Coinbase Response: Data On Merchant Pages - sethbannon
http://blog.coinbase.com/post/47198421272/data-on-merchant-pages#

======
nlh
This is a good, level-headed response. I think a few things are worth pointing
out here:

1) The initial frenzy was (I think) overblown. Lots of people jumping to
conclusions about a 'breach' when it's clear there really wasn't one.

2) Coinbase responded immediately to both posts here and on reddit explaining
that.

3) Despite the fact that it was overblown, they still gave a thorough, smart
response, took responsibility, and posted this within a few hours.

My sense is that there is some anxiety in the Bitcoin world right now. Prices
are high, naysayers are calling for a crash, yaysayers are hoping for $400
Bitcoins, and everyone is on edge for chinks in the armor.

Deep breath everyone...

~~~
politician
Coinbase has had at least one other recent incident. IIRC, downtime or a DDOS.

Considering this is a YC company, I think it's worthwhile to be...
attentive... to Coinbase's operations.

I want them to succeed, but they're definitely deploying into a hostile
environment. It's not cat pictures.

------
nulluk
Disallowing a link in robots.txt will not stop Google from indexing the page.
Google "reserves the right" to index the page if it sees links pointing to it,
to stop webmasters shooting themselves in the foot; it won't, however, fetch
the page, in accordance with robots.txt.

The recommended way is to allow google to crawl the page but explicitly
"noindex" the page via the robots meta tag (or even the x-robots header) -
[http://support.google.com/webmasters/bin/answer.py?hl=en&...](http://support.google.com/webmasters/bin/answer.py?hl=en&answer=156449)

Edit: Matt, explaining in a video:
<http://www.youtube.com/watch?v=KBdEwpRQRD0>

------
azov
This is so blown out of proportion... yes, letting Google crawl email
addresses is not kosher, but come on, public data already includes their
company name, website, and phone number, it's not like those merchants are
anonymous.

Given the attention span of the folks who circulated the news in the first
place, I would mention that _no transaction data was leaked_ somewhere in the
first paragraph.

~~~
k-mcgrady
I don't think the problem here was anonymity. As the links were easily
accessible, the email addresses were being scraped and there was a phishing
attack being carried out (which Coinbase blogged about yesterday).

------
JimWestergren
They are making a mistake...

Never ever ever use robots.txt to prevent indexing.

Robots.txt is only for preventing crawling. Rather, detect bots from the user
agent and throw a 404 header with a die, and include a meta noindex as well
just in case. Facebook recently got millions of secret URLs indexed in Google
with emails in them, and yes, crawling was blocked with robots.txt.

~~~
nulluk
I wouldn't recommend detecting bots; Google will see it as cloaking and badly
penalise you for it, as it goes against their guidelines:
[http://support.google.com/webmasters/bin/answer.py?hl=en&...](http://support.google.com/webmasters/bin/answer.py?hl=en&answer=66355)

Returning a noindex meta or header should be enough for the honest crawlers;
if you're worried about dishonest crawlers then you're fighting a losing battle
and have a different problem altogether.

~~~
JimWestergren
Yes meta noindex is the standard way.

But what if you don't want to waste server resources on bots crawling
thousands of meta noindex pages? Perhaps you are using some heavy SQL queries
on those pages.

You can block crawling with robots.txt but then Google won't see the noindex
and URLs will be indexed.

If you block and send a 404 to bots I think that's fine. They will see a blank
page - nothing to gain from that in ranking. So cloaking, perhaps yes, but I
don't think it would be risky.
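
The crawl-versus-index distinction argued over in this sub-thread (and in nulluk's earlier comment), as an added example that is not part of the original thread: a small checker that parses a robots.txt, an `X-Robots-Tag` header and a robots meta tag, and reports whether a URL can still end up indexed. The robots.txt, URL and HTML are constructed samples, not Coinbase's real files.

```python
"""Added example: why a robots.txt Disallow does not keep a URL out of the index.

A crawler blocked by robots.txt never fetches the page, so it never sees a
noindex directive; if other pages link to the URL it can still be indexed
(URL only, no content). Allowing the crawl and serving noindex avoids that.
"""
from html.parser import HTMLParser
from urllib.robotparser import RobotFileParser

# Constructed sample data (hypothetical merchant directory, not a real site)
BLOCKING_ROBOTS = "User-agent: *\nDisallow: /merchants/\n"
OPEN_ROBOTS = "User-agent: *\nDisallow: /private/\n"
MERCHANT_URL = "https://shop.example/merchants/acme"
MERCHANT_HTML = ('<html><head><meta name="robots" content="noindex, nofollow">'
                 '</head><body>contact: merchant@example.com</body></html>')


class RobotsMetaParser(HTMLParser):
    """Collects the comma-separated directives of <meta name="robots"> tags."""
    def __init__(self):
        super().__init__()
        self.directives = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and a.get("name", "").lower() == "robots":
            self.directives += [d.strip().lower() for d in a.get("content", "").split(",")]


def crawl_allowed(robots_txt, url, agent="Googlebot"):
    """Apply robots.txt rules to a URL exactly as a well-behaved crawler would."""
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    rp.modified()  # mark as read; can_fetch() denies everything until then
    return rp.can_fetch(agent, url)


def has_noindex(headers, html):
    """True if either the X-Robots-Tag header or a robots meta tag says noindex."""
    hdr = {k.lower(): v for k, v in headers.items()}.get("x-robots-tag", "")
    if "noindex" in [d.strip().lower() for d in hdr.split(",")]:
        return True
    p = RobotsMetaParser()
    p.feed(html)
    return "noindex" in p.directives


def index_outcome(robots_txt, url, headers, html, has_inbound_links=True):
    """Model the indexing result for one URL given its robots.txt and response."""
    if not crawl_allowed(robots_txt, url):
        # Blocked crawler never fetches the page, so any noindex is invisible.
        return "url_indexed_without_content" if has_inbound_links else "not_indexed"
    return "not_indexed" if has_noindex(headers, html) else "indexed"
```

With `BLOCKING_ROBOTS` the merchant page comes back as `url_indexed_without_content` despite its meta noindex; with `OPEN_ROBOTS` the same page is `not_indexed`.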

------
watsonc73
PR by numbers:

1. Get in front of the problem; 2. Offer a full and sincere apology; and 3.
Provide a forum for users to rant and moan.

------
_Lemon_
I personally feel this is a really minor problem (if that!)

I found my personal phone number appearing on customer bank statements as a
Stripe merchant. That's a bigger deal than exposing an e-mail address, but
it's still a minor issue.

Do you know how Google Checkout solves this? It explicitly states what's
public information to buyers so I can make the decision of what I'm exposing.

~~~
michaelschade
(I work at Stripe)

Sorry this wasn't clear! I can imagine it was a shock to have your number
appear; I'll make sure we make this clearer when signing up.

For some background: it's a card network rule that you include a customer
service phone number; this is intended to help reduce confusion with your
customers and to ensure they have an opportunity to reach out to you. Since
Google is an aggregator, they may include a phone number they control if you
choose to not expose your own.

One approach you might consider is to have your phone number respond with a
message suggesting users email you or visit a certain page on your website.
The important bit is just that your customers have a clear way to get in touch
with you.

------
nym
Brian is very level-headed; glad he wrote this up. As a merchant, I'm not very
concerned (my email is already public).

~~~
moot
+1 -- Brian is excellent.

I believe we (4chan) were the first merchant to use their merchant tools and
it's been a real pleasure to get to know Brian and work with his team.

------
benwoody
But I already have my pitchfork ready and my torch lit :(

------
iblaine
Good response. A++. Will buy (from coinbase) again.

------
jstalin
Sounds like much ado about nothing...

------
mtgx
Weren't they warned about not having a secure checkout page like PayPal, and
against having an insecure lightbox on the merchant's site, a few months ago
by someone here? Or was that a different issue?
