The data obtained is an email address and a name (only if the user filled in the "name" field). This may as well be treated as public information.
1) Aids phishing attacks against Coinbase and customers
2) Oftentimes harmless tidbits of information can be combined to form non-harmless information. In this case, disclosing email, name, and the fact of being a Coinbase customer, or not, seems minor on its own. However, combine it with some other dataset (let's say emails/passwords taken from an unrelated site), and now it would be easier to break into accounts without setting off warning bells, since you already know who is a user or not.
Dismissing the information disclosure strikes me as akin to the "it's only harmless metadata" argument of the NSA. As we have already seen in many reports, "metadata" can be surprisingly powerful.
If one cares about the privacy aspect, then don't use an email that is tied back to you in any way, and certainly don't fill in your personal information.
If Coinbase is so needlessly sloppy then it's not hard to picture a Mt Goxish scenario in its future.
First, the vast majority of attackers are more "smash and grab" than "stealthy jewel theft." They really don't care about leaving tracks, they are going for volume. Want to phish people for Coinbase creds? Email a mass of people. Have a list of usernames/passwords from a data breach? Attackers have automated tools that will automatically try them against thousands of websites. It's more expensive and time-consuming for them to try and leverage minor info disclosures to narrow down their attack than to simply brute the crap out of everything. The economies of scale devalue the info disclosure.
Second, you are making an apples-to-oranges comparison. The boolean "Is/Is not a Coinbase user" provides a single data point, and is far less valuable than hundreds if not thousands of datapoints about who is communicating with whom, and for how long. The single piece of meta-datUM of Coinbase pales in comparison to the meta-datA of phone logs.
But if you know somebody has a lot of money, then the rational amount of effort to apply goes way up. That's why stealthy jewel thieves are stealthy.
Since the whole point of Coinbase is to contain money that, from other BTC sites, appears to be easily stolen and easily laundered, I think a set of known Coinbase accounts could well be worth the effort.
So, this sort of leak or enumeration basically reduces the (though tenuous) degree of security afforded by one's privacy.
Some people certainly do: https://twitter.com/search?q=just%20bought%20coinbase&src=ty...
I agree it's not ideal, but if your security relied on a guessable email address staying private, you're already not in a good place.
Bonus points: That screenshot also tells you I have an account with Patelco Credit Union.
If someone who is not an employee of either company manages to steal funds from me just based on that screenshot then there is some other security issue somewhere else and it was bound to happen sooner or later.
Probably something like this, which I don't really see how you'd protect yourself against. Like getting hit by a car running a red light.