Coinbase user emails and full names leaked (pastebin.com)
419 points by cbcbcb on Apr 1, 2014 | 282 comments

I'm pissed. My email address is among those leaked. I got two transaction requests, the first for 732342.34425 BTC and the second for 999999.99999999 BTC. The second had registered a username of "⚠ URGENT: Сoinbase hacked. We" so that the email subject line read "⚠ URGENT: Сoinbase hacked. We sent you a payment request."

I got my coin out of Inputs.io just a few days before they got hacked, and I've got a low balance in Coinbase. I'm going to make that a zero balance, because I've completely lost faith in any company's ability to manage Bitcoin.

You've just become a target. Everyone now knows everyone on that list has Bitcoin and uses web wallets, so it's effectively a list of potentially profitable targets for email account compromise.

Please ensure you're using random passwords on every site you use, select the best available security questions, use a password manager, and enable two factor authentication everywhere that allows it.

Also move all your coins into offline wallets. No online web wallets have a bank-grade reputation.

Hot/cold storage as Coinbase is using is probably better than any encryption. Even an end of world bug means that they can only ever lose a small portion of all stored user funds. Manual processing of this means there is some sanity checking on large withdrawals too. Encryption affords you none of that; I would be happier with Coinbase than storing on any other online wallet for this very reason.

> Even an end of world bug means that they can only ever lose a small portion of all stored user funds.

Were you born yesterday?

The steal-all-your-money rate of bitcoin businesses is running right around 100%, and you're going to lecture people that "they can only ever lose a small portion of all stored user funds"? Really?

Please don't make personally aggressive remarks like "Were you born yesterday?" on Hacker News. It only adds negativity, not information. That breaks our two most important principles: optimizing for signal/noise ratio, and being civil.

Coinbase isn't some random website made in a basement. It's a well funded, YC backed, known-founder company that complies with relevant banking law. There's absolutely nothing to suggest that they hold a partial reserve or have any ill intention whatsoever.

You're right, there isn't anything suggesting that they hold a partial reserve.

And there won't be even when they do.

And when they close due to massive theft / loss of coin, and take all of their users' funds with them, that will be the first suggestion that any user hears of.

It happened to me. It's not fearmongering, it's fact.

So ask them to prove their reserves if it bothers you so. Other large services have in the past.

Proving reserves doesn't help at all. They can die at any time from massive loss. Proof of reserve reveals whether there's a problem; it doesn't prevent any problem from happening.

To use a metaphor, a failed proof of reserve is like detecting that someone who's riding a motorcycle without a helmet has been launched into the air due to a car crash, and is about to hit the ground. That doesn't change the fact that they're not wearing a helmet in the first place. And in bitcoin's case, no such "helmet" exists. There is no protection for consumers against losing their funds by the exchange.

There's always going to be this massive risk of the coins disappearing due to any number of reasons: that they get hacked, that the founder steals them, that they lose them to some massive technical problem, that they experience another undocumented bitcoin protocol issue like malleability, that they lose access to their cold storage wallets, etc.

This has happened at, what, a dozen exchanges so far? They've all died due to one of the above reasons. Who's next? It's completely possible that Coinbase is next, and that you're recommending users throw their money away by trusting them. There's no reason to trust Coinbase. Keep your funds in your own secure cold storage wallet, and you'll have them forever. Keep them in Coinbase and you'll have them exactly as long as Coinbase lasts.

> Keep your funds in your own secure cold storage wallet, and you'll have them forever.

In regards to Coinbase, if only because their terms make it clear they aren't liable for a customer loss of any cause whatsoever.

YC-backed startup means a culture of 'move fast and break things' - works for Facebook, but definitely not something I would want to store my bitcoin on, since 'break things' means 'losing all my money with no recourse'.

There's one reason to believe they have ill intention: their habit of ignoring serious user problems (lost deposits, security problems) until they're widely public.

Their actions make clear that they are enormously untrustworthy.

That doesn't really suggest malice so much as ill attention. From their posts it sounds like they are stretched a little thin under the load; if they wanted to steal, they would just be gone, not occasionally unresponsive.

It doesn't matter one bit if it's malice or inattention once your coins are gone.

MtGox was the biggest Bitcoin exchange with the largest trade volume. I still lost all my BTC when it went under.

Same. It seems like it can't happen until it happens, and then you face the reality that it happened. It sucks, and there's absolutely no protection for consumers from it. There's not even any insurance policy that exchanges can purchase yet, which is pretty much the only hope at this point.

Wouldn't that add a transactional cost to bitcoin, not unlike PayPal or Visa?

I've spent a couple months trying to come up with ways to protect bitcoin consumers, and the only thing I can think of is for exchanges to purchase some kind of high-risk insurance which will cover losses by the exchange. Nothing else will protect users, as far as I can tell, precisely because of bitcoin's irreversible transactions.

Honestly, the best thing for the bitcoin ecosystem is to learn from Paypal and Visa, and to emulate their good qualities. I know it's popular to hate on the existing ways of doing things, but the existing ways have a lot of hidden wisdom embedded in them.

Well, you could create a certification program in which member exchanges agree to a set of financial standards between each other - e.g. they would automatically do chargebacks on disputes within the system.

This could lower the transactional-risk cost between doing business with certified exchanges, and still allow users to do business outside but with the increased transactional costs.

But then again you're just building another financial exchange system controlled by the certificate issuer - except it would need to be backed by some form of international enforcement (e.g. WTO?).

Where is the benefit to bitcoins then?

All of you guys seem not to be aware of the things you can do with Bitcoin. Eg: multi-signature wallets.

You won't need insurance when the coins simply can't be stolen.

I am aware of multisig, but multisig precludes realtime trading, which is usually the main point of an exchange.

It'd be a good idea for Coinbase to implement, though.

Some Googling only brings up names of exchanges that are working on multi-signature wallets. Do you have a link to how to set it up on your own machine?

Sure: https://www.youtube.com/watch?v=zIbUSaZBJgU

But there are also some online wallets that already implemented it:

https://www.bitalo.com/ (this one is also at the same time something like localbitcoins.com)

Yes, of course. And since transactions are completely irreversible on Bitcoin the insurance rate would have to be higher than otherwise, as there's no collateral for the insurance company to claim when they do payout.

xapo.com is insured by Meridian group. There's also one in the UK that's insured by Lloyd's that I'm drawing a blank on. Have you looked into either of them?

But how can outsiders confirm that they are really insured and not just bluffing?

This is the first I've heard that any insurance company is willing to fully insure any bitcoin exchange, and it's wonderful news. Thank you so much for pointing it out! I'll look into it and see whether it's as good as it sounds.

Thank you so much for pointing that out. It did seem too good to be true.

I'm not sure how much truth there is to that post since I haven't done any due diligence myself, I just remembered seeing it a while back.

From the top comment in that thread, it looks like the company with insurance underwritten by Lloyd's is Elliptic.

Which relevant banking law? AFAIK Coinbase is not a bank.

Just invest in a Raspberry Pi as an offline cold storage bitcoin machine. They're not expensive, and Armory (or Electrum) work fine on it. Make a paper backup and keep it in a safety deposit box if you have a large amount of bitcoins.

That's not convenient. Coinbase is convenient. You're suggesting a ride-on lawnmower as a substitute for a car. As a spending wallet Coinbase is fairly close to ideal.

Please read my post carefully next time.

There's no reason to argue against an inexpensive solution like a Pi + Armory in comparison to the massively risky "trust a third party to hold all my coins" approach.

Perhaps you're arguing so vehemently in support of Coinbase because you're keeping all of your coins there? If so, I would suggest you move them to a secure cold storage wallet immediately.

Ah yes, convenience, clearly the most important factor when choosing where to store your currency.

I keep my savings in cash under my mattress. Sure, banks are more secure, but they have annoying hours and having the money easily accessible is much more convenient.

Besides, I trust my mattress. It's a nice mattress made by a great VC backed mattress company. It's not like I'm putting my money under some mattress that I bought on craigslist.

If crypto ever wants to win over fiat among the "masses", then yes, it clearly is. Because most people don't care about scary-sounding fluff pieces about the "Fed's fractional reserve ponzi" etc.

Why would you assume any of that? Do you put blind faith in companies as a rule, or has something about coinbase particularly enchanted you?

To be clear, the attacker got your email from somewhere else and confirmed that it was on Coinbase. That's the "bug." It's like if you went to go make an account with a certain email on Facebook and found that it was taken. You would then know that the person with that email has an account on Facebook.

Regarding user names, they are optional and meant to be public.

I think the biggest problem here has been that Coinbase hasn't been responsive to messages sent to their whitehat@ address. That and the fact that users are being spammed by "researchers," which is a problem that falls back on them to mitigate.

They haven't been "hacked" though, and the only thing that has been "leaked" is public account names and account existence. The latter is almost impossible to avoid if you require unique emails for accounts (if I'm wrong about that please correct me).

That's just my naive two cents, so let me know where I'm missing the picture if that's the case! :)

I'm sceptical of this. My email was not published anywhere with regards to bitcoin or coinbase, I receive relatively little spam, yet I received 4 of these messages.

The original disclosure never claimed that emails were leaked. They were found somewhere else: http://blog.shubh.am/full-disclosure-coinbase-security/#poc

Their official response confirms this: http://blog.coinbase.com/post/81407694500/update-on-coinbase...

You can only get so much for FREE, that's not Coinkite.com's model. We charge, but we answer email and fix issues.

But a quick read over your ToS defines bitcoins as having no value and not subject to law ("Bitcoins and Litecoins ("Coins") do not constitute a currency, an asset or a form of property at law or otherwise") and that you're not responsible if they mysteriously vanish ("Any purchase or sale of Coins, for money, virtual currency or other consideration, involves inherent risks and may lead to the complete loss of any value, virtual currency or other consideration, and you agree to wholly accept any and all such risk.")

Yes, but they'll answer e-mails when you ask why all of your bitcoins disappeared.

Does anyone know where or if the full list can be found? I have a Coinbase account but I don't see my name on the abbreviated list.

I suspect that the person who made this Pastebin just ran a huge list of known leaked emails, or dictionary based emails through the minor information leakage vulnerability discussed yesterday (https://hackerone.com/reports/5200). I would be willing to bet that this brief list is actually all he got back, and he is just lying when he says "Full list much bigger."

Since the vulnerability was reliant on knowing the email first, and since my email used on Coinbase is not a known email that I publicize I doubt he would have been able to discover my Coinbase account, nor the Coinbase accounts of anyone else who uses a sufficiently random and unknown email address when signing up.

Fred from Coinbase here.

There is no full list, and there is no leak. We're drafting a more formal response now.

Would you include in your response the reason why you're ignoring Homakov's security flaw reports, which were emailed to you at your whitehat@coinbase.com email address?


A lot of people are getting nervous that you're not taking security seriously at Coinbase. Ignoring whitehat reports would seem to be a serious issue.

Hi, Ryan here - We've moved over to hackerone.com/coinbase, and emailed everyone at the whitehat@ address about the transition. We'll be getting in touch for the details and will get an autoresponder up on whitehat@. We don't view missed reports as a good thing; we'll do better and have already made improvements.

They mentioned something about it on the thread that they were transitioning to a new system - plus the fact that nobody saw it as a vulnerability. I guess that's the reason.

Apropos nothing else and without judging the actual report you're referring to: if you set up a "whitehat@yourdomain" or "security@yourdomain" alias, you need to be responsive. You can't ignore good-faith messages because you don't think they're valid. You have to act like all good-faith messages are urgent.

Those aliases are cheap insurance, but they aren't free: they'll cost you some tech support cycles.

They're actually downright expensive addresses to maintain, and they don't cost tech support cycles, they cost security engineer time.

A basic tech support person might be able to fend off the dozens of word salad "security notifications" sent by ESL students, but as they get more complicated and no less often irrelevant, you need people who actually know how your infrastructure works.

On top of the technical hassle comes the customer experience hassle of keeping a bunch of wannabe hackers happy as they demand rewards and their name on your site for their idea of a CSRF vulnerability that happens to have no basis in reality.

The backlash against these aliases is perceptible, but remember that the worst-case scenarios we're talking about today, when those addresses aren't properly staffed, were the default case before they became a common feature of startups.

Cheap, sure, but they'll cost you plenty in "lost face" when we journos write that you ignored inbound alerts from the person who later published something out of frustration.

Not just emails, either. See also event logging: https://www.schneier.com/blog/archives/2014/03/details_of_th...

Seriously, this. They are being nonchalant about this whole thing, but it may be damaging their most valuable asset - the community's trust in them. Just don't ignore repeated attempts to contact your whitehat address.

Not saying it was a good reason. Just that they did address the question.


According to the original researcher, he mailed them and got no response, and got no response at all from several other attempts at contact.

I wouldn't be surprised one bit to find that the inbox for that address is full of spam and crackpots, but, like 'tptacek said, if you're going to have the list you had better dedicate resources to reading it.

Their official response did not give any reason for ignoring the reports, nor did it even acknowledge that this happened. Disappointing.

Then how am I on the list with an email I only use at coinbase? With my full email and name, and I'm getting spammed non-stop by this "non-important" security flaw in your system.. multiple times today and counting.

Fred, some advice: make your public notice more sympathetic than that post.

Didn't you run the Iraqi ministry of information back in the day?

You are a fucking dick for ignoring that guy..just saying

"You’ll find that user enumeration is possible on Facebook, Google, Dropbox, and nearly every other major internet site."

I love this. Look these silly free social sites do it, so it must be ok. Anyone know if BofA or WellsFargo allow user enumeration?

> Anyone know if BofA or WellsFargo allow user enumeration

You're correct. They don't. Not even to authorities without a warrant. Which is the point I was trying to make in my earlier comment.[0]

[0] https://news.ycombinator.com/item?id=7510524

BofA and Wells Fargo suffer from account number enumeration.

Wells Fargo has 10-11 digit (depending on if it's WF or previously Wachovia) account numbers. One portion defines the bank branch where the account was opened, another portion defines the account type, and the last digit is a check digit. You can guess at an account number by attempting a deposit (in person or online).

There's also the fact that BofA and Wells Fargo have account numbers displayed in cleartext on pieces of paper that are handed to strangers.

I'm not arguing the merits of Coinbase's security, but traditional banks don't fare well either. Coinbase can improve. Traditional banks are limited by standards that they can't change.

I haven't personally seen the system, or tested it, but I'm pretty sure if I tried to enumerate all Bank Of America account numbers I'd get shut down pretty quick.

Two months ago I was able to enumerate all accounts from a local bank (Paraguay), they used document number and numeric passwords for login. They were showing different error messages when you tried to login with a nonexistent ID.

So I started generating random numbers between common document number ranges (1000000-4000000).

Our public health system has a web app that lets you check your enrollment status by entering a document #, and there are no CAPTCHAs! So the attack was like this: generate a random document number, send a request to the public health app and get the target's info (name, date of enrollment and other info). The most interesting thing was that I tried to login into all accounts by using the birth date of the target as a password (the bank's password policy: just numbers, a min. of 6 numbers...). Around 40% of the clients were vulnerable.

Isn't this roughly the sort of thing that got weev thrown in jail?

Yes, probably. I have communicated the public health app problem (actually they just need to put a CAPTCHA) many times but it seems that nobody cares. About the bank, I was working as a data science consultant at that time, so it was easy for me to knock the door of the security department and tell them about my attack.

Your customers are upset and losing faith. Stop trying to defend yourself and take action.

I remember a story here a few months ago about a person who had deposited tens of thousands of dollars with Coinbase, and they refused to give the customer his coins. That was a clear sign that the systems and processes at Coinbase were broken.

The fact that they didn't help the customer until they took their grievances public indicated to me that either Coinbase don't care about their customers, or they were too busy trying to balance their books because of some proprietary trading gone wrong.

Thus I think it was foolish of Coinbase to release the letter condemning MtGox. Now anything that happens to Coinbase makes them look like total hypocrites. People, glass houses, stones etc.

It's one thing for a magic card trading company to morph into a Bitcoin exchange and have problems... but for a hot-shot start-up in San Francisco with self-proclaimed tech superstars at the helm and millions in the bank to screw up royally, well, it's just embarrassing.

UPDATE: For anybody following Bitcoin news, this is obviously satire, replacing MtGox with CoinBase. Surprised people downvoted this.

There are rumors that a joint statement will be released at 5PM Pacific Time...

Joint Statement Regarding CoinBase

Apr 1st, 2014

The purpose of this document is to summarize a joint statement to the Bitcoin community regarding CoinBase.

This tragic violation of the trust of users of CoinBase was the result of one company’s actions and does not reflect the resilience or value of bitcoin and the digital currency industry. There are hundreds of trustworthy and responsible companies involved in bitcoin. These companies will continue to build the future of money by making bitcoin more secure and easy to use for consumers and merchants. As with any new industry, there are certain bad actors that need to be weeded out, and that is what we are seeing today. CoinBase has confirmed its issues in private discussions with other members of the bitcoin community.

We are confident, however, that strong Bitcoin companies, led by highly competent teams and backed by credible investors, will continue to thrive, and to fulfill the promise that bitcoin offers as the future of payment in the Internet age.

In order to re-establish the trust squandered by the failings of CoinBase, responsible bitcoin exchanges are working together and are committed to the future of bitcoin and the security of all customer funds. As part of the effort to re-assure customers, the following services will be coordinating efforts over the coming days to publicly reassure customers and the general public that all funds continue to be held in a safe and secure manner: Kraken, BitStamp, Circle, and BTC China.

We strongly believe in transparent, thoughtful, and comprehensive consumer protection measures. We pledge to lead the way.

Bitcoin operators, whether they be exchanges, wallet services or payment providers, play a critical custodial role over the bitcoin they hold as assets for their customers. Acting as a custodian should require a high-bar, including appropriate security safeguards that are independently audited and tested on a regular basis, adequate balance sheets and reserves as commercial entities, transparent and accountable customer disclosures, and clear policies to not use customer assets for proprietary trading or for margin loans in leveraged trading.

The following industry leaders stand by this statement:

Jesse Powell — CEO of Kraken

Nejc Kodrič — CEO of Bitstamp.net

Bobby Lee — CEO of BTC China

Nicolas Cary — CEO of Blockchain.info

Jeremy Allaire — CEO of Circle

p.s. Yes, this is the MtGox letter... who will be the last man standing? :-)

The possibility of this being misinterpreted as valid is rather high. I think your point could have been made well with a single explaining sentence up front and without the name substitution in the actual content.

These guys stuck the knife into MtGox... when they themselves are no better.

Check the forums over at BitcoinTalk: for months now, people using Kraken have been unable to withdraw their money, and deposits have been going 'missing'. The fact that support is conducted over a public forum, out of sheer desperation on the customers' part, tells you something.

If CoinBase did go down, would you bet against the other providers crafting a public relations message to drum up business for themselves? It's dog eat dog out there - the idea that there is a community of Bitcoin businesses looking out for each other is a joke.

What does that have to do with what I said? I think the manner in which you made your point has too high a chance of being misinterpreted to be acceptable here, which is probably why it was being downvoted.

I get your point, yet somebody misinterpreting a joke should have no impact on the company...

Unless the company actually had inadequate reserves to meet customer withdrawals, thus leaving the solvency of the company at risk of a good old-fashioned fractional reserve style bank-run...

Oh, I could care less about the company, but I do care about the integrity of HN as a whole. That doesn't mean I don't like the occasional joke on here either, but since that story seemed a bit light on details and people were looking for information, posting satire that looks very much like valid information can be unintentionally misleading.

There is no full list. The "exploit" doesn't give you email addresses you don't already have. This is why it was not considered a vulnerability.

Since Coinbase is a financial-esque firm that deals with and stores peoples money/BTC it is not at all alright for this to be treated as public information, even if someone already had the email address.

I know CB is not a financial company and they are not obligated to provide the same protections to consumers/customers.

Phishing is not the only reason why a customer would not like their bank to confirm that they have an account.

As a matter of fact in this situation, when someone sends a fund request, CB should never let the requesting party know the name of the account holder, unless the account holder explicitly gives them permission, maybe not even then.

With any other organization law enforcement would require a warrant to get basic confirmation if a customer has an account and the name on the account.

I work on dating sites, some of them a bit risqué.

On the password reset form, there's a big difference between saying "That email does not exist in our system"/"Emailed password reset instructions" vs "If that account is registered, we will email you instructions".

How do you handle users attempting to register a new account with an email address that already exists?

If you say, "we don't allow two accounts with the same email address", you have the same issue as coinbase.

For the case of people attempting to sign up a second time with the same email address, don't change anything shown from the webpage. Instead of sending a verification email, send an email informing them that someone is trying to sign up again with the same email address, and include an expiring password reset link in that email. If you see too many users forgetting that they've already signed up, and getting frustrated by filling out too much data in forms before finding out they've already signed up, then consider moving the email verification step earlier in the signup process.

So you'll allow a user to go all the way through the process of registration, create a new password, get temporary access to your site... and then what... not save that password? So a re-login attempt won't work?

I can't see how you can avoid making the experience for the duplicate user exactly the same as a new user.

> ... get temporary access to your site...

> I can't see how you can avoid making the experience for the duplicate user exactly the same as a new user.

The workflow diverges at the email verification step, before you grant any access to the site. Existing users get an email informing them that someone has tried to sign up a second time using their email address while new users get the standard email verification email.

I highly recommend not allowing account creation before email address verification. I have a difficult to spell last name, so I have one email address that contains my initials and a common word instead of my last name. You'd be surprised the number of people who don't know their own email address and the number of sites that allow people to sign up (and apparently transact significantly) without verifying email addresses. Off the top of my head, if I wanted to, I could steal one person's tax accounting account (I got confirmation that they filed their state taxes this year, and later confirmation their state accepted their filing), another person's car rental account, and a third person's business's trash service account. From time to time the one person tries to reset their car rental account password. I imagine I could reset the passwords for all of these accounts (and others) and get the last 4 digits of their credit card numbers and other personal information and use that as a starting point for gaining access to other accounts they own. In the case of the tax account, I could probably re-download the tax paperwork and get their SSN. Neither the tax accounting company nor the car rental agency replied when I informed them that accounts were set up with the wrong email addresses. (I also get business quotes from time to time. Hopefully some day I'll get email from a business or person who knows the person who keeps trying to reset their car rental account.)

If you have enough users who forget they already have an account and your signup process makes them get too far before verifying their email address, consider moving email verification earlier in your workflow.

Do you set up a timed sleep to make sure that you return results in exactly the same time regardless of path taken?

For the record, the right way to do this is to just log the request to your database, and have a background process pull the log and take appropriate action later.

Not sure if sarcasm..

This is a real attack vector. It's called a timing attack: http://en.wikipedia.org/wiki/Timing_attack

I am familiar with timing attacks. The thought of someone attempting to apply it over the internet to verify whether an email is registered on a dating site seems laughable.

Applying it over the Internet is quite feasible, especially with simple code. If it connects to a remote SMTP server, the delay may very well be noticeable enough without doing any complicated timing. It might be just about as easy as scraping the page for "user not found" versus "email sent".

I assume that was the original point - that on risqué dating sites, the recover-password system tries to hide membership.

It gives the full name associated with an email address. A more dramatic but analogous situation would be if an attacker were able to attain password info or credit card info associated with an email address.

Just because email address is known does not imply that other personal information should be given away.

Does it leak the fact that you have a coinbase account? That seems private as well.

If someone has your email address it is impossible for coinbase or any service to stop that person from checking if you have an account. All they have to do is try registering a new account with your address and see if it lets them (as most services don't allow multiple accounts to use the same email address).

It doesn't need to be impossible. The problem could be designed away: on form submission send an email saying 'looks like you already have an account' or 'welcome... next steps' and just show a 'check your email' message in the browser.
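The design sketched in this reply (and in the earlier signup/reset exchange and the timing-attack sub-thread), as an added example that is not Coinbase's or any poster's code: the request path does no account lookup and always returns the same text, and the branch that actually differs runs in a background worker that pulls from a queue. The in-memory store, the queue and all function names are assumptions.

```python
"""Enumeration-resistant signup and password-reset handling (added example).

The web request path never consults the account table, so neither the page
text nor the response timing depends on whether the address is registered.
A background worker later decides which mail to send: new addresses get a
verification link, already-registered addresses get a "someone tried to sign
up with your address" notice carrying an expiring reset link, and reset
requests for unknown addresses are dropped silently.
"""
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

RESET_TTL_SECONDS = 15 * 60          # assumed lifetime of a reset link
GENERIC_RESPONSE = "Check your e-mail for the next step."   # same for every path


@dataclass
class Account:
    email: str
    password_hash: str                # placeholder; real code uses a password KDF


@dataclass
class Mail:
    to: str
    kind: str                         # "verify", "already_registered" or "reset"
    token: str


@dataclass
class Store:
    """Constructed in-memory stand-in for a database plus a work queue."""
    accounts: Dict[str, Account] = field(default_factory=dict)
    pending_signups: Dict[str, str] = field(default_factory=dict)          # token -> email
    reset_tokens: Dict[str, Tuple[str, float]] = field(default_factory=dict)  # token -> (email, expiry)
    queue: List[Tuple[str, str]] = field(default_factory=list)             # (kind, email)
    outbox: List[Mail] = field(default_factory=list)                       # mail the worker "sent"


def normalise(email: str) -> str:
    return email.strip().lower()


# ---- request path: identical work and identical response for every address ----
def handle_signup(store: Store, email: str) -> str:
    store.queue.append(("signup", normalise(email)))
    return GENERIC_RESPONSE


def handle_reset_request(store: Store, email: str) -> str:
    store.queue.append(("reset", normalise(email)))
    return GENERIC_RESPONSE


# ---- background worker: the only place the account table is consulted ----
def _issue_reset_token(store: Store, email: str, now: float) -> str:
    token = secrets.token_urlsafe(32)
    store.reset_tokens[token] = (email, now + RESET_TTL_SECONDS)
    return token


def process_queue(store: Store, now: Optional[float] = None) -> int:
    """Drain the queue; return the number of requests handled."""
    now = time.time() if now is None else now
    handled = 0
    while store.queue:
        kind, email = store.queue.pop(0)
        exists = email in store.accounts
        if kind == "signup":
            if exists:
                store.outbox.append(Mail(email, "already_registered",
                                         _issue_reset_token(store, email, now)))
            else:
                token = secrets.token_urlsafe(32)
                store.pending_signups[token] = email
                store.outbox.append(Mail(email, "verify", token))
        elif kind == "reset" and exists:
            store.outbox.append(Mail(email, "reset", _issue_reset_token(store, email, now)))
        # reset for an unknown address: nothing is sent and nothing is observable
        handled += 1
    return handled


# ---- link redemption: the account is only created once the address is verified ----
def complete_signup(store: Store, token: str, password_hash: str) -> bool:
    email = store.pending_signups.pop(token, None)
    if email is None or email in store.accounts:
        return False
    store.accounts[email] = Account(email, password_hash)
    return True


def redeem_reset_token(store: Store, token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the e-mail a valid, unexpired token belongs to; consume it either way."""
    now = time.time() if now is None else now
    entry = store.reset_tokens.pop(token, None)
    if entry is None:
        return None
    email, expiry = entry
    return email if now <= expiry else None
```

Because the queue entry is the only work done during the request, an attacker comparing response bodies or timings for known and unknown addresses sees the same thing; the difference exists only in the recipient's inbox.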

That sounds innocuous. But it's easy for, say, mobile badware to harvest contact lists. By targeting non-anonymous bitcoin holders as a "seed" list and using exposed contact lists like LinkedIn contacts, you can ratchet your way up into disclosing a lot of people who would prefer not to be known, lest they become phishing targets.

Doesn't seem innocuous. Maybe coinbase ought to be making pseudonymity more easily accessible.

It does confirm email addresses you can guess though (which are not necessarily email addresses you have, until they're confirmed), along with leaking other information about that user.

What other information is it leaking?

From what I gather, first name and last name.

Stopping email address validation is, I think, impossible for a company like Coinbase, but revealing the name doesn't have to happen.

On the other hand, providing the first and last name could be very valuable to the users, though. If I send coins to bob@example.com, I'd like to see the real name behind that address.

On the other other hand, if anyone can make any first and last name they wish, then the safety of that goes away. Maybe I make b0b@example.com with the same real name.

EDIT The users agreed to have their names given to people they transact with. Does that include strangers attempting to transact with them? I'm thinking "no" but can see the other side.

If you want a service that allows the sender to verify name before sending, make it a feature that both:

(1) is opt-in on the recipient's side and fails with something like "that recipient email address doesn't have an account, the name doesn't match, or they haven't decided to allow name verification"


(2) is only available on payments above your highest guess at the expected value of matching an account-email-name triple for spearphishing, and the error messages (and timings) are identical if the name doesn't match or the given email address doesn't have an account.

I imagine there are few profitable attacks where an answer "yes, email_address with name has a Coinbase account" costs a minimum of 100 USD to an attacker and getting an answer "Either email_address doesn't have an account, that name doesn't match our records, or they've chosen not to share their name" costs 0 USD. However, I'd have to think a bit more about that 100 USD minimum.

What danielweber said, the listed real name with Coinbase. I'm not so sold that it's a Big Deal™, but it's certainly not completely leakproof with regard to user data either.

I think you meant to say:

"This is the bullshit excuse they are trying to use to make it SEEM like it's not a vulnerability."

Coinbase is deliberately misleading their users regarding privacy if they do not fix this issue!

For what it's worth, I have a coinbase account linked to a gmail address in the form firstname.lastname, where both are common names. I'd expect it to be in a dictionary based list, and it's not on the pastebin.

I just noticed that the hackerone report curl bit includes a coinbase session cookie. Doesn't seem like a good thing to include.

At this point I would not trust Coinbase, their engineering department shows that they have very little clue when it comes to building a secure infrastructure.

Not only are they not rate limiting and leaking names, their implementations are simply laughable.

With a proper design, customers should have been allowed to either enable/disable that end-point when somebody is searching for their email, or there should have been an option to have a 'whitelist' of users that are able to look up that information and make a transaction request.

On top of that, they should have been able to detect a pattern such as this attack and pro-actively block it.

This would pass for a to-do app API but Coinbase? Wow.

I haven't really lost my trust in Coinbase due to this issue but I do find it annoying the way they are handling it so far.

Almost any site that has a password reset can be used to verify whether an email account exists in that system - depending if the system tells you "no user with that username exists" or not. Coinbase is in no way unique with the amount of info they expose, which is the point they were trying to make on their "official" response.

I would have liked to see them announce that the API does have some sort of throttle and maybe they are going to think of ways to enable an option for this behavior or something - basically anything except to just dismiss it. Because even though I personally agree with them as far as the level of vulnerability - a lot of people don't and Coinbase doesn't seem to understand this perception problem.

It is certainly possible to allow for password resets and account creation as well without revealing whether an account exists.

Password reset:

1. User enters email in password reset form.

2. Website shows the same message whether the password was reset or not.

3. Email is what differs. If the account exists, send a password reset link. If it does not, send an email asking them if they want to create an account (and offer an unsubscribe link so people can't spam signup emails).


1. User enters email in signup form.

2. Website states it is sending an email to verify the account.

3. If it already exists, send a message saying they already have an account. If not, send the normal email verification link and then they can complete filling in their account details.

This prevents someone without access to the email from finding that the account exists, and also keeps the owner of the email filled in if they just forgot which email they used for the account or that they already had an account.

I agree 100% this is the right way to do it. And it's really not any more difficult to implement.

The problem is the convenience tradeoff. Take a site that has an instant green/red indicator that a username is already taken. People love the instant feedback, but it creates an attack vector. If you had to wait around for an email to see if you had already signed up - I bet a "Show HN" would have people here telling you that your site was user hostile! Even though it is unquestionably more secure.

I do think what Coinbase is doing now is not out of line with standard practices. But for a financial site they might be wise to start erring in the direction of security at the expense of a little convenience.

Yes, this is the right workflow, but you'll be surprised how very few services implement this properly! Another thing that most services don't implement is providing geolocation and other pieces of info in password reset emails and the ability to report that you didn't request that with some basic flagging (even as simple as flagging that session), which would prevent that guy from continually resetting it. The ability to add login email notification is also priceless.

I see your point, but keep in mind that Coinbase deals with money.

I don't think many banks (if any) will let you do a password reset based on your email address; they would use your credit card/account number as an identifier of some sort not tied in to their authentication system or a system that can be hacked (i.e. email).

Them comparing a financial service API that deals with money to Google+ or Facebook should tell you as much.

I assume someone took a huge list of emails and ran them through the Coinbase API as described in https://hackerone.com/reports/5200 and retrieved their full names, and is now scaremongering. I do not think they are enumerating users from the coinbase database, but who knows.

edit: The recent adobe email list comes to mind.

You're right. As a Coinbase customer, neither my name nor my Coinbase-only email address was in this list.

What you describe is exactly the exploit that was disclosed and exactly what the person exploiting it seems to have done based on the content of the list. Of course, Coinbase argues that this is a feature and not a bug.

> neither my name nor my Coinbase-only email address was in this list

That doesn't really mean anything, since it clearly says at the top:

"Here is a partial list of Coinbase user emails and their full names. Full list much bigger."

Which could be bullshit and scaremongering. But it certainly could be true that they have a large number of Coinbase users' emails.

>Which could be bullshit and scaremongering.

It could also be that you are reading too much into it.

>"Here is a partial list of Coinbase user emails and their full names. Full list much bigger."

Where does it say in that sentence that the OP has access to the "full list"? It doesn't say that. It implies it, which you picked right up on. But he doesn't explicitly say, "Here is a partial list of the full list in my possession".

The author already claims that this is only a partial list and that he didn't disclose everything he has access to.

That was my first thought. This feels off, I doubt Coinbase database was hacked and this is just using their API flaw and some previously leaked email database.

Why the fuck would someone keep cash in a central repository if the whole purpose of bitcoin is to be de-centralized? It's like, hey, I have a car so I can get around town any time I want, so let me park it with a bunch of other cars in a dark open lot 2 miles from my house. Sure, I have to take a short bus ride to get to it, and it could be stolen or broken into at any time, but that's the price I pay for convenience, versus just keeping it in my garage where it's much more inconvenient for anyone to steal or damage it. (?????)

A website is not a bank. There are no armed guards or vaults and there is no federal insurance for your bitcoin. You're basically all handing your money to some guy who keeps all the coin on the second floor of a corporate office with a single old dude standing guard at the elevator. It's totes hard to get past that guy, because like, he has a badge and a hat and everything.

In my case, because Coinbase provides a simple, trusted way to sell Bitcoin and deposit the money into my bank account.

I'm not buying Bitcoin because it's decentralized. I'm buying it because there is a market bubble, and I can profit from currency speculation.

Perhaps some of these individuals are using coinbase as a way to purchase bitcoins before they move them to their private wallets.

Isn't this a bit of a mischaracterization?

Coinbase is more like an AC'd storage facility with locks on the doors and people on staff checking IDs than a "dark open lot 2 miles from my house". Yeah, it's not Fort Knox, or even a basic bank vault, but if I think I'm much more likely to lose a thumb drive or have my computer stolen than suffer a catastrophic problem with a storage facility owned by reputable people, how does it not make sense?

That said, I'd probably be thinking about this a lot harder if I had any serious money put away in bitcoin. A storage facility is not an appropriate place to store 5 tons of gold.

>Why the fuck would someone keep cash in a central repository if the whole purpose of bitcoin is to be de-centralized?

Decentralization means the freedom to partially centralize.

>There are no armed guards or vaults and there is no federal insurance for your bitcoin.

You can pay for private insurance, which can cover more money than federal insurances (albeit not for free). Just like it should be.

> Coinbase provides your full transaction history to the FBI, FinCEN and IRS every day. They are under a gag order.

That is an interesting accusation. Even if this is true, we are unlikely to have evidence. Is there a serious risk to Coinbase users, granted the Gov has full access?

This is highly likely to be true, and even if it's not, everyone should operate as if it's true. With the meteoric rise in price appreciation, I can't imagine the IRS at some point not requiring that the largest companies directly report users' income or capital gains to them. So don't be tempted to under-report your bitcoin gains. Similarly, the FBI and other money regulators have clearly shown their strong interest in stopping illegal activities conducted with Bitcoin, so I can't imagine them not receiving information from the largest companies and exchanges.

The allegation of a gag order is a bit odd, however. This should all be fairly obvious, so I'm not sure why anyone would want to keep it secret. Counting on the hubris and naivety of criminals, I guess?

What form would the IRS require it to be filed as? I don't know of any industry/company that is required to file a monthly/daily 1099 for customers. Even the banks are only required to file that stuff yearly via a Schedule D.

Oops, you are right, I totally read that too fast and didn't catch the allegation of "full" transaction history being provided "daily" for all users. That seems like way more detail than the IRS or FinCEN needs...even the FBI is likely more targeted than that.

Also, I should note I am no expert on this topic, I just think people would be very foolish to cheat on their taxes or commit financial crimes via Coinbase or any very large exchange. One should assume government prosecutors or tax collectors can and do access it just as easily as with the regular banking infrastructure (to whatever extent that is), even if they don't actually do so yet.

If they had evidence of that, why wouldn't they have pasted it as well? I'm assuming it's baseless speculation.

Btw, has anyone actually confirmed any of these emails / names are real? I have a coinbase account and am not mentioned in the leak.

Wouldn't any evidence supporting the existence of the gag order be a violation of the gag order?

Yes. I read something about a library that had a sign up, "No government agents have been here." They would take down the sign during an investigation. Anyone who knew the sign -was- there knew an investigation was underway. No gag order was broken. There is a name for this type of flag, but I don't know it off hand.

Presumably the person dumping names and emails (PII/PID) on pastebin has little regard for gag orders. (And no motivation not to reveal such an order, if proof were readily available.)

Because it's not a secret. That is (a heavily dramatized version of) the standard regulations that apply to every licensed money transmitting service.

I can confirm at least one name and address on it is real.

It's hard to believe that it's not the case. I mean - why wouldn't the DOJ take an interest?

The link has no mention of the "bug was dismissed" as stated in the HN title. Support for this? Or is it the same bug as https://news.ycombinator.com/item?id=7504353 ?

Also, what is the evidence for the assertion that transaction logs are delivered daily? Given recent revelations, it's probably a reasonable assumption, but there's still no actual evidence given.

Here is the bug closed as "Won't fix" (so yes, it is the same exploit/bug):


Apparent Coinbase response there: "This stance is not unusual on the web: you'll find that user enumeration is possible on Facebook, Google, and nearly every other major internet site"

Um, no. If that is what Coinbase believes, I just lost respect for their claims of security.

FWIW, https://plus.google.com/people/find

You can find people's G+ profile if you guess the email correctly. I wouldn't be surprised if LinkedIn, Facebook, etc. had the same type of thing. I do think that the coinbase API should be rate-limited or unreplayable, but I'm _much more_ interested in where the email-list input data came from. My email wasn't in this alleged partial list, but if it was I'd like to know where they got my email from to begin with because the source of that email-list is the real problem IMHO.

I will say this though: Coinbase, please make sure there is absolutely no api call that returns banking/CC info!

You can just type emails into the gmail account creation form to get results back on if the username was taken.

This whole debacle is making a mountain out of a molehill.

Do it enough, and you get a CAPTCHA, do it more, and you get banned by IP. I would assume that the limits are set to a point that it's very difficult to enumerate the database in any reasonable timespan.

In a not-yet-authenticated state your code should do everything it can not to tell a potential hacker something they do not already know. Being able to check if an account exists and being able to read off the full name associated with it are not the worst problems in the world (though knowing the full name could make phishing attacks slightly less unconvincing) but if you take the attitude of never telling an attacker anything no matter how innocuous you think the information is then you are less likely to accidentally let something sensitive slip due to a bug.

SMTP's the API for checking if an address exists at any mail provider. Start sending a mail, if the server doesn't tell you there's no such mailbox right then, you can abandon the connection without sending a message through. No CAPTCHAs there either.

Many mail servers delay account checking for that very reason.

They take in all mail - instead of telling the sending MTA that the account doesn't exist the message is accepted and sent to /dev/null. A bounce message may be generated but the automated MTA won't see that as the message will be carrying invalid mail sender information.

Many mail relays, especially spam appliances like Barracuda, will always give a 250 OK to the email address provided to prevent exactly this trick. They then toss as spam or bounce once they get the message.

Would you care explaining why it is that you believe email enumeration to be "insecure"?

The data obtained is an email address and a name (only if the user filled in the "name" field). This may as well be treated as public information.

It also discloses whether someone is a customer or not. Possibly en masse. Problems:

1) Aids phishing attacks against Coinbase and customers

2) Oftentimes harmless tidbits of information can be combined to form non-harmless information. In this case, disclosing email, name, and the fact of being a Coinbase customer, or not, seems minor on its own. However, combine it with some other dataset (let's say emails/passwords taken from an unrelated site), and now it would be easier to break into accounts without setting off warning bells, since you already know who is a user or not.

Dismissing the information disclosure strikes me as akin to the "it's only harmless metadata" argument of the NSA. As we have already seen in many reports, "metadata" can be surprisingly powerful.

I would argue that using a personal email and filling in your full name on coinbase, who CLEARLY state you have no expectation of privacy in this regard, is effectively the same as publicizing the information.

If one cares about the privacy aspect, then don't use an email that is tied back to you in any way, and certainly don't fill in your personal information.

Or, and this is much easier, use a web site that actually cares about its users' privacy?

If CoinBase is so needlessly sloppy then it's not hard to picture a Mt Goxish scenario in its future.

While I don't find Coinbase's response here reassuring, if you work with a business whose bizmodel is "people can send money to your email address" then it becomes essentially impossible to stop someone from verifying that your address exists.

2 things:

First, the vast majority of attackers are more "smash and grab" than "stealthy jewel theft." They really don't care about leaving tracks, they are going for volume. Want to phish people for coinbase creds? Email a mass of people. Have a list of usernames/passwords from a data breach? Attackers have automated tools that will automatically try them against thousands of websites. It's more expensive and time consuming for them to try and leverage minor info disclosures to narrow down their attack than to simply brute the crap out of everything. The economies of scale devalue the info disclosure.

Second, you are making an apples-to-oranges comparison. The boolean "Is/Is not a Coinbase user" provides a single data point, and is far less valuable than hundreds if not thousands of datapoints about who is communicating with whom, and for how long. The single piece of meta-datUM of Coinbase pales in comparison to the meta-datA of phone logs.

The second point is a bit of a straw-man. I never meant to imply that this Coinbase disclosure and the NSA metadata are proportional in terms of severity; just that they are structurally similar. The point is that small bits of information can become surprisingly big with the right analysis and effort.

That first point strikes me as irrelevant here. Smash and grab is what you do when your probability of success and/or your take size is small.

But if you know somebody has a lot of money, then the rational amount of effort to apply goes way up. That's why stealthy jewel thieves are stealthy.

Since the whole point of Coinbase is to contain money that, from other BTC sites, appears to be easily stolen and easily laundered, I think a set of known Coinbase accounts could well be worth the effort.

Do you publish that you have a Coinbase account? That's the issue. Now these people are valuable targets for spear phishing and other attacks on their e-mail accounts because it's known that they have hot access to at least some amount of Bitcoin. Without that information, an attacker is shooting blind.

So, this sort of leak or enumeration basically reduces the (though tenuous) degree of security afforded by one's privacy.


Some people certainly do: https://twitter.com/search?q=just%20bought%20coinbase&src=ty...

I agree it's not ideal, but if your security relied on a guessable email address staying private, you're already not in a good place.

Because "well someone else does it" has always been the best reason to behave a certain way...

No, and indeed I don't publish whether or not I have a coinbase account. But it isn't a serious security failure if that somehow got out.

Except for the non-zero possibility it could make the difference between you being murdered during a home invasion, or not.

Last time a politician was worried about non-zero probabilities, the U.S. invaded Iraq. I mean, if changing the probability someone's home gets broken into is our standard of practice nowadays there's a lot of companies which will have to close down today.

I reckon non-anonymous bitcoin holders are at greater risk than the average person with money in the bank, since draining the account of the former is a relative cinch once the keys are divulged. The whole crime could be completed within a few minutes.

That much may be true, but I'd consider that an inherent risk associated with using Bitcoin without using a pseudonym. Maybe I'm naïve but I have to assume people who care about such things are already tracking IP addresses directly from the Bitcoin network swarm itself for later investigation...

Likely Coinbase customers expected Coinbase to keep their real name secure from potential thieves. But they thought wrongly.


Bonus points: That screenshot also tells you I have an account with Patelco Credit Union.

You trust Patelco CU and Coinbase employees a lot... Watch out, it might backfire...

If an employee of either company steals from me, I'd expect them to be easily caught. If Coinbase decides to steal 1k from everyone then shut down, that would be crazy since the people behind Coinbase are very well known and in SF; I accepted that risk when I signed up. If someone inside Patelco decides to steal from me, that's a heavily regulated financial establishment - I don't think that person could get away with it or that Patelco wouldn't reimburse me.

If someone who is not an employee of either company manages to steal funds from me just based on that screenshot then there is some other security-issue somewhere else and it was bound to happen sooner or later.

Probably something like this[1], which I don't really see how you'd protect yourself against. Like getting hit by a car running a red-light.

1. http://www.wired.com/2012/08/apple-amazon-mat-honan-hacking

I wasn't saying they would steal from you. I was referring you trusting their competence to do their job right and not be social-engineered by some hacker into giving them access to your accounts. Thank you for the downvote.

The name is an optional field, so no one is being forced here. If you don't fill out your name, this oh-so-clever "hack" doesn't work.

Weev is doing 41 months in Federal prison for the exact same type of "public information".


Please discuss which attack vectors you are worried about for this user enumeration issue affecting a public website.

Here is the reporter finally resorting to full disclosure after having tried repeatedly to reach out to Coinbase without getting any response at all: http://blog.shubh.am/full-disclosure-coinbase-security/

This is not a "leak". All of these email addresses were already in the wild. The "attacker" simply tested if Coinbase accounts matched these emails.

Think about it. Email enumeration is possible if accounts are associated with an email address. Otherwise forgot-password forms would simply say successful even if someone typo'd their address (terrible UI) or the signup forms would allow multiple accounts with the same email address.

Actually, many forgot-password forms do not provide any information about whether the email was recognized or not. More than once I've seen a message along the lines of "If the email entered was associated with an account, a password reset has been sent.".

EDIT: On the other hand even if the response is always the same, I expect most implementations to be vulnerable to a timing attack ;)

How would they be vulnerable to a timing attack?

Sending an email takes more time than not sending an email.

I think I see your point; clever. The site could show the message and only then send the mail asynchronously. I guess that's why you said most implementations.

Queuing up an async message still takes time. As does reading a row from a database and materializing an object. So "most" is really probably nearly all unless they take explicit steps to make sure the same amount of work is performed in either case.

Yes, or sleep to elapse a time that's longer than needed to queue up the async message, say half a second, before returning the message to the browser.
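As an added example (not code from any commenter here, nor from Coinbase), the reset and signup flows laid out earlier in this thread, combined with the fixed minimum response time suggested just above: both branches do the same work, queue a mail rather than sending it inline, and pad the response to a floor. The account store, addresses and URLs are constructed placeholders.

```python
import queue
import secrets
import time
from dataclasses import dataclass

# Constructed in-memory account store standing in for a real user database.
# Addresses and names here are made up for this example.
ACCOUNTS = {"alice@example.com": {"name": "Alice Example"}}

# Pending tokens, keyed by token value. A real system would store a hash of
# the token plus an expiry; kept minimal here.
RESET_TOKENS: dict[str, str] = {}
SIGNUP_TOKENS: dict[str, str] = {}

# Every response takes at least this long, so "sent a mail" and "did not"
# cannot be told apart by the clock (the floor suggested in the thread).
MIN_RESPONSE_SECONDS = 0.5


@dataclass
class OutboundMail:
    to: str
    subject: str
    body: str


# Outbound mail is only queued; a separate worker would deliver it, so SMTP
# latency never reaches the HTTP response.
MAIL_QUEUE: "queue.Queue[OutboundMail]" = queue.Queue()


def _normalize(email: str) -> str:
    return email.strip().lower()


def _pad_to(start: float, minimum: float) -> None:
    """Sleep so that the caller has taken at least `minimum` seconds."""
    remaining = minimum - (time.monotonic() - start)
    if remaining > 0:
        time.sleep(remaining)


def request_password_reset(email: str, minimum: float = MIN_RESPONSE_SECONDS) -> str:
    """Reset flow: identical browser message; only the queued email differs."""
    start = time.monotonic()
    addr = _normalize(email)
    # Generate a token unconditionally so both branches do comparable work.
    token = secrets.token_urlsafe(32)
    if addr in ACCOUNTS:
        RESET_TOKENS[token] = addr
        mail = OutboundMail(addr, "Reset your password",
                            f"https://example.invalid/reset/{token}")
    else:
        # Unknown address: invite them to sign up, with an unsubscribe link so
        # the form cannot be used to spam someone with signup mail.
        mail = OutboundMail(addr, "Did you mean to sign up?",
                            "No account uses this address. Sign up at "
                            "https://example.invalid/signup or stop these mails "
                            "at https://example.invalid/unsubscribe")
    MAIL_QUEUE.put(mail)
    _pad_to(start, minimum)
    return "If that address is on file, we've sent you an email."


def request_signup(email: str, minimum: float = MIN_RESPONSE_SECONDS) -> str:
    """Signup flow: same message whether or not the address already exists."""
    start = time.monotonic()
    addr = _normalize(email)
    token = secrets.token_urlsafe(32)
    if addr in ACCOUNTS:
        mail = OutboundMail(addr, "You already have an account",
                            "Sign in or reset your password at "
                            "https://example.invalid/login")
    else:
        SIGNUP_TOKENS[token] = addr
        mail = OutboundMail(addr, "Verify your email",
                            f"https://example.invalid/verify/{token}")
    MAIL_QUEUE.put(mail)
    _pad_to(start, minimum)
    return "Check your email to continue."


def drain_mail() -> list:
    """Return and clear everything queued so far (what the worker would send)."""
    out = []
    while not MAIL_QUEUE.empty():
        out.append(MAIL_QUEUE.get_nowait())
    return out


def timed(fn, *args, **kwargs):
    """Call fn and return (result, elapsed_seconds) for checking the floor."""
    start = time.monotonic()
    result = fn(*args, **kwargs)
    return result, time.monotonic() - start


if __name__ == "__main__":
    for who in ("alice@example.com", "nobody@example.com"):
        msg, took = timed(request_password_reset, who)
        print(f"{who}: {msg!r} in {took:.2f}s")
    for m in drain_mail():
        print("queued:", m.to, "->", m.subject)
```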

While that could be true, this list also includes the names; which would not be possible from what you're describing.

If you put in an active email, it sends back the name through the API. Similar to the way that snapchat API bug sent back a username with a phone number as input.

This feels... weird. There was a problem with Coinbase months ago that was patched where some of this information could be found if someone was using Coinbase's merchant tools.

A list of emails and names feels a lot like trying to cause a panic to get people to dump Coinbase.

I contacted Coinbase and received this response:

Erik: Our engineers are aware of this development and concluded that the released information was not acquired through a security breach in our systems. Instead, the poster was already in possession of your email address and used our "Request Money" functionality to obtain the name given to our system on the Settings page of your account (https://coinbase.com/settings). Although this is an intended feature, we understand that some users may wish to not disclose information to third-parties that are able to obtain their email addresses. As such, we are working on improvements that will give users an option to hide their name from other users.

And this is why in addition to per site passwords, I also use per site email addresses.

I like to be able to track who spams me and in case of leaks I like the ability to disable an email address...

how do you keep track of all the emails?

and did you always do this or did you start at one point having to go back through a lot of old accounts to change emails and passwords?

I have a catch-all setup at my domain that forwards to my main account. I can then setup a filter to disable an address if it starts getting spammed or is compromised.

If you use gmail, you can use youremail+anything@gmail.com, and it will all get forwarded to youremail@gmail.com. This is incredibly handy for noticing who is sending you spam.

I'll also use it for sites that I know are going to send me spam, and then immediately create a filter that deletes emails sent to joe+annoyingsite@gmail.com (note: that's not my real email)

In general spammers deal with those things pretty quickly. They can just quickly add a regex to remove everything starting with the "+" and then you don't have any unique identifier any more.

That does nothing to increase the security of your accounts, since effectively the email address is the same.

It keeps phishing attacks from being able to cross services (since if you get a citibank email to your coinbase email that would be a big flag) and it reduces the attack surface on other sites.

I use email.site@domain.com for this purpose and it makes it handy to see who has somehow lost/disclosed my email to third parties and not informed me (FreshDirect for example)

> It keeps phishing attacks from being able to cross services (since if you get a citibank email to your coinbase email that would be a big flag) and it reduces the attack surface on other sites.

Or, more importantly, it lets you authenticate the sender in some way. Citibank has to send you email to you.citibankiscool1253stuffonlyIknow@example.net and it is unlikely for a spammer to guess that exact wording (without also trying hundreds of others, which would give it away by filling your inbox).

email.site@domain.com is at least a distinct email address, unlike using +. Especially if you use different passwords for each account, it means if one of the emails is compromised then the attacker can't use it to recover passwords of your other sites.

+ can be a distinct email address, just as . can be an alias. It really depends on how your email server is configured. Postfix makes it really easy to adjust what character you use.

I'm kind of surprised that this still works. I would guess that diligent spammers will soon catch on and start stripping anything that comes after the + sign.

That won't help here, your real Gmail address is exposed which lets everyone know that you have BTC on web wallets.

Actually it would help you here. In this case your real address isn't exposed unless someone guessed the exact version you used to sign up.

What do you mean? If joeblow+coinbase@gmail.com is in the leaked list you know that that joeblow@gmail.com is the "real" user and also is someone who has BTC.

There was no leak. The API allowed you to see whether a given email had an account associated, so someone churned through a big list of known email addresses to find accounts.

If you do a filter like this: All mail that arrives to john.s.m.i.t.h@gmail.com is important. Everything else is spam. Of course you might not get emails from people who send emails to john.smith@gmail.com nor johnsmith@gmail.com because the emails go to spam.

Does this actually prevent true spammers, or only emails you consider spam, but the sender thinks is worthwhile?

Otherwise, as a 'true' spammer, why wouldn't you just always strip off everything after the plus when adding the email to your distribution list?

Depends on how smart the spammer is, and how much they care. Most spammers a) are not very bright, and b) are in a volume business. Even the ones smart enough to do this may not think it worth the time to possibly improve a tiny percentage of harvested addresses. Especially since those of us who are dedicated enough to maintain tagged addresses are unlikely to respond positively to spam no matter what address we receive it on.

I use _, not "+" and anybody else might use "." or "-" depending on the configuration of their mail server. Sure, you can always add the full email and every possible stripped email to your lists, but in practice, few people seem to do that (judging by the amount of spam I get to me_randomstuff@example.net as compared to me@example.net).

I use "-" with an alias to "_". It turns out that when you give an email address to random people, they sometimes don't know the difference between "dash" or "hyphen" and an underscore.

I've found that when signing up for things, a lot of sites don't allow the "+" in the email. They'll throw an email validation error. But at one point this was a good technique; I just think many sites either don't allow it or can easily get around it.

You can always use a service such as spamgourmet to "protect" your main email and be able to disable email addresses at any time. All the emails you get from the disposable email addresses just go to your main email address. Also the email address each email goes through is repeated in the subject line, so it's easy to keep track of things. (you can also get a list of all your disposable email addresses from their website)

I track all the emails with 1password (same as for the passwords).

I started doing this four years ago but before that I had an email address that I reserved only for signing up for most websites (to prevent spam leaking into my personal email address).

My mail is hosted on servers running Postfix that I control, so this won't work for everybody.

In main.cf:

  virtual_alias_maps = hash:/etc/postfix/db/virtual_aliases
This file is in the same standard aliases(5) file format:

  zzz-foo@example.com          my@real-account.com
I started doing this when I moved all of my mail off of Google. It has the advantage (over you+foo@gmail.com) that it doesn't reveal my real mailbox. It does very quickly reveal who shares/sells my e-mail address, though. When that happens, it's simply a matter of deleting the alias from the file.

If you’re using Gmail you can use address aliases, like me+site@domain.com. Unfortunately some websites will not validate that type of email address.

I've used sneakemail for a number of years. With their paid account ($12/yr, I think), it lets you create emails on the fly with a specific pattern.

For example:


That gets forwarded to your actual email address, and you can see how it was tagged. If needed, you can whitelist/blacklist specific senders from specific tags as well.

Never heard of them before. Do they have any benefit over Spam Gourmet? (which I use occasionally, and is free)

I've never heard of Spam Gourmet. I've been using Sneakemail for the past 10-15 years. Since it's so cheap, and it's worked well enough, I just haven't bothered looking at anything else.

With any standards compliant email server you can use "+whatever" in the username and the email should get to you: username+whatever@example.com.

"+" is valid in the left-hand side portion and Postfix uses it (by default) as the separator to provide this feature but other mail systems (Qmail and, IIRC, Courier) use "-".

That functionality is not an RFC requirement, however.

I believe that totally depends on the mail server. If there is an actual standard for that, please do point me to it.
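The sub-addressing discussion above (plus-tags on Gmail, "-" or "_" tags on self-hosted mail, and the Postfix virtual_alias_maps approach) comes down to one question: given a leaked address, can the harvester recover the mailbox behind it? The following is an added example, not code posted in the thread; the sample addresses and alias file are constructed. It shows the harvester's view (strip every known tag separator and Gmail dots, keep all candidates) next to the defender's view (an alias table that maps an opaque alias back to the service it was given to), and a dedupe pass of the kind that found only 1151 unique entries in the 2041-line list.

```python
"""Sub-address tags vs opaque aliases: what a leaked address list reveals.

Added example, not code from the thread. All sample data is constructed.
"""
from collections import Counter

# Tag separators seen in the wild: "+" (Postfix default, Gmail), "-" (qmail,
# Courier), "_" (a custom setup like the one in the thread). A harvester does
# not know which one a target uses, so it tries all of them.
TAG_SEPARATORS = ("+", "-", "_")

# Providers that ignore dots in the local part.
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}


def split_address(address):
    """Return (local, domain), lowercased. Raises on malformed input."""
    local, at, domain = address.strip().lower().rpartition("@")
    if not at or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    return local, domain


def strip_tag(address, separator="+"):
    """Drop everything from the first `separator` in the local part.
    A leading separator is left alone so the local part never becomes empty."""
    local, domain = split_address(address)
    base = local.split(separator, 1)[0] or local
    return f"{base}@{domain}"


def canonical_gmail(address):
    """Remove dots from the local part for dot-insensitive providers only."""
    local, domain = split_address(address)
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.replace(".", "")
    return f"{local}@{domain}"


def candidate_mailboxes(address):
    """Harvester's view: every mailbox the address might really be.
    The address itself is always kept; a '-' or '_' may be part of the real
    local part, so those stripped forms are guesses that get added anyway
    (cheap for a volume business, as the thread notes)."""
    candidates = {canonical_gmail(address)}
    for sep in TAG_SEPARATORS:
        candidates.add(canonical_gmail(strip_tag(address, sep)))
    return candidates


def parse_virtual_aliases(text):
    """Parse Postfix virtual_alias_maps source lines ("alias  target") into a
    dict, skipping blank lines and '#' comments."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        alias, target = line.split(None, 1)
        table[alias.lower()] = target.strip().lower()
    return table


def attribute_leak(leaked_address, alias_table):
    """Defender's view: only the holder of the alias table can map an opaque
    alias to the real mailbox and to the service it was handed to.
    Returns (real_mailbox, alias) or None."""
    addr = leaked_address.strip().lower()
    if addr in alias_table:
        return alias_table[addr], addr
    return None


def unique_mailboxes(addresses, separator="+"):
    """Dedupe a leaked list, collapsing '+' tags and Gmail dots, which are
    unambiguous; '-' and '_' are not, so they are left alone here."""
    return Counter(canonical_gmail(strip_tag(a, separator)) for a in addresses)


# Constructed sample standing in for the leaked list (duplicates included,
# as in the real one).
LEAKED_SAMPLE = [
    "Joe.Blow+coinbase@gmail.com",
    "joeblow@gmail.com",
    "joeblow+inputs.io@gmail.com",
    "me_randomstuff@example.net",
    "zzz-foo@example.com",
    "zzz-foo@example.com",
]

# Constructed alias file in aliases(5) layout, like the one in the thread.
ALIAS_FILE = """
# service aliases -> real mailbox
zzz-foo@example.com          my@real-account.com
"""

if __name__ == "__main__":
    for a in LEAKED_SAMPLE:
        print(a, "->", sorted(candidate_mailboxes(a)))
    print(unique_mailboxes(LEAKED_SAMPLE))
    print(attribute_leak("zzz-foo@example.com", parse_virtual_aliases(ALIAS_FILE)))
```

The contrast is the point: `candidate_mailboxes` recovers `joeblow@gmail.com` from the plus-tagged form, so plus-addressing only mislabels the target, it does not hide it; for the opaque alias it yields `zzz@example.com` and `zzz-foo@example.com`, neither of which is the real mailbox, while `attribute_leak` tells the owner exactly which service leaked.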

Microsoft email (outlook.com) offers email aliases which are pretty good for this purpose.


Relatedly: DO NOT CHEAT ON YOUR TAXES. If you have any BTC profits and do not report them to the IRS this month, they are reasonably likely to catch you and make an example of you.

YOU ARE WRONG. The IRS is .1% in the business of audits and 99.9% in the business of scaring people about the possibility of an audit. Like you just did.

I'm being audited right now (over a $2,500 student loan interest deduction, of all things) and it's totally automated. It seems like they have an internal process that goes "Taxpayer claimed deduction, IRS doesn't have paperwork matching payment activity, ergo send letter asking taxpayer to pony up".

If Coinbase is going to report earnings to the IRS, it's a good idea to match what they report or you might trigger the algorithm.

What you are describing is not an audit. The automated system is a separate process. An audit involves an actual IRS agent manually reviewing your entire tax history for the given year.

At least at the state level (MA), the automated system is considered an audit. I recently received notice that an "audit" (their word) of my state tax return detected a discrepancy with my federal return. When I called, I was told that it was caught automatically.

So I think the manual and automatic processes are considered to be two forms of the broader term "audit".

The IRS does not work for the state of Massachusetts.

We know this. I was explaining to you what the word means by example.

Read this:


"An audit may be conducted by mail or through an in-person interview and review of the taxpayer's records."

"You will be provided with a written request for specific documents needed."

"An IRS audit is a review/examination of an organization's or individual's accounts and financial information to ensure information is being reported correctly, according to the tax laws, to verify the amount of tax reported is accurate."

Consequently by my interpretation (and actual experience over many years) your last sentence is not correct.

Could we just say that it's not what people usually think of when they say "IRS audit"? Getting a letter in the mail asking for some paperwork isn't really scary.

I'd imagine a letter in the mail asking for some paperwork is pretty terrifying if you have been cheating on your taxes. :)

I think it's actually something that will raise your anxiety level even if you are "pretty honest".

Also there are some borderline issues with taxes (and/or self employment or small corp) that can give you problems.[1] (One for example is deducting for a home office, another might be charitable deductions, another might be writing off some auto usage).

Think in terms of what happens when you see the flashing lights of a police officer in back of you. Even if you haven't been speeding you don't automatically think "no problem I didn't do anything wrong" you get anxious thinking there might have been some mistake that you have made.

[1] See the typical business owner isn't Zuck and doesn't have an army of knowledgeable advisers to handle all the details. You are essentially on your own with your accountant.

I should have phrased that better. You're right, it is a bit frightening. But not on the same level as what we would think of as a real audit (I imagine, haven't had one).

But they should be scared. Why? Because it could be the tip of the iceberg. If you are able to sufficiently answer the inquiry they are generally done with you. Otoh, depending on the inquiry, if you are not you then possibly open yourself up to further scrutiny in the current year or future years.

What you are describing is a compliance audit. The parent either is responding to an automated quasi-audit request (which have different rules) or a traditional correspondence audit, which occurs through phone/mail and is generally confined to specific areas of a return.

That would be 1 in 1,000 people. If a million people in the US have used bitcoin, then that would mean 1,000 of them are going to be audited. That's quite a lot of audits.

And sure, 1 in 1,000 is nice odds, but you're still breaking the law. And some people care about not breaking the law on principle.

Also, if you do something the government doesn't like, then they can retroactively investigate you and bring the full force of the law down on you for tax evasion, which carries harsh penalties.

I have no bitcoin, but I've been audited. Unless your intent is to avoid taxation and you don't mind the risk, you should definitely pay tax on any bitcoins you've mined.

The IRS is 100% in the business of noticing when your tax filing doesn't jibe with the numbers others reported to them about you. To have low risk of getting caught with unreported Bitcoin gains, you'd need to sell anonymously.

Keep in mind that they don't have to do this this year - they have 7 years to catch you evading tax in 2013.

Almost every email in this list is repeated twice. Only 1151 of the 2041 are unique.

The whole idea of Bitcoin was that you wouldn't use banks, but as we can see convenience trumps that.

Seeing a complaint about Coinbase every week makes me feel like they are a poorly managed company -- which is crucial if you're a company dealing with a lot of money.

Reputation is sacred for these kinds of companies and this stuff isn't helping. I was just about to sign up for them, I had their tab open in my browser, but I sincerely thought something like this would happen and that I would "be on a list." Tab's closed, now.

If this is the same "bug", the emails were not leaked. Someone already had an email list which enabled them to exploit an information leak to obtain names.

What's more ironic is that the gmail.com addresses comprise upwards of 80% of what's on this list. IRS -> FBI -> Google request. Does it make any difference if this is public or not? IRS has much easier ways of getting at your info than this.

> Coinbase provides your full transaction history to the FBI, FinCEN and IRS every day. They are under a gag order.

How is that legal/constitutional? It's one thing to monitor one "target's" transactions, but everyone's?

It's really hard for me to trust anything I read online on April Fools Day.

The easy way to see if anything is fake on April Fools Day is to determine if it follows Poe's law. Security breaches are always serious and never funny.

(Then again, r/games faked moderation corruption as their April Fool's joke. That did not go over well.)

So, users opt-in to providing their names to be used with Coinbase transactions, then are unhappy when said names are used?

Perhaps yesterday's "bug" reporter was unhappy at being dismissed (and he paid for Burp Suite, too!) so perhaps he decided to cause, in his words, "panic".

There's good reasons to dislike Coinbase but this isn't one of them. And of course the "full list" is bigger - the list just contains some previously-known emails and their associated, optional, Coinbase name.

I don't care if you are a bootstrap startup or a multi-million dollar VC-funded giant, I will sign up to your service with an email alias. This is the reason why.

It's easy to block the account if spammers get hold of it, nobody is able to double check if I use other services by comparing login emails, I know which service has leaked my email... bottom line, I am in control. I feel sorry for these Coinbase users.

Someone should market bitcoin to women. From a cursory review of that list of names, women don't seem to be signing up. Missing half the market...

Some members of the Bitcoin community have... some work to do in making women feel welcome. An illustrative blog post by a woman that went to a meetup:


“Well,” he says looking at me knowingly, “Women don’t usually think in terms of efficiency and effectiveness”.

ugh. that's so horrible.

Dogecoin is doing better on this score, although there's still a long way to go to hit 50:50

Women don't gamble as much as men do, so, good luck with that!

This doesn't seem like that big of an issue. Yes, Coinbase should protect against this, but it doesn't really cause a security threat of any kind (assuming you have a secure password). This is a list of people who have bitcoins, but if you have a secure password you should be fine; further, you can change your email.

Actually it's a big deal. If your local bank allowed mass look-ups like that you would be receiving phishing attempts that pretend to be that facility for the rest of your life.

And right now, an email is part of your security auth since it's email * password.

When email is known as a 'good user' that reduces that multiplication to just password.
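Two comments above describe the actual mechanism (an API call that reveals whether a given email has an account, churned over a pre-existing address list) and the consequence just stated (a confirmed email collapses email * password to just password). The following is an added example, not Coinbase's code; the handler names, response shapes and account store are hypothetical and constructed. It puts the enumeration oracle next to a hardened version that answers identically whether or not the address exists and caps probes per client, and includes the harvester loop that shows the difference.

```python
"""Account enumeration through a 'does this e-mail have an account?' call.

Added example, not Coinbase's code. Handler names, response shapes and the
account store are hypothetical; all data is constructed.
"""
import time
from collections import defaultdict

# Constructed account store (not real users).
ACCOUNTS = {
    "alice@example.com": "Alice Example",
    "bob@example.com": "Bob Example",
}

# Side-effect sink for the hardened handler, so the test can see that the
# existence check still drives the notification without shaping the reply.
OUTBOX = []


def lookup_leaky(email):
    """Vulnerable: status and body differ by existence and the reply echoes the
    account name. Fed a harvested address list, this is the oracle that turns
    'addresses somebody already had' into 'addresses with an account, plus names'."""
    email = email.strip().lower()
    if email in ACCOUNTS:
        return {"status": 200, "name": ACCOUNTS[email]}
    return {"status": 404, "error": "no such user"}


class RequestBudget:
    """Sliding-window counter per client key (API key, session or source IP).
    A 2,000-address list then costs 2,000 probes' worth of keys or time."""

    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window = window_seconds
        self._hits = defaultdict(list)

    def allow(self, key, now=None):
        now = time.monotonic() if now is None else now
        recent = [t for t in self._hits[key] if now - t < self.window]
        if len(recent) >= self.limit:
            self._hits[key] = recent
            return False
        recent.append(now)
        self._hits[key] = recent
        return True


DEFAULT_BUDGET = RequestBudget(limit=100, window_seconds=60)


def lookup_uniform(email, client_key="anonymous", budget=None, now=None):
    """Hardened: one status and one body regardless of existence. The existence
    check only decides whether a notification is queued; it is deferred (not
    sent inline) so the reply's timing does not depend on it either."""
    budget = DEFAULT_BUDGET if budget is None else budget
    if not budget.allow(client_key, now):
        return {"status": 429, "error": "too many requests"}
    email = email.strip().lower()
    if email in ACCOUNTS:
        OUTBOX.append(email)  # queued for an asynchronous mailer
    return {"status": 202,
            "message": "If an account exists for this address, it will be notified."}


def probe(lookup, addresses):
    """Harvester: feed a candidate list through the endpoint and keep whatever
    is distinguishable. Returns (confirmed addresses, number of distinct reply shapes)."""
    responses = [lookup(a) for a in addresses]
    shapes = {(r["status"], tuple(sorted(r))) for r in responses}
    confirmed = [a for a, r in zip(addresses, responses) if r["status"] == 200]
    return confirmed, len(shapes)


# Constructed candidate list, standing in for the harvested address list.
CANDIDATES = ["alice@example.com", "bob@example.com",
              "carol@example.com", "dave@example.com"]

if __name__ == "__main__":
    print("leaky:  ", probe(lookup_leaky, CANDIDATES))
    budget = RequestBudget(limit=100, window_seconds=60)
    print("uniform:", probe(lambda e: lookup_uniform(e, "harvester", budget), CANDIDATES))
```

The budget on its own does not fix the oracle (the harvester just spreads probes over more keys or more days), and the uniform reply on its own still leaks if the "exists" branch does visibly more work; the two belong together. Any feature that must show a counterparty's name (the opt-in display name the thread mentions) should do so only after the request is authenticated and tied to an actual transaction, not on a bare address lookup.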

I am curious why their contact form isn't posting over SSL http://support.coinbase.com/customer/portal/emails/new

While I want to contact support for help, I am hesitant to fully disclose my issue in their contact form.

Here you go: https://coinbase.desk.com/customer/portal/emails/new

support.coinbase.com is just an alias for their Desk account.

I may be missing something but your link is 301'ing to http://support.coinbase.com/customer/portal/emails/new so I really don't see how I can submit a contact form over SSL.

It is kind of a moot point because I have committed to moving my bitcoin out of coinbase.

Strange. No 301 here. http://i.imgur.com/2eWQ2kP.png

Odd - if I go to https://support.coinbase.com/customer/portal/emails/new I get an untrusted connection warning since the SSL certificate is for *.desk.com, not support.coinbase.com.

That's not odd. That's why I linked to https://coinbase.desk.com since he wanted SSL.
