Almost any site that has a password reset can be used to verify whether an email account exists in that system - depending on whether the system tells you "no user with that username exists" or not. Coinbase is in no way unique with the amount of info they expose, which is the point they were trying to make in their "official" response.
I would have liked to see them announce that the API does have some sort of throttle and maybe they are going to think of ways to enable an option for this behavior or something - basically anything except to just dismiss it. Because even though I personally agree with them as far as the level of vulnerability - a lot of people don't and Coinbase doesn't seem to understand this perception problem.
1. User enters email in password reset form.
2. Website shows the same message whether the password was reset or not.
3. Email is what differs. If the account exists, send a password reset link. If it does not, send an email asking them if they want to create an account (and offer an unsubscribe link so people can't spam signup emails).
1. User enters email in signup form.
2. Website states it is sending an email to verify the account.
3. If it already exists, send a message saying they already have an account. If not, send the normal email verification link and then they can complete filling in their account details.
This prevents someone without access to the email from finding that the account exists, and also keeps the owner of the email filled in if they just forgot which email they used for the account or that they already had an account.
The problem is the convenience tradeoff. Take a site that has an instant green/red indicator that a username is already taken. People love the instant feedback, but it creates an attack vector. If you had to wait around for an email to see if you had already signed up - I bet a "Show HN" would have people here telling you that your site was user hostile! Even though it is unquestionably more secure.
I do think what Coinbase is doing now is not out of line with standard practices. But for a financial site they might be wise to start erring in the direction of security at the expense of a little convenience.
I don't think many banks (if any) will let you do a password reset based on your email address; they would use your credit card/account number as an identifier of some sort not tied in to their authentication system or a system that can be hacked (i.e., email).
Them comparing a financial service API that deals with money to Google+ or Facebook should tell you as much.
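The password reset and signup flows from the numbered steps above, sketched as an added example (not part of the original comments and not Coinbase's code). The `AccountService` class, the message strings and the in-memory outbox are hypothetical stand-ins for a real user store and mailer.

```python
import secrets

# The web response is a constant: it never depends on whether the account exists.
GENERIC_RESET = "If that address can receive mail, we have sent instructions to it."
GENERIC_SIGNUP = "We are sending an email to verify the account."


class AccountService:
    """In-memory stand-in for a user store and mailer (hypothetical names)."""

    def __init__(self, existing_emails):
        self.users = {e.lower() for e in existing_emails}
        self.unsubscribed = set()  # addresses that opted out of invitation mail
        self.tokens = {}           # single-use token -> (purpose, email)
        self.outbox = []           # (recipient, kind, token) instead of real SMTP

    def _send(self, email, kind, purpose=None):
        # A real service should enqueue this for a background worker so the
        # HTTP response time is the same on every branch.
        token = None
        if purpose:
            token = secrets.token_urlsafe(32)
            self.tokens[token] = (purpose, email)
        self.outbox.append((email, kind, token))

    def request_password_reset(self, email):
        email = email.strip().lower()
        if email in self.users:
            self._send(email, "reset_link", purpose="reset")
        elif email not in self.unsubscribed:
            # Only the mailbox owner learns that no account exists.
            self._send(email, "invite_to_create_account")
        return GENERIC_RESET

    def request_signup(self, email):
        email = email.strip().lower()
        if email in self.users:
            self._send(email, "already_have_account")
        else:
            self._send(email, "verify_link", purpose="signup")
        return GENERIC_SIGNUP

    def unsubscribe(self, email):
        # Honours the unsubscribe link so the form cannot be used to spam invites.
        self.unsubscribed.add(email.strip().lower())
```
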