To be clear, the attacker got your email from somewhere else and confirmed that it was on Coinbase. That's the "bug." It's like if you went to go make an account with a certain email on Facebook and found that it was taken. You would then know that the person with that email has an account on Facebook.

Regarding user names, they are optional and meant to be public.

I think the biggest problem here has been that Coinbase hasn't been responsive to messages sent to their whitehat@ address. That and the fact that users are being spammed by "researchers," which is a problem that falls back on them to mitigate.

They haven't been "hacked" though, and the only thing that has been "leaked" is public account names and account existence. The latter is almost impossible to avoid if you require unique emails for accounts (if I'm wrong about that please correct me).

That's just my naive two cents, so let me know where I'm missing the picture if that's the case! :)

I'm sceptical of this. My email was not published anywhere with regards to bitcoin or Coinbase, I receive relatively little spam, yet I received 4 of these messages.

The original disclosure never claimed that emails were leaked. They were found somewhere else: http://blog.shubh.am/full-disclosure-coinbase-security/#poc

Their official response confirms this: http://blog.coinbase.com/post/81407694500/update-on-coinbase...

