Coinbase Merchant Data Leak?

132 points by dirtyaura, about 12 years ago

31 comments

cocoflunchy, about 12 years ago
I think we should all calm down and look at this in a little more detail.

A simple look at https://coinbase.com/merchants will show you a screenshot of a merchant page that looks exactly the same as those 'exposed' by Google (https://encrypted.google.com/search?q=site:https://coinbase.com/checkouts/).

Until proved otherwise, I believe these pages to be merchant pages actually selling the items, as the copy also suggests ("Send 1.00BTC to...", "Confirm payment"). The confusion must come, I suppose, from the ambiguous URLs that contain /checkouts/... and from people not really liking Coinbase?

Edit: Funny how this is a perfect example of the 'URLs are for people, not computers' argument that is number 2 on HN right now.

Irregardless, about 12 years ago
Wow, this company went through YC? I hope they only invested bitcoins...

It's one thing to lose people's bitcoins or randomly delay/cancel transactions (both of which Coinbase has been accused of). People know that bitcoin is still young and the companies supporting it are inexperienced, so they expect that. But exposing personal info and purchase history goes beyond any definition of 'unacceptable' or 'incompetent'. Over in the Reddit thread, they're already linking Facebook accounts with illicit transactions.

Users from Bitcointalk told Coinbase a week ago that they were starting to get phishing emails, which means someone has been mining this data for a while now. Yet there it is, *still* available through a simple Google search.

h2s, about 12 years ago
Jesus H Christ, this is quite a fuck up. Over on /r/bitcoin there's a comment linking to a transaction involving 229BTC worth of "Avalance Spa Powder", which is one of those synthetic drugs of ambiguous legality. That's quite a violation of trust on Coinbase's part. Their reputation is nuked. (Edit: Please note that I am 100% wrong about this. Why don't I just shut the fuck up for once?).

bti, about 12 years ago
Amateur hour over there. I originally signed up because they were a YC backed startup. Thankfully I never got around to doing any actual transactions.

rdl, about 12 years ago
Oh my god, someone found *merchant pages offering stuff for sale*.

They shouldn't be indexed, but on the 1-10 scale of security vulnerabilities, this is about a 1.05.

OTOH finding it is not very far off what Weev got 3.5 years in federal prison for, though, under CFAA.

bcl, about 12 years ago
These are buy it now / donation pages. These are NOT checkout pages for coinbase users.

pathy, about 12 years ago
Why are the checkout pages even public? No robots.txt, a lot of private information listed and public.

Shameful. I know little about web development but this seems rather obvious, even to me.

tptacek, about 12 years ago
If the first 6 or so SERPs are representative of Bitcoin as a whole, it appears to be a currency that exists primarily to facilitate donations to blogs and websites. No wonder YC funded Coinbase; it let them take another whack at Tipjoy!

Geee, about 12 years ago
Damn.. These are not transactions! These are public anyway on the merchant's site.

Just try out https://coinbase.com/docs/merchant_tools/payment_pages and press the button. It goes to the checkout page similar to these.

jgrahamc, about 12 years ago
20 reddit.com upvotes: 0.20BTC

https://coinbase.com/checkouts/35297a275c385a75d231fd4a6edd56ca

So that's currently $1.34 per upvote. Seems like a lot.

MattBearman, about 12 years ago
I'm quite surprised that over an hour after this was posted, these checkout pages are STILL public!

If I were running Coinbase I'd have put the site into some kind of 'down for maintenance' state immediately, and then put all my effort into plugging the leak.

Of course the Google et al indexes are a more difficult problem, but at least stop any more from leaking.

Edit: It has been pointed out that these are seller pages, with sellers' details only, so not a data leak at all. I retract my previous statement :)

rheide, about 12 years ago
This is shamefully bad. There is no excuse for this.

thomasjames, about 12 years ago
The cryptocurrency company that's never heard of cryptography. Bringing you your world in plain text.

r-shirt, about 12 years ago
I trusted coinbase to cashout two years worth of bitcoin paid to my online t-shirt business. First they ignored me for two weeks[0], then they promised the funds would be deposited yesterday. They're still not deposited today[1].

[0]: http://www.reddit.com/r/Bitcoin/comments/1bdd8p/iama_bitcoinaccepting_merchant_with_serious/

[1]: http://i.imgur.com/fNoXvMH.png and http://i.imgur.com/brlY2Ry.png

uvdiv, about 12 years ago
(YC S12)

randlet, about 12 years ago
Searching google for coinbase checkouts: https://encrypted.google.com/search?q=site:https://coinbase.com/checkouts/

Yikes.

mdelias, about 12 years ago
Link to close your account:

https://coinbase.com/account/cancel

abailin, about 12 years ago
Can somebody explain how Google was able to index all these checkout pages? Presumably they were only sent over email.

jstalin, about 12 years ago
I want to like coinbase, but 100% of the time that I try to buy bitcoins it says that it has run through its daily allotment and to try again in 24 hours.

DanBC, about 12 years ago
EDIT: I wrote this before people suggested that this 'leak' is just a list of people selling stuff, and not people buying stuff. Oh well. I leave my comment here, mostly because of bath-salts-guy - selling a large quantity of stuff of dubious legality should probably be done more carefully.

Sorry to Coinbase people for jumping onto a pile-on before getting correct information.

---

Regular people are hopeless when it comes to privacy and anonymity. Just look at something simple like "Don't choose a ridiculously easy password", and then look at any leaked password list.

When users fail so hard at the trivial stuff (where we've had advice on best practice for years) how are they expected to succeed at tricky stuff like crypto currencies?

This lack of user knowledge makes any coinbase[1] failures particularly bad. It's bad because you're supposed to protect your users. It's also bad because it's a failed business opportunity - 'hand hold naive users through a complex crypto process' is an unfilled niche.

I was excited about Coinbase. I really wanted them to do well. But this? It's going to take some work to recover from this.

iblaine, about 12 years ago
Please read past the headline. There is a lot of uneducated, sensationalist criticism going on. The data leak has exposed info that is already public, and basically harmless. Given someone with enough time and effort can turn this public info into a seedy crime, like using the contact list for phishing, the average coinbase user is far removed from this so-called 'data leak.'

shocks, about 12 years ago
I considered posting this, but wasn't sure how the HN community would react. Glad someone else did. Here's something scary:

https://www.facebook.com/harley.skyberg?ref=ts&fref=ts

bought

https://coinbase.com/checkouts/dd24f66b49e34b97d2bbe0e3a9a2eeb4

Oh dear.

EarthLaunch, about 12 years ago
These threads are full of misinformation and knee-jerk reactions to a problem so minor that it is barely worth noticing. And the title ("Coinbase User Data Leak?") is misleading - where's the zealous title editing now? The Reddit thread is even worse. This is more revealing of the HN community than it is of Coinbase, who hasn't done anything wrong. Disgusting.

pungoyal, about 12 years ago
these are merchant pages, not actual transaction invoices. checkout - a poor choice of name of the resource for the job it intends to do ;]

cargo8, about 12 years ago
While this is bad, I do feel like anyone using a hosted wallet like Coinbase where you directly link a bank account (which I think is rare among bitcoin exchanges, etc) can't be expecting full anonymity. Coinbase is a registered company and if they have bank accounts linked then their identities are compromised anyway if the company were to get subpoenaed, I'd imagine.

If they want anonymity they should be personally holding their own wallet. Most exchanges only allow some sort of cash order deposit, for this reason exactly.

drcode, about 12 years ago
The irony is that bitcoins is the perfect technology for preventing these kinds of data leaks- If only some more capable developers could start opening bitcoin businesses.

jwcrux, about 12 years ago
My Twitter bot, @dumpmon, found a leak of these here: http://pastebin.com/raw.php?i=b34a2X3b

tibbon, about 12 years ago
This has been said again and again- the main thing that Coinbase needs to do right now is to get better about their communications with the public.

It's understandable that a fast-growing startup in a new field, doing transaction-based work, will hit some bumps along the way. But they need to keep the community in the loop better. Twitter, blog, posting to threads like this (they know HN exists!)

JimmaDaRustla, about 12 years ago
But...but...but it's a beta!!

Sorry, had to do it ;)

bredren, about 12 years ago
Haters gonna hate.

fyi80, about 12 years ago
You know, when people were posting every blog rant about Haskell, at least a small bit of knowledge was being circulated. This bitcoin fad is dredging the bottom of the barrel -- dozens of upvoted comments written by people who can't tell the difference between an advertisement and a transaction confirmation.