Data On Merchant Pages

Some posts circulated earlier today about a possible data breach at Coinbase. I wanted to provide some more information about what happened and how we’re responding.

Update: The Washington Post and Ars Technica, who incorrectly reported that “transaction data” had been leaked, have now posted corrections to their articles. We appreciate them correcting this error.

What data was shown publicly?

Merchants who created a “buy now” button, donate button, or payment page on Coinbase, and posted a public link to it, had this page publicly visible on the internet. The page contained merchant data that was entered in the Company Profile section.

But it also contained the merchant’s email address. Product pages are meant to have public information about the merchant, but including the merchant’s email address had unintended consequences in this case, and should not have happened. (more on this below)

Was my email address leaked?

Not unless you created a “buy now”, donate, or hosted payment page using our “Merchant Tools” and posted a public link to it on the internet.

Was any other data leaked?

No. There wasn’t any transaction data, customer data, or anything else leaked.

How did this happen?

This was our fault in several ways. We should not have included the merchant email addresses on payment pages unless our merchants were made more explicitly aware of this. Also (and perhaps more importantly) we did not take care to prevent these pages from being indexed in public search engines like Google. This allowed anyone to search for public Coinbase merchant payment pages, and to collect the email addresses of merchants off these pages in an automated way.

In particular, we believe this was the source of the emails from the phishing attack yesterday.

What are you going to do to make it right?

First, we have corrected the source of the problem by:

• removing email addresses from merchant payment pages

• updating our robots.txt file to prevent search engines from indexing these pages in the future

• requesting that Google remove the cached version of these pages through their webmaster tools

Second, to correct the damage done, we have reimbursed the affected users from the phishing attack for any funds lost. It appears only two users were affected by this so far, but we will monitor it over the coming days to ensure there were not any others.

I’m personally very sorry for any trouble/anxiety this may have caused our customers, and I want you to know that we are working hard to make it right. We’ll continue to update this page as more information becomes available. As always you can reach us with comments or questions on our support forum.

Brian Armstrong CEO, Coinbase