Data On Merchant Pages - The Coinbase Blog
URL: http://blog.coinbase.com/post/47198421272/data-on-merchant-pages
Some posts circulated earlier today about a possible data breach at Coinbase. I wanted to provide some more information about what happened and how we’re responding.
What data was shown publicly?
Merchants who created a “buy now” button, donate button, or checkout page on Coinbase, and posted a public link to it, had this page publicly visible on the internet. The page contained merchant data that was entered in the Company Profile section.
But it also contained the merchant’s email address. Order pages are meant to show public information about the merchant, but including the merchant’s email address had unintended consequences in this case and should not have happened (more on this below).
Was my email address leaked?
Not unless you created a “buy now”, donate, or hosted checkout page using our “Merchant Tools” and posted a public link to it on the internet.
Was any other data leaked?
No. There wasn’t any transaction data, customer data, or anything else leaked.
How did this happen?
This was our fault in several ways. We should not have included the merchant email addresses on checkout pages unless our merchants were made more explicitly aware of this. Also (and perhaps more importantly) we did not take care to prevent these pages from being indexed in public search engines like Google. This allowed anyone to search for public Coinbase merchant checkout pages, and to collect the email addresses of merchants off these pages in an automated way.
In particular, we believe this was the source of the emails from the phishing attack yesterday.
What are you going to do to make it right?
Firstly, we have corrected the source of the problem by:
- removing email addresses from merchant checkout pages
- updating our robots.txt file to prevent search engines from indexing these pages in the future
- requesting that Google remove the cached version of these pages through their webmaster tools
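The first two fixes above are worth seeing in code, because the two controls do different jobs: taking the email address out of the public page removes the data, while robots.txt only asks well-behaved crawlers not to fetch the page. The following is an added example, not Coinbase's own code; the URL paths, the merchant record fields and the sample data are assumptions made here. It shows a public-profile projection that allowlists the fields a checkout page may display, a check of a robots.txt against a crawler and path using the standard-library parser, and a check for the X-Robots-Tag header, which is the directive that actually tells search engines not to index a page (note that a crawler can only see that header on a page it is allowed to fetch, so the header and a Disallow rule are not interchangeable).

```python
"""Added example (not Coinbase's code): keeping merchant contact data off
public checkout pages and keeping those pages out of search indexes.
Paths such as /checkouts/ and the merchant record layout are assumptions."""
from urllib.robotparser import RobotFileParser

# Fields a public checkout page is allowed to show.  Anything not listed here
# (the email address in particular) never reaches the rendered page.
PUBLIC_PROFILE_FIELDS = ("company_name", "description", "website")


def public_profile(merchant: dict) -> dict:
    """Project a merchant record onto the allowlisted public fields only."""
    return {k: merchant[k] for k in PUBLIC_PROFILE_FIELDS if k in merchant}


# Constructed robots.txt contents: a permissive file that lets crawlers fetch
# everything, and a corrected file that disallows the hosted merchant paths
# (assumed path names).
ROBOTS_BEFORE = """User-agent: *
Disallow:
"""

ROBOTS_AFTER = """User-agent: *
Disallow: /checkouts/
Disallow: /buttons/
Disallow: /donations/
"""


def crawl_allowed(robots_txt: str, path: str, user_agent: str = "Googlebot") -> bool:
    """Return True if robots_txt permits user_agent to fetch path.

    Uses urllib.robotparser so the rules are evaluated the same way a
    compliant crawler would evaluate them."""
    parser = RobotFileParser()
    parser.parse(robots_txt.splitlines())
    return parser.can_fetch(user_agent, path)


def response_noindex(headers: dict) -> bool:
    """Return True if the response's X-Robots-Tag header forbids indexing.

    robots.txt stops compliant crawlers from fetching a page; it does not stop
    a page that is linked from elsewhere from being listed by URL.  The
    'noindex' (or 'none') directive is what asks a search engine to drop the
    page from its index, and it must be reachable to be honoured."""
    tag = headers.get("X-Robots-Tag", "")
    directives = {d.strip().lower() for d in tag.split(",") if d.strip()}
    return bool(directives & {"noindex", "none"})


if __name__ == "__main__":
    # Constructed sample merchant record.
    merchant = {
        "company_name": "Example Widgets",
        "description": "Widgets for everyone",
        "website": "https://widgets.example",
        "email": "owner@widgets.example",
    }
    print("public view:", public_profile(merchant))
    for label, robots in (("before", ROBOTS_BEFORE), ("after", ROBOTS_AFTER)):
        print(label, "crawl /checkouts/abc123:",
              crawl_allowed(robots, "/checkouts/abc123"))
    print("noindex header honoured:",
          response_noindex({"X-Robots-Tag": "noindex, nofollow"}))
```

The allowlist is the part that matters most: a page template that serializes the whole merchant record will leak whatever field is added to that record later, whereas a projection only ever exposes fields that were deliberately listed. The robots.txt and header checks are useful as regression tests for the pages that remain public.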
Secondly, to correct the damage done, we have reimbursed the affected users from the phishing attack for any funds lost. It appears only two users were affected by this so far, but we will monitor it over the coming days to ensure there were not any others.
I’m personally very sorry for any trouble/anxiety this may have caused our customers, and I want you to know that we are working hard to make it right. We’ll continue to update this page as more information becomes available. As always, you can reach us with comments or questions on our support forum.
Brian Armstrong
CEO, Coinbase