You can find people's G+ profile if you guess the email correctly. I wouldn't be surprised if LinkedIn,Facebook,etc. had the same type of thing. I do think that coinbase-API should be rate-limited or unreplayable, but I'm _much more_ interested in where the email-list input data came from. My email wasn't in this alleged partial list, but if it was I'd like to know where they got my email from to begin with because the source of that email-list is the real problem IMHO.
I will say this though: Coinbase, please make sure there is absolutely no api call that returns banking/CC info!
This whole debacle is making a mountain out of a molehill.
They take in all mail - instead of telling the sending MTA that the account doesn't exist the message is accepted and sent to /dev/null. A bounce message may be generated but the automated MTA won't see that as the message will be carrying invalid mail sender information.