(Ars Technica) - Bitcoin wallet service Coinbase has publicly, and presumably accidentally, exposed information about its users’ names, e-mail addresses, and details of their transactions on the Coinbase website. The exposed e-mail addresses have become the target of phishing attacks.
Coinbase, a Y Combinator-backed startup, is a popular service for holding users’ bitcoins. At the time of this writing, the leaked information was still showing up in Google searches of the Coinbase site.
The URLs of the pages label them “checkouts,” and they appear to be transaction receipts. One was a 0.05 BTC ($6.85) transaction labeled as a donation. Another was a $980 transaction for “8 managed VPS hosts” from a company called cachedd. A third was a 229.99 BTC ($31,508) transaction for “AVALANCHE SPA POWDER.”
In a Thursday blog post, Coinbase warned users to “beware of a phishing attack.” Someone has been sending e-mails to Coinbase users claiming that they need to log in to confirm recent transactions but directing them to a website not controlled by Coinbase. Late Friday morning, the leaked information was still publicly available on the Coinbase website.
There’s no evidence of a security problem with the Coinbase site. Provided users don’t fall for the phishing scheme, their funds should be safe. But publicly exposing users’ contact information and transaction details is a pretty big screwup.
We’ve emailed Coinbase seeking comment and will update if they respond.