No Coinbase wasn't hacked, but it handled the accusations like a pro anyway

By Michael Carney , written on April 3, 2014

From The News Desk

With Main Street consumers just barely wrapping their minds around the concept behind bitcoin and other virtual currencies, it’s fair to say that trust in the system is weak. High profile corporate failures and lawbreaking by Mt. Gox, Silk Road, and others have only heightened suspicion. So the last thing the ecosystem needs is for one of its flagship generation 2.0 companies to meet the same fate.

Bitcoin faithful were forced to consider the unthinkable today, when for the briefest of moments Coinbase looked like it had been hacked. The two-year-old San Francisco-based wallet and payments company has raised the most venture-funding of any bitcoin enterprise and has backing from several notable investors – including Andreessen Horowitz*, Union Square Ventures, Ribbit Capital, and Y Combinator, among others – making it somewhat of a bellwether for the ecosystem as a whole.

Coinbase has denied suffering any sort of security breach and published a detailed explanation of the day’s events to its blog. Kudos to the company for handling a difficult situation swiftly and with appropriate transparency.

The incident began when a list of approximately 2,000 names and corresponding email addresses were uploaded to Pastebin by an anonymous user, who claimed that they were Coinbase users. The poster then accused the company of cooperating with the US government, writing, “Coinbase provides your full transaction history to the FBI, FinCEN and IRS every day. They are under a gag order.”

The Pastebin post has since been removed, but discussion threads on Reddit and Hacker News remain.

Coinbase writes:

Despite speculation on a few forums, there has been no data breach of names or emails at Coinbase... Specifically with regard to the ‘request money’ feature of Coinbase, it is highly inaccurate to suggest that names or emails were leaked or that there has been a breach. 

...We’d also like to address the claim of a “leaked” list of Coinbase emails and user names.  This list (the size of which is less than one half of one percent of Coinbase users) was not the result of a data breach at Coinbase. This list of emails was likely sourced from other sites - probably Bitcoin related ones.  It’s clear there was no data breach because no other user information is provided.

The company goes on to explain that a deliberate feature of its bitcoin payments service allows users to request funds from each other with only an email address, and that in the process the name of the user receiving the request is revealed, a process known as “user enumeration.” Coinbase writes:

It’s important to note that using an email address to determine if someone has an account on a service is the norm across most internet sites today. You’ll find that user enumeration is possible on Facebook, Google, Dropbox, and nearly every other major internet site. You’ll also find many leading payment services allow user enumeration, including Paypal, Venmo, Square Cash, and many others.

The company adds that offering user enumeration is key to “providing a positive and responsive user experience,” adding that for any nefarious actor to uncover the names of Coinbase users, they would first need to know these users’ email addresses.

At best, a would-be hacker who knows both the name and email address of a Coinbase user could try to implement a social engineering or phishing attack with the hopes of gaining access to that user’s funds. Coinbase acknowledges this, writing, “We’ve spent a good amount of time investigating this behavior and we believe that the risks are minor... we absolutely recognize that it can be an inconvenience and cause confusion.”

That said, many Hacker News and Reddit commenters claiming to be among those whose account details were published report receiving phishing emails today, including many requesting payment.

Coinbase explains that it has taken steps, prior to today’s incident, to prevent abuse of its platform. This includes implementing rate limits around sensitive actions like requesting money to prevent large scale phishing attacks.

There are several important takeaways from today’s events. First, any high profile consumer internet platform, especially those dealing with money, will be the target of hacking attempts. This means that not only do the companies operating these sites need to remain vigilant, but so do consumers. But that’s old news.

More illustrative is the speed and forthrightness with which Coinbase responded to what could have been a bad situation. (Let’s just hope they’re right and no breach has occurred). This response stands in stark contrast to the months of silence, cryptic non-statements, and outright lies by the leadership at Mt. Gox leading up to and following the exchange’s failure earlier this year.

In good times and in bad, there’s always a right way to address seemingly negative situations. By emerging on the right side of that line, Coinbase may ultimately gain user confidence following today’s incident.

As I’ve said previously, trust doesn’t grow in the shadows. Trust is forged under the glare of the brightest of spotlights. Coinbase survived that scrutiny today. Hopefully the next time shit hits the proverbial fan, it and other critical bitcoin companies will respond with similar poise.

(* Disclosure: Andreessen Horowitz partners Marc Andreessen, Jeff Jordan, and Chris Dixon are individual investors in PandoDaily.)

[illustration by Brad Jonas for Pando]