An anonymous user today posted a partial list of Coinbase user names and email addresses. The paste, which is available here, starts with the phrase “Here is a partial list of Coinbase user emails and their full names. Full list much bigger.” It further adds that, “Coinbase provides your full transaction history to the FBI, FinCEN and IRS every day. They are under a gag order.” At the same time, a blogger, Shubham Shah, posted a complete, detailed Full Disclosure report of a flaw in the Bitcoin wallet service Coinbase that can be leveraged by cybercriminals to obtain information for use in targeted phishing campaigns. You can read the Full Disclosure report here.
The author of this story also received a similar phishing mail on 10th March, 2014. The said mail, an image of which is reproduced below, came from a valid email address at @coinbase.com; however, the link contained in the text led to a phishing website that asks for Coinbase credentials. Gmail rightfully identified it as spam and has evidently been blocking such messages for some time now.
“I often come across security issues that have been introduced ‘by design’ and in many cases, developers of web applications refuse to fix these design flaws. Phishers can use this flaw for serious harm. I believe it is a security issue on Coinbase, which will merely assist mass, targeted phishing,” Shubham wrote on his blog. Shubham himself tried the technique and found it to be very successful.
Shubham then contacted Coinbase about this very serious issue, but Coinbase gave him only a curt reply.