Oh dear.

~~~
apaprocki
He's the person selling, not the person buying. These pages are essentially
merchant 'buy' buttons.

------
EarthLaunch
These threads are full of misinformation and knee-jerk reactions to a problem
so minor that it is barely worth noticing. And the title ("Coinbase User Data
Leak?") is misleading - where's the zealous title editing now? The Reddit
thread is even worse. This is more revealing of the HN community than it is of
Coinbase, who hasn't done anything wrong. Disgusting.

------
pungoyal
these are merchant pages, not actual transaction invoices. checkout - a poor
choice of name of the resource for the job it intends to do ;]

------
cargo8
While this is bad, I do feel like anyone using a hosted wallet like Coinbase
where you directly link a bank account (which I think is rare among bitcoin
exchanges, etc) can't be expecting full anonymity. Coinbase is a registered
company and if they have bank accounts linked then their identities are
compromised anyway if the company were to get subpoenaed, I'd imagine.

If they want anonymity they should be personally holding their own wallet.
Most exchanges only allow some sort of cash order deposit, for this reason
exactly.

------
drcode
The irony is that bitcoin is the perfect technology for preventing these
kinds of data leaks- If only some more capable developers could start opening
bitcoin businesses.

------
jwcrux
My Twitter bot, @dumpmon, found a leak of these here:
<http://pastebin.com/raw.php?i=b34a2X3b>

------
tibbon
This has been said again and again- the main thing that Coinbase needs to do
right now is to get better about their communications with the public.

It's understandable that a fast-growing startup in a new field, doing
transaction-based work, will hit some bumps along the way. But they need to
keep the community in the loop better. Twitter, blog, posting to threads like
this (they know HN exists!)

------
JimmaDaRustla
But...but...but it's a beta!!

Sorry, had to do it ;)

------
bredren
Haters gonna hate.

------
fyi80
You know, when people were posting every blog rant about Haskell, at least a
small bit of knowledge was being circulated. This bitcoin fad is dredging the
bottom of the barrel -- dozens of upvoted comments written by people who can't
tell the difference between an advertisement and a transaction confirmation.

