According to Armstrong, merchants who created a “buy now” button, donate button or hosted payment page using Coinbase’s Merchant Tools and posted a public link to it online had the page publicly visible on the Internet.
The page contained the company name, Web site, phone number, mailing address — and e-mail address. “Product pages are meant to have public information about the merchant, but including the merchant’s email address had unintended consequences in this case, and should not have happened,” Armstrong wrote.
Because those pages were indexed in search engines, Armstrong explained, anyone could search for public Coinbase merchant payment pages in order to collect their e-mail addresses. Armstrong says that was likely the source of the e-mail list used in a recent phishing attack, which claimed to come from Coinbase and asked merchants to enter their e-mail addresses and passwords on a phishing site.
Armstrong says the company has removed e-mail addresses from all merchant payment pages, updated its robots.txt file to prevent the pages from being indexed by search engines in the future, requested that Google remove the cached versions of these pages, and reimbursed phishing victims for any funds lost.
“It appears only two users were affected by this so far, but we will monitor it over the coming days to ensure there were not any others,” Armstrong wrote.