Two customers already lost Bitcoins after handing over their credentials to cybercriminals

Apr 6, 2013 09:47 GMT

A flaw in the systems of Coinbase, an electronic wallet service for Bitcoin, exposed the details of merchants who had created a “buy now” button, a donate button, or a checkout page and posted a link to it on the Internet.

The bug caused merchant information from the Company Profile section, including email addresses, to become publicly available through search engines.

While the company says that no transaction or customer data was leaked, cybercriminals have already started using the exposed email addresses in phishing attacks.

The two customers whose credentials were phished by the attackers, and who lost funds as a result, have been reimbursed.

“This was our fault in several ways. We should not have included the merchant email addresses on checkout pages unless our merchants were made more explicitly aware of this,” Coinbase CEO Brian Armstrong explained in a blog post.

“Also (and perhaps more importantly) we did not take care to prevent these pages from being indexed in public search engines like Google. This allowed anyone to search for public Coinbase merchant checkout pages, and to collect the email addresses of merchants off these pages in an automated way.”

Coinbase addressed the leak by removing email addresses from merchant checkout pages, updating its robots.txt to keep search engines from indexing such pages, and asking Google to remove the cached copies. Note that robots.txt only asks well-behaved crawlers not to index a page; it does not stop anyone from fetching the page directly, so removing the addresses from the pages themselves is the part of the fix that actually closes the leak.

In the meantime, Coinbase customers are advised to be on the lookout for phishing emails, which read something like this: “We have been fighting an intense distributed denial-of-service (DDOS) attacks we believe is intended at manipulating the price of virtual currency, which has seen volatile price swings in the past few days.”

The emails may look legitimate, but the links they carry do not point to coinbase.com; they lead to a bogus site hosted on a shady, unrelated domain.
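The link check described above, as an added example that is not code from Coinbase or from the original article: it pulls every href out of an HTML email body and flags any whose parsed host is not coinbase.com or a subdomain of it. The sample message is constructed for illustration and uses a reserved .example domain; no real phishing domain is implied.

```python
"""Flag links in an email body that do not lead to the expected domain.

Added example, not code from Coinbase or the article. It assumes the
legitimate domain is coinbase.com and that a link is trustworthy only when
its parsed host is coinbase.com itself or a subdomain of it. The sample
email below is constructed; the attacker domain is a reserved .example name.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

LEGIT_DOMAIN = "coinbase.com"

# Constructed sample: the visible text says coinbase.com, the href does not.
SAMPLE_EMAIL = """
<p>We have been fighting an intense distributed denial-of-service (DDOS)
attack we believe is intended at manipulating the price of virtual currency.</p>
<p>Please <a href="https://coinbase.com.login-verify.example/account">verify
your account</a> at
<a href="https://coinbase.com.login-verify.example/account">https://coinbase.com</a>.</p>
<p>Read our <a href="https://blog.coinbase.com/">blog</a> for updates.</p>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []       # list of [href, text] pairs
        self._current = None  # index of the <a> currently being read

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.links.append([href, ""])
                self._current = len(self.links) - 1

    def handle_data(self, data):
        if self._current is not None:
            self.links[self._current][1] += data

    def handle_endtag(self, tag):
        if tag == "a":
            self._current = None


def extract_links(html):
    """Return a list of (href, text) tuples found in the HTML body."""
    parser = _LinkCollector()
    parser.feed(html)
    return [(href, " ".join(text.split())) for href, text in parser.links]


def is_legit_host(url, domain=LEGIT_DOMAIN):
    """True only for http(s) URLs whose host is `domain` or a subdomain of it.

    Comparing the parsed host (not a substring of the URL string) defeats
    lookalikes such as coinbase.com.evil.example and userinfo tricks such
    as https://coinbase.com@evil.example/.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https"):
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def suspicious_links(html, domain=LEGIT_DOMAIN):
    """Return the (href, text) pairs whose href does not lead to `domain`."""
    return [(href, text) for href, text in extract_links(html)
            if not is_legit_host(href, domain)]


if __name__ == "__main__":
    for href, text in suspicious_links(SAMPLE_EMAIL):
        print(f"SUSPICIOUS: text={text!r} -> {href}")
```

The decisive detail is that the comparison runs on the host produced by `urlsplit`, not on whether the string "coinbase.com" appears somewhere in the link or its visible text: the lookalike in the sample contains the real name as a prefix and would pass a naive substring check, while the legitimate blog.coinbase.com subdomain correctly passes.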