A simple look at https://coinbase.com/merchants will show you a screenshot of a merchant page that looks exactly the same as those 'exposed' by google (https://encrypted.google.com/search?q=site:https://coinbase....)
Until proved otherwise, I believe these pages to be merchant pages actually selling the items, as the copy also suggests ("Send 1.00BTC to...", "Confirm payment"). The confusion must come, I suppose, from the ambiguous URLs that contain /checkouts/... and from people not really liking Coinbase?
Edit: Funny how this is a perfect example of the 'URLs are for people, not computers' argument that is number 2 on HN right now.
It's one thing to lose people's bitcoins or randomly delay/cancel transactions (both of which Coinbase has been accused of). People know that bitcoin is still young and the companies supporting it are inexperienced, so they expect that. But exposing personal info and purchase history goes beyond any definition of 'unacceptable' or 'incompetent'. Over in the Reddit thread, they're already linking Facebook accounts with illicit transactions.
Users from Bitcointalk told Coinbase a week ago that they were starting to get phishing emails, which means someone has been mining this data for a while now. Yet there it is, still available through a simple Google search.
Just updated with a blog post: http://blog.coinbase.com/post/47198421272/data-on-public-mer...
These are merchant checkout pages. Your information is not going to be shown on one of these pages unless you created a "buy now" button, donate button, or checkout page and posted a public link to it somewhere as a merchant. Order pages are designed to be public so customers can reach them, but we messed up by making them publicly indexable and including merchant contact info there without being more explicit. The email in particular should not have been included. More details in the blog post. Very sorry for the trouble on this!
Why can't those stay anonymous?
And was actively defended and supported the last time a thread came up questioning the issues that Coinbase was having:
Turns out those questions were justified. They've outed people selling bath salts and god knows what else.
So much for anonymity. Between this, MtGox, Instawallet, do we still believe Bitcoin is taking over the world?
You don't really believe this, do you?
On the other hand, if you actually look at what these pages are, they're Checkout pages, not Transaction pages. Coinbase sellers generated these pages and intentionally linked to them. Someone even mentions this in the fourth comment on the linked page.
Let's say, for some reason, you have some information from a site you own that you want to remove from Google search. How long does it take to remove it?
It is someone SELLING Avalanche Spa Powder. These all are checkout pages of sellers, not transactions. This particular checkout was probably indexed from legalhighaz.com which was run by https://twitter.com/legalhighsaz
If someone was looking to leave coinbase, who else provides a similar service?
The POINT of bitcoin is to be decentralized. Just carry the bitcoin key in your phone directly. https://play.google.com/store/apps/details?id=de.schildbach....
Why do people think they need a web app for this sort of thing?
Due to the success of that no-install, no-config business model, a certain type of consumer can't understand files or folders, or understand why you would have something on your own computer, other than to break syncing.
Also it makes it easier to dabble?
It gained little to no interest.
Correct me if I'm wrong, but didn't most financial services exist with other currencies long before there was government backing (e.g. FDIC for savings accounts)? It's still really early in the bitcoin game, and I wouldn't be surprised if many of the bitcoin services around today are shady or incompetent, but it takes a long time for reputation-based industries to get up and running.
In an inflationary fiat currency, (ie: USD), banks who hold on to your savings loan it out and make money. However, given the economics of bitcoins, it seems unlikely to be able to make a profit by loaning out BTC right now (possibly ever, due to the deflationary nature of BTC)
Bitcoin financial services are going to look very different from your typical fiat-based banks. Not only because of Bitcoin's unique benefits and challenges... but because its economics are vastly different from other currencies.
Bitcoin Wallet Services will gain a reputation, but will then fail to earn a profit. They make no business sense.
About a week later, someone from Apple called me on the phone to let me know that BitPak had been removed from the App Store. The guy on the phone sounded like a nervous teenager. I asked him why this had happened, and he said “Because that Bitcoin thing is not legal in all jurisdictions for which BitPak is for sale”. I inquired as to which jurisdictions Bitcoin was deemed to be illegal in, and he told me “that is up to you to figure out”. I asked him which laws Bitcoin violated, and again, he replied that “that is up to you to determine”. I told the kid on the phone that he has in fact told me nothing and was most unhelpful.
They're faster, easier to use, don't require installation and don't require a lot of hard-drive space. 8 GiB database is a bit too much to be wasted on my small SSD, when I can use blockchain.info's wallet.
If you're downloading it "from the cloud" every time, your compromised phone can keylog your password, and the attacker can then download your private key "from the cloud" himself.
Sure, not using your bitcoins anywhere is extremely secure. But let's be honest here: you need to move that private key around with you. The true security measure is to have two wallets, two private keys. Transfer money over to the wallet on your phone only for temporary measures. If it looks like you have had any funky transactions, get a new phone, and a new wallet.
Your "offline wallet" remains secure and encrypted at home. But you need to put some money on your phone somehow. The most secure way of doing that is just leaving it on the phone, and making sure that private key never touches the internet.
Out of curiosity, do you know its chemical name?
Which is a bit silly, since (1) almost every YC-backed company uses the same technical infrastructure as many others, and (2) Paul Graham made his fortune building a self-service platform to build ecommerce websites just like YC business websites.
Free YC startup idea: Build an ecommerce platform and technical management for hosting startups. There's no reason YC should be promoting this legend of "CS whiz kids" as "technical founders". Just set up a solid ecommerce platform, and take on YC founders with business ideas to run their business on the YC stack.
The result will be much better websites, and a bunch of high-paying jobs for the engineers who can build quality sites. YC can be the next Yahoo Stores. Heck, Paul Graham can probably buy Yahoo Stores division that bought ViaWeb in the first place.
They shouldn't be indexed, but on the 1-10 scale of security vulnerabilities, this is about a 1.05.
OTOH finding it is not very far off what Weev got 3.5 years in federal prison for, though, under CFAA.
The whole thing is just a big misunderstanding.
OTOH, Coinbase and Coinlab (the new Mt. Gox) are the entities I'd trust the most not to be outright fraudulent, since they're venture funded. The founders stand to gain far more by being honest than running off with BTC, and the reputation of investors (including YC) would be harmed far more by fraud, so the only real risk is outside compromise, employee compromise, etc.
Coinbase has done a better job on security than any other BTC entity I've seen (although I've looked at them more closely than all but a few other providers).
Shameful. I know little about web development but this seems rather obvious, even to me.
Phone no., names, addresses, e-mails, etc. all out. This is indeed pretty bad. A lot of people I know who use BTC use it foremost for privacy reasons, it is tremendously ironic how this has worked out.
The downside is that Google will still crawl the page and use your bandwidth, but the page won't be indexed.
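An added example, not part of the thread and not Coinbase's code: the crawled-but-not-indexed behaviour in the comment above matches a `noindex` robots directive (an assumption, since the comment does not name the mechanism). The audit below checks a public page for that directive in either the `X-Robots-Tag` header or a robots meta tag, and for an email address in the body; the sample responses and the `/checkouts/EXAMPLE-n` paths are constructed.

```python
import re
from html.parser import HTMLParser

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def _directives(value):
    """Split 'googlebot: noindex, nofollow' into {'noindex', 'nofollow'}."""
    return {d.split(":")[-1].strip().lower() for d in value.split(",") if d.strip()}

class _RobotsMeta(HTMLParser):
    """Collects directives from <meta name="robots"|"googlebot" content="...">."""
    def __init__(self):
        super().__init__()
        self.found = set()

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() in ("robots", "googlebot"):
            self.found |= _directives(a.get("content", ""))

def audit_public_page(headers, body):
    """Return findings for one publicly reachable page (header dict, HTML body)."""
    found = set()
    for name, value in headers.items():
        if name.lower() == "x-robots-tag":
            found |= _directives(value)
    parser = _RobotsMeta()
    parser.feed(body)
    found |= parser.found
    findings = []
    if not found & {"noindex", "none"}:      # "none" means noindex + nofollow
        findings.append("indexable")
    if EMAIL_RE.search(body):
        findings.append("email-in-body")
    return findings

# Constructed sample responses (not real Coinbase pages).
SAMPLES = {
    "/checkouts/EXAMPLE-1": ({"Content-Type": "text/html"},
        "<html><body>Send 1.00 BTC. Contact: seller@example.com</body></html>"),
    "/checkouts/EXAMPLE-2": ({"X-Robots-Tag": "googlebot: noindex"},
        "<html><body>Send 1.00 BTC to complete the order</body></html>"),
    "/checkouts/EXAMPLE-3": ({},
        '<html><head><meta name="robots" content="noindex, nofollow"></head>'
        "<body>Contact: seller@example.com</body></html>"),
}

if __name__ == "__main__":
    for path, (headers, body) in SAMPLES.items():
        print(path, audit_public_page(headers, body))
```

A robots.txt `Disallow` on the same path would stop the crawler from fetching the page, so it would never see the directive; the two controls are not interchangeable.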
I really hope someone is scraping this to create some nice graphs and charts.
Just try out https://coinbase.com/docs/merchant_tools/payment_pages and press the button. It goes to the checkout page similar to these.
So that's currently $1.34 per upvote. Seems like a lot.
If I were running Coinbase I'd have put the site into some kind of 'down for maintenance' state immediately, and then put all my effort into plugging the leak.
Of course the Google et al indexes are a more difficult problem, but at least stop any more from leaking.
It has been pointed out that these are seller pages, with sellers details only, so not a data leak at all. I retract my previous statement :)
This is bad.
: http://i.imgur.com/fNoXvMH.png and http://i.imgur.com/brlY2Ry.png
Should now be resolved with all funds paid out - but the delayed response was definitely our fault as we ramp up support. Thank you for bearing with us!
Is the rule applied 100% of the time so that nobody will be able to find any exceptions? No. We're talking about humans here. But they are pretty consistent. Especially for stuff that hits the front page.
Discussed last time there was a front-page article: https://news.ycombinator.com/item?id=5428402
I pointed out that "Coinbase (YC S12) hires first engineer" http://news.ycombinator.com/item?id=5011361 didn't conform to the standards.
The more likely thing you are experiencing is Google reading your AJAX URLs, either by evaluating JS or by using heuristics. Google is known to do both of these, but a lot of HNers get surprised when I mention it, so FYI.
Also, these features are enabled by default.
Sorry to Coinbase people for jumping onto a pile-on before getting correct information.
Regular people are hopeless when it comes to privacy and anonymity. Just look at something simple like "Don't choose a ridiculously easy password", and then look at any leaked password list.
When users fail so hard at the trivial stuff (where we've had advice on best practice for years) how are they expected to succeed at tricky stuff like crypto currencies?
This lack of user knowledge makes any coinbase failures particularly bad. It's bad because you're supposed to protect your users. It's also bad because it's a failed business opportunity - 'hand hold naive users through a complex crypto process' is an unfilled niche.
I was excited about Coinbase. I really wanted them to do well. But this? It's going to take some work to recover from this.
Is there a date attached to that? (To work out rough quantities). It seems like a significant quantity. While we might not agree with what law enforcement do about drug and borderline-legal substances we know that law enforcement does take vigorous action.
As do the US tax people. I guess his yearly audits suddenly got worse.
If they want anonymity they should be personally holding their own wallet. Most exchanges only allow some sort of cash order deposit, for this reason exactly.
It's understandable that a fast-growing startup in a new field, doing transaction-based work, will hit some bumps along the way. But they need to keep the community in the loop better. Twitter, blog, posting to threads like this (they know HN exists!)
Sorry, had to do it ;)