I'm pissed. My email address is among those leaked. I got two transaction requests, the first for 732342.34425 BTC and the second for 999999.99999999 BTC. The second had registered a username of "⚠ URGENT: Сoinbase hacked. We" so that the email subject line read "⚠ URGENT: Сoinbase hacked. We sent you a payment request."
I got my coin out of Inputs.io just a few days before they got hacked, and I've got a low balance in Coinbase. I'm going to make that a zero balance, because I've completely lost faith in any company's ability to manage Bitcoin.
Hot/cold storage as coinbase is using is probably better than any encryption. Even an end of world bug means that they can only ever lose a small portion of all stored user funds. Manual processing of this means there is some sanity checking on large withdrawals too. Encryption affords you none of that, I would be happier with coinbase than storing on any other online wallet for this very reason.
Just invest in a raspberry pi as an offline cold storage bitcoin machine. They're not expensive, and armory (or electrum) work fine on it. Make a paper backup and keep it in a safety deposit box if you have a large amount of bitcoins.
Please don't make personally aggressive remarks like "Were you born yesterday?" on Hacker News. It only adds negativity, not information. That breaks our two most important principles: optimizing for signal/noise ratio, and being civil.
Coinbase isn't some random website made in a basement. It's a well funded, YC backed, known-founder company that complies with relevant banking law. There's absolutely nothing to suggest that they hold a partial reserve or have any ill intention whatsoever.
Proving reserves doesn't help at all. They can die at any time from massive loss. Proof of reserve reveals whether there's a problem; it doesn't prevent any problem from happening.
To use a metaphor, a failed proof of reserve is like detecting that someone who's riding a motorcycle without a helmet has been launched into the air due to a car crash, and is about to hit the ground. That doesn't change the fact that they're not wearing a helmet in the first place. And in bitcoin's case, no such "helmet" exists. There is no protection for consumers against losing their funds by the exchange.
There's always going to be this massive risk of the coins disappearing due to any number of reasons: that they get hacked, that the founder steals them, that they lose them to some massive technical problem, that they experience another undocumented bitcoin protocol issue like malleability, that they lose access to their cold storage wallets, etc.
This has happened at, what, a dozen exchanges so far? They've all died due to one of the above reasons. Who's next? It's completely possible that Coinbase is next, and that you're recommending users throw their money away by trusting them. There's no reason to trust Coinbase. Keep your funds in your own secure cold storage wallet, and you'll have them forever. Keep them in Coinbase and you'll have them exactly as long as Coinbase lasts.
YC-backed startup means a culture of 'move fast and break things' - works for facebook, but definitely not something I would want to store my bitcoin on, since 'break things' means 'losing all my money with no recourse'.
That doesn't really suggest malice so much as inattention. From their posts it sounds like they are stretched a little thin under the load; if they wanted to steal they would just be gone, not occasionally unresponsive.
Same. It seems like it can't happen until it happens, and then you face the reality that it happened. It sucks, and there's absolutely no protection for consumers from it. There's not even any insurance policy that exchanges can purchase yet, which is pretty much the only hope at this point.
I've spent a couple months trying to come up with ways to protect bitcoin consumers, and the only thing I can think of is for exchanges to purchase some kind of high-risk insurance which will cover losses by the exchange. Nothing else will protect users, as far as I can tell, precisely because of bitcoin's irreversible transactions.
Honestly, the best thing for the bitcoin ecosystem is to learn from Paypal and Visa, and to emulate their good qualities. I know it's popular to hate on the existing ways of doing things, but the existing ways have a lot of hidden wisdom embedded in them.
Well, you could create a certification program in which member exchanges agree to a set of financial standards between each other - e.g. they would automatically do charge backs on disputes within the system.
This could lower the transactional-risk cost between doing business with certified exchanges, and still allow users to do business outside but with the increased transactional costs.
But then again you're just building another financial exchange system controlled by the certificate issuer - except it would need to be backed by some form of international enforcement (e.g. WTO?).
Yes, of course. And since transactions are completely irreversible on Bitcoin the insurance rate would have to be higher than otherwise, as there's no collateral for the insurance company to claim when they do payout.
This is the first I've heard that any insurance company is willing to fully insure any bitcoin exchange, and it's wonderful news. Thank you so much for pointing it out! I'll look into it and see whether it's as good as it sounds.
To be clear, the attacker got your email from somewhere else and confirmed that it was on Coinbase. That's the "bug." It's like if you went to go make an account with a certain email on Facebook and found that it was taken. You would then know that the person with that email has an account on Facebook.
Regarding user names, they are optional and meant to be public.
I think the biggest problem here has been that Coinbase hasn't been responsive to messages sent to their whitehat@ address. That and the fact that users are being spammed by "researchers," which is a problem that falls back on them to mitigate.
They haven't been "hacked" though, and the only thing that has been "leaked" is public account names and account existence. The latter is almost impossible to avoid if you require unique emails for accounts (if I'm wrong about that please correct me).
That's just my naive two cents, so let me know where I'm missing the picture if that's the case! :)
But a quick read over your ToS defines bitcoins as having no value and not subject to law ("Bitcoins and Litecoins ("Coins") do not constitute a currency, an asset or a form of property at law or otherwise") and that you're not responsible if they mysteriously vanish ("Any purchase or sale of Coins, for money, virtual currency or other consideration, involves inherent risks and may lead to the complete loss of any value, virtual currency or other consideration, and you agree to wholly accept any and all such risk.")
Does anyone know where or if the full list can be found? I have a Coinbase account but I don't see my name on the abbreviated list.
I suspect that the person who made this Pastebin just ran a huge list of known leaked emails, or dictionary based emails through the minor information leakage vulnerability discussed yesterday (https://hackerone.com/reports/5200). I would be willing to bet that this brief list is actually all he got back, and he is just lying when he says "Full list much bigger."
Since the vulnerability was reliant on knowing the email first, and since my email used on Coinbase is not a known email that I publicize I doubt he would have been able to discover my Coinbase account, nor the Coinbase accounts of anyone else who uses a sufficiently random and unknown email address when signing up.
Hi, Ryan here - We've moved over to hackerone.com/coinbase, and emailed everyone at the whitehat@ address about the transition. We'll be getting in touch for the details and will get an autoresponder up on whitehat@. We don't view missed reports as a good thing; we'll do better and have already made improvements.
Apropos nothing else and without judging the actual report you're referring to: if you set up a "whitehat@yourdomain" or "security@yourdomain" alias, you need to be responsive. You can't ignore good-faith messages because you don't think they're valid. You have to act like all good-faith messages are urgent.
Those aliases are cheap insurance, but they aren't free: they'll cost you some tech support cycles.
Seriously, this. They are being nonchalant about this whole thing, but it may be damaging their most valuable asset - the community's trust in them. Just don't ignore repeated attempts to contact your whitehat address.
They're actually downright expensive addresses to maintain, and they don't cost tech support cycles, they cost security engineer time.
A basic tech support person might be able to fend off the dozens of word salad "security notifications" sent by ESL students, but as they get more complicated and no less often irrelevant, you need people who actually know how your infrastructure works.
On top of the technical hassle comes the customer experience hassle of keeping a bunch of wannabe hackers happy as they demand rewards and their name on your site for their idea of a CSRF vulnerability that happens to have no basis in reality.
The backlash against these aliases is perceptible, but remember that the worst-case scenarios we're talking about today, when those addresses aren't properly staffed, was the default case before they became a common feature of startups.
According to the original researcher, he mailed them and got no response, and got no response at all from several other attempts at contact.
I wouldn't be surprised one bit to find that the inbox for that address is full of spam and crackpots, but, like 'tptacek said, if you're going to have the list you had better dedicate resources to reading it.
Then how am I on the list with an email I only use at coinbase? With my full email and name, and I'm getting spammed non-stop by this "non-important" security flaw in your system... multiple times today and counting.
BofA and Wells Fargo suffer from account number enumeration.
Wells Fargo has 10-11 digit (depending on if it's WF or previously Wachovia) account numbers. One portion defines the bank branch where the account was opened, another portion defines the account type, and the last digit is a check digit. You can guess at an account number by attempting a deposit (in person or online).
There's also the fact that BofA and Wells Fargo have account numbers displayed in cleartext on pieces of paper that are handed to strangers.
I'm not arguing the merits of Coinbase's security, but traditional banks don't fare well either. Coinbase can improve. Traditional banks are limited by standards that they can't change.
Two months ago I was able to enumerate all accounts from a local bank (Paraguay), they used document number and numeric passwords for login. They were showing different error messages when you tried to login with a nonexistent ID.
So I started generating random numbers between common document number ranges (1000000-4000000).
Our public health system has a web app that lets you check your enrollment status by entering a document #, and there are no CAPTCHAs! So the attack was like this: generate a random document number, send a request to the public health app and get the target's info (name, date of enrollment and other info).
The most interesting thing was that I tried to login into all accounts by using the birth date of the target as a password (the bank's password policy: just numbers, a min. of 6 numbers...). Around 40% of the clients were vulnerable.
I have communicated the public health app problem (actually they just need to put a CAPTCHA) many times but it seems that nobody cares. About the bank, I was working as a data science consultant at that time, so it was easy for me to knock the door of the security department and tell them about my attack.
I remember a story here a few months ago about a person who had deposited tens of thousands of dollars with Coinbase, and they refused to give the customer his coins. That was a clear sign that the systems and processes at Coinbase were broken.
The fact that they didn't help the customer until they took their grievances public indicated to me that either Coinbase don't care about their customers, or they were too busy trying to balance their books because of some proprietary trading gone wrong.
Thus I think it was foolish of Coinbase to release the letter condemning MtGox. Now anything that happens to Coinbase makes them look like total hypocrites. People, glass houses, stones etc.
It's one thing for a magic card trading company to morph into a Bitcoin exchange and have problems... but for a hot-shot start-up in San Francisco with self-proclaimed tech superstars at the helm and millions in the bank to screw up royally, well, it's just embarrassing.
UPDATE: For anybody following Bitcoin news, this is obviously satire, replacing MtGox with CoinBase. Surprised people downvoted this.
There are rumors that a joint statement will be released at 5PM Pacific Time...
Joint Statement Regarding CoinBase
Apr 1st, 2014
The purpose of this document is to summarize a joint statement to the Bitcoin community regarding CoinBase.
This tragic violation of the trust of users of CoinBase was the result of one company’s actions and does not reflect the resilience or value of bitcoin and the digital currency industry. There are hundreds of trustworthy and responsible companies involved in bitcoin. These companies will continue to build the future of money by making bitcoin more secure and easy to use for consumers and merchants. As with any new industry, there are certain bad actors that need to be weeded out, and that is what we are seeing today. CoinBase has confirmed its issues in private discussions with other members of the bitcoin community.
We are confident, however, that strong Bitcoin companies, led by highly competent teams and backed by credible investors, will continue to thrive, and to fulfill the promise that bitcoin offers as the future of payment in the Internet age.
In order to re-establish the trust squandered by the failings of CoinBase, responsible bitcoin exchanges are working together and are committed to the future of bitcoin and the security of all customer funds. As part of the effort to re-assure customers, the following services will be coordinating efforts over the coming days to publicly reassure customers and the general public that all funds continue to be held in a safe and secure manner: Kraken, BitStamp, Circle, and BTC China.
We strongly believe in transparent, thoughtful, and comprehensive consumer protection measures. We pledge to lead the way.
Bitcoin operators, whether they be exchanges, wallet services or payment providers, play a critical custodial role over the bitcoin they hold as assets for their customers. Acting as a custodian should require a high bar, including appropriate security safeguards that are independently audited and tested on a regular basis, adequate balance sheets and reserves as commercial entities, transparent and accountable customer disclosures, and clear policies to not use customer assets for proprietary trading or for margin loans in leveraged trading.
The following industry leaders stand by this statement:
Jesse Powell — CEO of Kraken
Nejc Kodrič — CEO of Bitstamp.net
Bobby Lee — CEO of BTC China
Nicolas Cary — CEO of Blockchain.info
Jeremy Allaire — CEO of Circle
p.s. Yes, this is the MtGox letter... who will be the last man standing? :-)
The possibility of this being misinterpreted as valid is rather high. I think your point could have been made well with a single explaining sentence up front and without the name substitution in the actual content.
These guys stuck the knife into MtGox... when they themselves are no better.
Check the forums over at BitcoinTalk: for months now, people using Kraken have been unable to withdraw their money, and deposits have been going 'missing'. The fact that support is conducted over a public forum, out of sheer desperation on the customer's part, tells you something.
If CoinBase did go down, would you bet against the other providers crafting a public relations message to drum up business for themselves? It's dog eat dog out there - the idea that there is a community of Bitcoin businesses looking out for each other is a joke.
What does that have to do with what I said? I think the manner in which you made your point has too high a chance of being misinterpreted to be acceptable here, which is probably why it was being downvoted.
Oh, I could care less about the company, but I do care about the integrity of HN as a whole. That doesn't mean I don't like the occasional joke on here either, but since that story seemed a bit light on details and people were looking for information, posting satire that looks very much like valid information can be unintentionally misleading.
Since Coinbase is a financial-esque firm that deals with and stores people's money/BTC, it is not at all alright for this to be treated as public information, even if someone already had the email address.
I know CB is not a financial company and they are not obligated to provide the same protections to consumers/customers.
Phishing is not the only reason why a customer would not like their bank to confirm that they have an account.
As a matter of fact in this situation, when someone sends a fund request, CB should never let the requesting party know the name of the account holder, unless the account holder explicitly gives them permission, maybe not even then.
With any other organization law enforcement would require a warrant to get basic confirmation if a customer has an account and the name on the account.
I work on dating sites, some of them a bit risqué.
On the password reset form, there's a big difference between saying "That email does not exist in our system"/"Emailed password reset instructions" vs "If that account is registered, we will email you instructions".
For the case of people attempting to sign up a second time with the same email address, don't change anything shown from the webpage. Instead of sending a verification email, send an email informing them that someone is trying to sign up again with the same email address, and include an expiring password reset link in that email. If you see too many users forgetting that they've already signed up, and getting frustrated by filling out too much data in forms before finding out they've already signed up, then consider moving the email verification step earlier in the signup process.
So you'll allow a user to go all the way through the process of registration, create a new password, get temporary access to your site... and then what... not save that password? So a re-login attempt won't work?
I can't see how you can avoid making the experience for the duplicate user exactly the same as a new user.
> I can't see how you can avoid making the experience for the duplicate user exactly the same as a new user.
The workflow diverges at the email verification step, before you grant any access to the site. Existing users get an email informing them that someone has tried to sign up a second time using their email address while new users get the standard email verification email.
I highly recommend not allowing account creation before email address verification. I have a difficult to spell last name, so I have one email address that contains my initials and a common word instead of my last name. You'd be surprised the number of people who don't know their own email address and the number of sites that allow people to sign up (and apparently transact significantly) without verifying email addresses. Off the top of my head, if I wanted to, I could steal one person's tax accounting account (I got confirmation that they filed their state taxes this year, and later confirmation their state accepted their filing), another person's car rental account, and a third person's business's trash service account. From time to time the one person tries to reset their car rental account password. I imagine I could reset the passwords for all of these accounts (and others) and get the last 4 digits of their credit card numbers and other personal information and use that as a starting point for gaining access to other accounts they own. In the case of the tax account, I could probably re-download the tax paperwork and get their SSN. Neither the tax accounting company nor the car rental agency replied when I informed them that accounts were set up with the wrong email addresses. (I also get business quotes from time to time. Hopefully some day I'll get email from a business or person who knows the person who keeps trying to reset their car rental account.)
If you have enough users who forget they already have an account and your signup process makes them get too far before verifying their email address, consider moving email verification earlier in your workflow.
Applying it over the Internet is quite feasible, especially with simple code. If it connects to a remote SMTP server, the delay may very well be noticeable enough without doing any complicated timing. It might be just about as easy as scraping the page for "user not found" versus "email sent".
I assume that was the original point - that on risque dating sites, the recover password system tries to hide membership.
It gives the full name associated with an email address. A more dramatic but analogous situation would be if an attacker were able to attain password info or credit card info associated with an email address.
Just because email address is known does not imply that other personal information should be given away.
If someone has your email address it is impossible for coinbase or any service to stop that person from checking if you have an account. All they have to do is try registering a new account with your address and see if it lets them (as most services don't allow multiple accounts to use the same email address).
It doesn't need to be impossible. The problem could be designed away: on form submission send an email saying 'looks like you already have an account' or 'welcome... next steps' and just show a 'check your email' message in the browser.
If you want a service that allows the sender to verify name before sending, make it a feature that both:
(1) is opt-in on the recipient's side and fails with something like "that recipient email address doesn't have an account, the name doesn't match, or they haven't decided to allow name verification"
(2) is only available on payments above your highest guess at the expected value of matching an account-email-name triple for spearphishing, and the error messages (and timings) are identical if the name doesn't match or the given email address doesn't have an account.
I imagine there are few profitable attacks where an answer "yes, email_address with name has a Coinbase account" costs a minimum of 100 USD to an attacker and getting an answer "Either email_address doesn't have an account, that name doesn't match our records, or they've chosen not to share their name" costs 0 USD. However, I'd have to think a bit more about that 100 USD minimum.
That sounds innocuous. But it's easy for, say, mobile badware to harvest contact lists. By targeting non-anonymous bitcoin holders as a "seed" list and using exposed contact lists like LinkedIn contacts, you can ratchet your way up into disclosing a lot of people who would prefer not to be known, lest they become phishing targets.
Doesn't seem innocuous. Maybe coinbase ought to be making pseudonymity more easily accessible.
For what it's worth, I have a coinbase account linked to a gmail address in the form firstname.lastname, where both are common names. I'd expect it to be in a dictionary based list, and it's not on the pastebin.
At this point I would not trust Coinbase, their engineering department shows that they have very little clue when it comes to building a secure infrastructure.
Not only are they not rate limiting and leaking names, their implementations are simply laughable.
With a proper design, customers should have been allowed to either enable/disable that end-point when somebody is searching for their email, or there should have been an option to have a 'whitelist' of users that are able to look up that information and make a transaction request.
On top of that, they should have been able to detect a pattern such as this attack and pro-actively block it.
This would pass for a to-do app API but Coinbase? Wow.
I haven't really lost my trust in Coinbase due to this issue but I do find it annoying the way they are handling it so far.
Almost any site that has a password reset can be used to verify whether an email account exists in that system - depending if the system tells you "no user with that username exists" or not. Coinbase is in no way unique with the amount of info they expose, which is the point they were trying to make on their "official" response.
I would have liked to see them announce that the API does have some sort of throttle and maybe they are going to think of ways to enable an option for this behavior or something - basically anything except to just dismiss it. Because even though I personally agree with them as far as the level of vulnerability - a lot of people don't and Coinbase doesn't seem to understand this perception problem.
It is certainly possible to allow for password resets and account creation as well without revealing whether an account exists.
1. User enters email in password reset form.
2. Website shows the same message whether the password was reset or not.
3. Email is what differs. If the account exists, send a password reset link. If it does not, send an email asking them if they want to create an account (and offer an unsubscribe link so people can't spam signup emails).
1. User enters email in signup form.
2. Website states it is sending an email to verify the account.
3. If it already exists, send a message saying they already have an account. If not, send the normal email verification link and then they can complete filling in their account details.
This prevents someone without access to the email from finding out that the account exists, and also keeps the owner of the email filled in if they just forgot which email they used for the account or that they already had an account.
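The reset and signup workflow just described (and the dating-site variant a few comments up), as an added example that is not code from any commenter or from Coinbase: the leaky handler is shown beside the hardened one, the user store, URLs and mail queue are constructed, and outgoing mail is queued rather than sent inline so the browser response time does not depend on an SMTP round-trip.

```python
# Added example (not from any commenter or from Coinbase): an enumeration-resistant
# password reset and signup flow. Account data, URLs and the mail queue are constructed.
import secrets
import time
from dataclasses import dataclass, field

# Constructed user store: the hardened handlers must look identical in the browser
# whether or not an address is in here.
ACCOUNTS = {"alice@example.com": {"name": "Alice Example"}}

TOKEN_TTL_SECONDS = 15 * 60
BASE_URL = "https://example.invalid"   # placeholder, not a real endpoint


@dataclass
class MailQueue:
    """Outgoing mail is queued for a background worker, never sent inline, so the
    HTTP response latency does not reveal whether an email was actually sent."""
    queued: list = field(default_factory=list)

    def enqueue(self, to: str, subject: str, body: str) -> None:
        self.queued.append({"to": to, "subject": subject, "body": body})


def _issue_token(tokens: dict, email: str, purpose: str) -> str:
    """Single-use, expiring token bound to one address and one purpose."""
    token = secrets.token_urlsafe(32)
    tokens[token] = {"email": email, "purpose": purpose,
                     "expires": time.time() + TOKEN_TTL_SECONDS}
    return token


# --- Leaky variant: the browser message itself answers "is this a customer?" ---
def leaky_reset(email: str, mail: MailQueue, tokens: dict) -> str:
    if email not in ACCOUNTS:
        return "No user with that email exists"          # oracle: not a customer
    token = _issue_token(tokens, email, "reset")
    mail.enqueue(email, "Password reset", f"{BASE_URL}/reset?t={token}")
    return "Emailed password reset instructions"         # oracle: is a customer


# --- Hardened variants: one fixed browser message; only the email differs ---
RESET_RESPONSE = "If that address is registered, we've emailed instructions."
SIGNUP_RESPONSE = "Check your email to continue."


def hardened_reset(email: str, mail: MailQueue, tokens: dict) -> str:
    if email in ACCOUNTS:
        token = _issue_token(tokens, email, "reset")
        mail.enqueue(email, "Password reset",
                     f"Reset your password: {BASE_URL}/reset?t={token}")
    else:
        # Only the mailbox owner learns that nothing exists; the unsubscribe link
        # keeps the form from being used to spam an address.
        mail.enqueue(email, "No account for this address",
                     f"Want to create one? {BASE_URL}/signup  "
                     f"Stop these emails: {BASE_URL}/unsubscribe")
    return RESET_RESPONSE


def hardened_signup(email: str, mail: MailQueue, tokens: dict) -> str:
    if email in ACCOUNTS:
        # Existing user: no second account, but the owner learns someone tried and
        # gets a reset link in case they simply forgot they had signed up.
        token = _issue_token(tokens, email, "reset")
        mail.enqueue(email, "You already have an account",
                     f"Someone tried to sign up with your address. "
                     f"Forgot your password? {BASE_URL}/reset?t={token}")
    else:
        # New user: verification must succeed before any account row exists.
        token = _issue_token(tokens, email, "verify")
        mail.enqueue(email, "Verify your email",
                     f"Finish signing up: {BASE_URL}/verify?t={token}")
    return SIGNUP_RESPONSE


def complete_signup(token: str, tokens: dict, name: str) -> bool:
    """Create the account only from a valid, unexpired, single-use 'verify' token."""
    rec = tokens.pop(token, None)
    if rec is None or rec["purpose"] != "verify" or rec["expires"] < time.time():
        return False
    ACCOUNTS[rec["email"]] = {"name": name}
    return True


def is_oracle(handler, mail: MailQueue, tokens: dict) -> bool:
    """True if the browser-visible reply differs for a known vs. an unknown address."""
    known = handler("alice@example.com", mail, tokens)
    unknown = handler("nobody@example.com", mail, tokens)
    return known != unknown


if __name__ == "__main__":
    q, t = MailQueue(), {}
    print("leaky reset is an oracle:", is_oracle(leaky_reset, q, t))
    print("hardened reset is an oracle:", is_oracle(hardened_reset, q, t))
    print("hardened signup is an oracle:", is_oracle(hardened_signup, q, t))
```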
I agree 100% this is the right way to do it. And it's really not any more difficult to implement.
The problem is the convenience tradeoff. Take a site that has an instant green/red indicator that a username is already taken. People love the instant feedback, but it creates an attack vector. If you had to wait around for an email to see if you had already signed up - I bet a "Show HN" would have people here telling you that your site was user hostile! Even though it is unquestionably more secure.
I do think what Coinbase is doing now is not out of line with standard practices. But for a financial site they might be wise to start erring in the direction of security at the expense of a little convenience.
Yes, this is the right workflow, but you'll be surprised how very few services implement this properly! Another thing that most services don't implement is providing geolocation and other pieces of info in password reset emails and the ability to report that you didn't request that with some basic flagging (even as simple as flagging that session), which would prevent that guy from repeatedly resetting it. The ability to add login email notification is also priceless.
I see your point, but keep in mind that Coinbase deals with money.
I don't think many banks (if any) will let you do a password reset based on your email address, they would use your credit card/account number as identifier of some sort not tied in to their authentication system or system that can be hacked (ie: email).
Them comparing a financial service API that deals with money to Google+ or Facebook should tell you as much.
I assume someone took a huge list of emails and ran them through the Coinbase API as described in https://hackerone.com/reports/5200 and retrieved their full names, and is now scaremongering. I do not think they are enumerating users from the coinbase database, but who knows.
You're right. As a Coinbase customer, neither my name nor my Coinbase-only email address was in this list.
What you describe is exactly the exploit that was disclosed and exactly what the person exploiting it seems to have done based on the content of the list. Of course, Coinbase argues that this is a feature and not a bug.
It could also be that you are reading too much into it.
>"Here is a partial list of Coinbase user emails and their full names. Full list much bigger."
Where does it say in that sentence that the OP has access to the "full list"? It doesn't say that. It implies it, which you picked right up on. But he doesn't explicitly say, "Here is a partial list of the full list in my possession".
This is highly likely to be true, and even if it's not, everyone should operate as if it's true. With the meteoric rise in price appreciation, I can't imagine the IRS at some point not requiring that the largest companies directly report users' income or capital gains to them. So don't be tempted to under-report your bitcoin gains. Similarly, the FBI and other money regulators have clearly shown their strong interest in stopping illegal activities conducted with Bitcoin, so I can't imagine them not receiving information from the largest companies and exchanges.
The allegation of a gag order is a bit odd, however. This should all be fairly obvious, so I'm not sure why anyone would want to keep it secret. Counting on the hubris and naivety of criminals, I guess?
What form would the IRS require it to be filed as? I don't know of any industry/company that is required to file a monthly/daily 1099 for customers. Even the banks are only required to file that stuff yearly via a Schedule D.
Oops, you are right, I totally read that too fast and didn't catch the allegation of "full" transaction history being provided "daily" for all users. That seems like way more detail than the IRS or FinCEN needs...even the FBI is likely more targeted than that.
Also, I should note I am no expert on this topic, I just think people would be very foolish to cheat on their taxes or commit financial crimes via Coinbase or any very large exchange. One should assume government prosecutors or tax collectors can and do access it just as easily as with the regular banking infrastructure (to whatever extent that is), even if they don't actually do so yet.
Yes. I read something about a library that had a sign up, "No government agents have been here." They would take down the sign during an investigation. Anyone who knew the sign -was- there knew an investigation was underway. No gag order was broken. There is a name for this type of flag, but I don't know it offhand.
It also discloses whether someone is a customer or not. Possibly en masse. Problems:
1) Aids phishing attacks against Coinbase and customers
2) Oftentimes harmless tidbits of information can be combined to form non-harmless information. In this case, disclosing email, name, and the fact of being a Coinbase customer, or not, seems minor on its own. However, combine it with some other dataset (let's say emails/passwords taken from an unrelated site), and now it would be easier to break into accounts without setting off warning bells, since you already know who is a user or not.
Dismissing the information disclosure strikes me as akin to the "it's only harmless metadata" argument of the NSA. As we have already seen in many reports, "metadata" can be surprisingly powerful.
I would argue that using a personal email and filling in your full name on coinbase, who CLEARLY state you have no expectation of privacy in this regard, is effectively the same as publicizing the information.
If one cares about the privacy aspect, then don't use an email that is tied back to you in any way, and certainly don't fill in your personal information.
While I don't find Coinbase's response here reassuring, if you work with a business whose bizmodel is "people can send money to your email address" then it becomes essentially impossible to stop someone from verifying that your address exists.
First, the vast majority of attackers are more "smash and grab" than "stealthy jewel theft." They really don't care about leaving tracks, they are going for volume. Want to phish people for coinbase creds? Email a mass of people. Have a list of usernames/passwords from a data breach? Attackers have automated tools that will automatically try them against thousands of websites. It's more expensive and time consuming for them to try and leverage minor info disclosures to narrow down their attack than to simply brute the crap out of everything. The economies of scale devalue the info disclosure.
Second, you are making an apples-to-oranges comparison. The boolean "Is/Is not a Coinbase user" provides a single data point, and is far less valuable than hundreds if not thousands of datapoints about who is communicating with whom, and for how long. The single piece of meta-datUM of Coinbase pales in comparison to the meta-datA of phone logs.
The second point is a bit of a straw-man. I never meant to imply that this Coinbase disclosure and the NSA metadata are proportional in terms of severity; just that they are structurally similar. The point is that small bits of information can become surprisingly big with the right analysis and effort.
That first point strikes me as irrelevant here. Smash and grab is what you do when your probability of success and/or your take size is small.
But if you know somebody has a lot of money, then the rational amount of effort to apply goes way up. That's why stealthy jewel thieves are stealthy.
Since the whole point of Coinbase is to contain money that, from other BTC sites, appears to be easily stolen and easily laundered, I think a set of known Coinbase accounts could well be worth the effort.
Do you publish that you have a Coinbase account? That's the issue. Now these people are valuable targets for spear phishing and other attacks on their e-mail accounts because it's known that they have hot access to at least some amount of Bitcoin. Without that information, an attacker is shooting blind.
So, this sort of leak or enumeration basically reduces the (though tenuous) degree of security afforded by one's privacy.
Last time a politician was worried about non-zero probabilities, the U.S. invaded Iraq. I mean, if changing the probability someone's home gets broken into is our standard of practice nowadays there's a lot of companies which will have to close down today.
I reckon non-anonymous bitcoin holders are at greater risk than the average person with money in the bank, since draining the account of the former is a relative cinch once the keys are divulged. The whole crime could be completed within a few minutes.
That much may be true, but I'd consider that an inherent risk associated with using Bitcoin without using a pseudonym. Maybe I'm naïve but I have to assume people who care about such things are already tracking IP addresses directly from the Bitcoin network swarm itself for later investigation...
If an employee of either company steals from me, I'd expect them to be easily caught. If Coinbase decides to steal 1k from everyone then shut down, that would be crazy since the people behind Coinbase are very well known and in SF; I accepted that risk when I signed up. If someone inside Patelco decides to steal from me, that's a heavily regulated financial establishment - I don't think that person could get away with it or that Patelco wouldn't reimburse me.
If someone who is not an employee of either company manages to steal funds from me just based on that screenshot then there is some other security-issue somewhere else and it was bound to happen sooner or later.
Probably something like this, which I don't really see how you'd protect yourself against. Like getting hit by a car running a red-light.
I wasn't saying they would steal from you. I was referring to you trusting their competence to do their job right and not be social-engineered by some hacker into giving them access to your accounts.
Thank you for the downvote.
You can find people's G+ profile if you guess the email correctly. I wouldn't be surprised if LinkedIn, Facebook, etc. had the same type of thing. I do think that coinbase-API should be rate-limited or unreplayable, but I'm _much more_ interested in where the email-list input data came from. My email wasn't in this alleged partial list, but if it was I'd like to know where they got my email from to begin with because the source of that email-list is the real problem IMHO.
I will say this though: Coinbase, please make sure there is absolutely no api call that returns banking/CC info!
Do it enough, and you get a CAPTCHA, do it more, and you get banned by IP. I would assume that the limits are set to a point that it's very difficult to enumerate the database in any reasonable timespan.
In a not-yet-authenticated state your code should do everything it can not to tell a potential hacker something they do not already know. Being able to check if an account exists and being able to read off the full name associated with it are not the worst problems in the world (though knowing the full name could make phishing attacks slightly less unconvincing) but if you take the attitude of never telling an attacker anything no matter how innocuous you think the information is then you are less likely to accidentally let something sensitive slip due to a bug.
SMTP's the API for checking if an address exists at any mail provider. Start sending a mail, if the server doesn't tell you there's no such mailbox right then, you can abandon the connection without sending a message through. No CAPTCHAs there either.
Many mail servers delay account checking for that very reason.
They take in all mail - instead of telling the sending MTA that the account doesn't exist the message is accepted and sent to /dev/null. A bounce message may be generated but the automated MTA won't see that as the message will be carrying invalid mail sender information.
Many mail relays, especially spam appliances like Barracuda, will always give a 250 OK to the email address provided to prevent exactly this trick. They then toss as spam or bounce once they get the message.
This is not a "leak". All of these email addresses were already in the wild. The "attacker" simply tested if Coinbase accounts matched these emails.
Think about it. Email enumeration is possible if accounts are associated with an email address. Otherwise forgot password forms would simply say successful even if someone typo'd their address (terrible UI) or the signup forms would allow multiple accounts with the same email address.
Actually, many forgot password forms do not provide any information about whether the email was recognized or not. More than once I've seen a message along the lines of "If the email entered was associated with an account, a password reset has been sent.".
EDIT: On the other hand even if the response is always the same, I expect most implementations to be vulnerable to a timing attack ;)
Queuing up an async message still takes time. As does reading a row from a database and materializing an object. So "most" is really probably nearly all unless they take explicit steps to make sure the same amount of work is performed in either case.
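The uniform-response and timing points in the comments above, as an added example that is not code from the thread or from Coinbase: a leaky forgot-password handler beside one that returns the same message and performs the same hashing and queue work whether or not the address is registered. The user store, salt and queue are constructed stand-ins.

```python
"""Added example (not from the thread): a forgot-password handler whose response
and amount of work do not depend on whether the address is registered."""
import hashlib
import secrets
from dataclasses import dataclass

# Constructed sample data: one registered address and a placeholder record that
# stands in for "no such account" so the unknown path does identical work.
USERS = {"alice@example.org": {"id": 1}}
DECOY = {"id": 0}
GENERIC = ("If the email entered was associated with an account, "
           "a password reset has been sent.")
MAIL_QUEUE = []  # stand-in for a real job queue


@dataclass
class Outcome:
    message: str   # what the HTTP response says
    work: int      # count of expensive steps performed (exposed for checking)


def derive_token_hash(token: str) -> bytes:
    # Hash the reset token before storing it; this is the slow step that a
    # timing attacker could measure if it only ran for known accounts.
    return hashlib.pbkdf2_hmac("sha256", token.encode(), b"constructed-salt", 100_000)


def naive_reset(email: str) -> Outcome:
    """Leaky version: different wording and an early return for unknown addresses."""
    user = USERS.get(email)
    if user is None:
        return Outcome("No account with that email address.", work=0)
    token = secrets.token_urlsafe(32)
    derive_token_hash(token)
    MAIL_QUEUE.append({"user_id": user["id"], "token": token})
    return Outcome("A password reset has been sent.", work=1)


def hardened_reset(email: str) -> Outcome:
    """Same message, same hashing cost and same queue write on both paths.
    The queued job, not the request handler, decides whether mail goes out."""
    user = USERS.get(email, DECOY)
    token = secrets.token_urlsafe(32)
    derive_token_hash(token)
    MAIL_QUEUE.append({"user_id": user["id"], "token": token,
                       "deliver": user is not DECOY})
    return Outcome(GENERIC, work=1)
```

Rate limiting and CAPTCHAs on the endpoint still matter, but they do not remove the distinguisher that the handler itself leaks.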
Erik: Our engineers are aware of this development and concluded that the released information was not acquired through a security breach in our systems. Instead, the poster was already in possession of your email address and used our "Request Money" functionality to obtain the name given to our system on the Settings page of your account (https://coinbase.com/settings). Although this is an intended feature, we understand that some users may wish to not disclose information to third-parties that are able to obtain their email addresses. As such, we are working on improvements that will give users an option to hide their name from other users.
> It keeps phishing attacks from being able to cross services (since if you get a citibank email to your coinbase email that would be a big flag) and it reduces the attack surface on other sites.
Or, more importantly, it lets you authenticate the sender in some way. Citibank has to send you email to you.citibankiscool1253stuffonlyIknow@example.net and it is unlikely for a spammer to guess that exact wording (without also trying hundreds of others, which would give it away by filling your inbox).
firstname.lastname@example.org is at least a distinct email address, unlike using +. Especially if you use different passwords for each account, it means if one of the emails is compromised then the attacker can't use it to recover passwords of your other sites.
If you do a filter like this: All mail that arrives to email@example.com is important. Everything else is spam. Of course you might not get emails from people who send emails to firstname.lastname@example.org nor email@example.com because the emails go to spam.
Depends on how smart the spammer is, and how much they care. Most spammers a) are not very bright, and b) are in a volume business. Even the ones smart enough to do this may not think it worth the time to possibly improve a tiny percentage of harvested addresses. Especially since those of us who are dedicated enough to maintain tagged addresses are unlikely to respond positively to spam no matter what address we receive it on.
I use _, not "+" and anybody else might use "." or "-" depending on the configuration of their mail server. Sure, you can always add the full email and every possible stripped email to your lists, but in practice, few people seem to do that (judging by the amount of spam I get to firstname.lastname@example.org as compared to email@example.com).
I've found that when signing up for things, a lot of sites don't allow the "+" in the email. They'll throw an email validation error. But at one point this was a good technique, I just think many sites either don't allow it or can easily get around it
You can always use a service such as spamgourmet to "protect" your main email and be able to disable email addresses at any time. All the emails you get from the disposable email addresses just go to your main email address. Also the email address each email goes through is repeated in the subject line, so it's easy to keep track of things. (you can also get a list of all your disposable email addresses from their website)
This file is in the same standard aliases(5) file format:
I started doing this when I moved all of my mail off of Google. It has the advantage (over firstname.lastname@example.org) that it doesn't reveal my real mailbox. It does very quickly reveal who shares/sells my e-mail address, though. When that happens, it's simply a matter of deleting the alias from the file.
I'm being audited right now (over a $2,500 student loan interest deduction, of all things) and it's totally automated. It seems like they have an internal process that goes "Taxpayer claimed deduction, IRS doesn't have paperwork matching payment activity, ergo send letter asking taxpayer to pony up".
If Coinbase is going to report earnings to the IRS, it's a good idea to match what they report or you might trigger the algorithm.
At least at the state level (MA), the automated system is considered an audit. I recently received notice that an "audit" (their word) of my state tax return detected a discrepancy with my federal return. When I called, I was told that it was caught automatically.
So I think the manual and automatic processes are considered to be two forms of the broader term "audit".
What you are describing is a compliance audit. The parent either is responding to an automated quasi-audit request (which have different rules) or a traditional correspondence audit, which occurs through phone/mail and is generally confined to specific areas of a return.
"An audit may be conducted by mail or through an in-person interview and review of the taxpayer's records."
"You will be provided with a written request for specific documents needed."
"An IRS audit is a review/examination of an organization's or individual's accounts and financial information to ensure information is being reported correctly, according to the tax laws, to verify the amount of tax reported is accurate."
Consequently by my interpretation (and actual experience over many years) your last sentence is not correct.
I think it's actually something that will raise your anxiety level even if you are "pretty honest".
Also there are some borderline issues with taxes (and/or self employment or small corp) that can give you problems. (One for example is deducting for a home office, another might be charitable deductions, another might be writing off some auto usage).
Think in terms of what happens when you see the flashing lights of a police officer in back of you. Even if you haven't been speeding you don't automatically think "no problem I didn't do anything wrong" you get anxious thinking there might have been some mistake that you have made.
See the typical business owner isn't Zuck and doesn't have an army of knowledgeable advisers to handle all the details. You are essentially on your own with your accountant.
But they should be scared. Why? Because it could be the tip of the iceberg. If you are able to sufficiently answer the inquiry they are generally done with you. Otoh, depending on the inquiry, if you are not you then possibly open yourself up to further scrutiny in the current year or future years.
The IRS is 100% in the business of noticing when your tax filing doesn't jive with the numbers others reported to them about you. To have low risk of getting caught with unreported Bitcoin gains, you'd need to sell anonymously.
Reputation is sacred for these kinds of companies and this stuff isn't helping. I was just about to sign up for them, I had their tab open in my browser, but I sincerely thought something like this would happen and that I would "be on a list." Tab's closed, now.
Why the fuck would someone keep cash in a central repository if the whole purpose of bitcoin is to be de-centralized? It's like, hey, I have a car so I can get around town any time I want, so let me park it with a bunch of other cars in a dark open lot 2 miles from my house. Sure, I have to take a short bus ride to get to it, and it could be stolen or broken into at any time, but that's the price I pay for convenience, versus just keeping it in my garage where it's much more inconvenient for anyone to steal or damage it. (?????)
A website is not a bank. There are no armed guards or vaults and there is no federal insurance for your bitcoin. You're basically all handing your money to some guy who keeps all the coin on the second floor of a corporate office with a single old dude standing guard at the elevator. It's totes hard to get past that guy, because like, he has a badge and a hat and everything.
Coinbase is more like an AC'd storage facility with locks on the doors and people on staff checking IDs than a "dark open lot 2 miles from my house". Yeah, it's not Fort Knox, or even a basic bank vault, but if I think I'm much more likely to lose a thumb drive or have my computer stolen than suffer a catastrophic problem with a storage facility owned by reputable people, how does it not make sense?
That said, I'd probably be thinking about this a lot harder if I had any serious money put away in bitcoin. A storage facility is not an appropriate place to store 5 tons of gold.
What's more ironic is that the gmail.com addresses comprise upwards of 80% of what's on this list. IRS -> FBI -> Google request. Does it make any difference if this is public or not? IRS has much easier ways of getting at your info than this.
So, users opt-in to providing their names to be used with Coinbase transactions, then are unhappy when said names are used?
Perhaps yesterday's "bug" reporter was unhappy at being dismissed (and he paid for Burp Suite, too!) so perhaps he decided to cause, in his words, "panic".
There's good reasons to dislike Coinbase but this isn't one of them. And of course the "full list" is bigger - the list just contains some previously-known emails and their associated, optional, Coinbase name.
I don't care if you are a bootstrap startup or a multi-million dollar vc funded giant, I will sign up to your service with an email alias. This is the reason why.
It's easy to block the account if spammers get hold of it, nobody is able to double check if I use other services by comparing login emails, I know which service has leaked my email... bottom line, I am in control. I feel sorry for these Coinbase users.
This doesn't seem like that big of an issue. Yes coinbase should protect against this, but it doesn't really cause a security threat of any kind (assuming you have a secure password). This is a list of people who have bitcoins, but if you have a secure password you should be fine, further you can change your email.
I am well-familiar as I'm an early adopter (and sufferer), but how about having a button "report spam/scam"? If I "decline", the attacker will get a confirmation I'm logged into my account and my email and account are verified!
Silent downvotes are cowardly! Yes, they are morons as the issue was reported to them and they refused to address it - it clearly shows that they don't rate-limit the API, which is moronic! Just because Coinbase is a YC company, it doesn't mean we should put up with their crap again and again! Just recently had to get bitcoins and they cheated on the rate again and again! I really don't like that anybody can pollute my history with fake requests like this either! Poor design choice, that's what it is! Just like storing transactions in MongoDB, just because it's cool and "first" in the financial industry!
You're right, of course, and maybe I should have said "nothing wrong with submitting an article to hn without putting an established identity or even your real-life personal safety on the line". I suppose it was my desire to express with that comment my wider frustration regarding stuff like facebook/google+ real name policies that made me opt for a less accurate statement.
In general I agree, although there are certainly times when anonymity could be problematic even submitting an article on HN - for example, lying about an individual or a company, or starting a dangerous rumor.
The benefit of anonymity is, generally, to protect the anonymous from retaliation for things said or done anonymously. This is important, priceless even, when evil is being done by the powerful. For example, whistleblowing.
So the question is, is anonymity being used in any given case for good, neutral, or evil?
In the case of Facebook/Google+, I think the policy is understandable, if annoying. There's no business benefit to them to provide anonymity, and substantial business risk if they do.
The comment I was responding to seemed like a blanket condemnation of anonymous submissions, so I felt like a blanket rejection of that statement was in order. With regards to protecting whistleblowing versus people starting dangerous rumors, I think we can safely err towards accepting anonymous submissions without scrutiny since the community is already fairly skeptical.
I don't feel compelled to sympathize with Facebook/Google+'s business cases. I'm not criticizing their business acumen, after all.
The consequences of anonymity can be problematic. For example, theft. Or assault.
Of course, I expected to be pounded down for my comment, because frankly, the simpleminded libertarian wannabes are idiots. They got offended and had no idea that I'm actually a huge proponent of anonymity, despite my strongly implying it in the comment. I want anonymity. But I don't pretend that it's magical pixie dust that makes everything better and has no negative consequences.