
685 points jclarkcom | 8 comments
chaps ◴[] No.45948347[source]
Once did some programming/networking work for a company that did the networking of an office sharing building that Coinbase was running out of. Early in my work there I noticed that the company had its admin passwords written on a whiteboard -- visible from the hallway because they had glass for walls. So I sent them an email to ask that they remove it (I billed them for it).

Their fix was to put a piece of paper over the passwords.

What a time.

replies(4): >>45948409 #>>45948413 #>>45950978 #>>45970370 #
1. bhawks ◴[] No.45950978[source]
That is a great anecdote.

Not saying it is untrue, but it is definitely true that Coinbase has never lost customer funds while operating in an environment with 0 safety nets and being one of the most lucrative targets.

This leak of customer data suggests that they should treat that with as much obsession as they do with their private keys.

replies(2): >>45951247 #>>45954021 #
2. arcticbull ◴[] No.45951247[source]
That's not actually true, back in the day Coinbase used Bitfinex. They were using them when Bitfinex got all that BTC stolen. Technically everyone, including Coinbase, lost assets in that hack. They were large and scary enough at the time to force Bitfinex to keep them whole instead of applying the 36% haircut, but I'd argue that amounts to recovery rather than failure to lose in the first place. [1, 2]

[1] https://www.kalzumeus.com/2019/10/28/tether-and-bitfinex

[2] https://x.com/nathanielpopper/status/933130228175552513

replies(1): >>45951757 #
3. bhawks ◴[] No.45951757[source]
That's a pretty big stretch of definitions. Whatever operations Coinbase had with Bitfinex were either to support market making activity or as a service for Coinbase's institutional customers to directly access Bitfinex via their platform.

As I said, they have never lost customer funds in their custody.

replies(1): >>45951875 #
4. arcticbull ◴[] No.45951875{3}[source]
> Whatever operations Coinbase had with Bitfinex were either to support market making activity or as a service for Coinbase's institutional customers to directly access Bitfinex via their platform.

How do you know?

replies(1): >>45954620 #
5. chaps ◴[] No.45954021[source]
Your post reads like something a lawyer would write to convey something that while (maybe) technically true, misses the point by a hundred miles.
replies(1): >>45954693 #
6. bhawks ◴[] No.45954620{4}[source]
Coinbase didn't halt trading or withdrawals during the Bitfinex hack.

Somehow I think Nathaniel Popper would have been able to put that fact directly in his NYT article instead of a throwaway tweet if there was a material impact. Heck, he wasted a paragraph quoting one of Coinbase's board of directors on the risks of unregulated exchanges like Bitfinex versus Coinbase.

7. bhawks ◴[] No.45954693[source]
Yeah you're right, Coinbase is definitely insecure as evidenced by this.

The fact that lax security has never caused them to lose billions of dollars of customer funds is just luck and paper covering passwords on a whiteboard.

replies(1): >>45954896 #
8. chaps ◴[] No.45954896{3}[source]
Yeah. Lots of exposed stuff out there can stay exposed for quite a long time without being targeted or noticed. I've found quite a bunch and usually all it takes is... looking. Just one of those weird things about the modern world.