Bitcoin wallet service Coinbase has publicly, and presumably accidentally, exposed information about its merchants' names, e-mail addresses, and product details on the Coinbase website. The exposed e-mail addresses have become the target of phishing attacks. Update: Coinbase says only certain Coinbase merchants had their email addresses exposed. No transaction receipts were leaked, as this story originally stated. See below for details.

Coinbase, a Y Combinator-backed startup, is a popular service for holding users' bitcoins. At the time of this writing, the leaked information was still showing up in Google searches of the Coinbase site:

The URLs of the pages label them "checkouts," and they appear to be transaction receipts. One was a 0.05 BTC ($6.85) transaction labeled as a donation. Another was a $980 transaction for "8 managed VPS hosts" from a company called cachedd. A third was a 229.99 BTC ($31,508) transaction for "AVALANCHE SPA POWDER."

In a Thursday blog post, Coinbase warned users to "beware of a phishing attack." Someone has been sending e-mails to Coinbase users claiming that they need to log in to confirm recent transactions but directing them to a website not controlled by Coinbase. Late Friday morning, the leaked information was still publicly available on the Coinbase website.

There's no evidence of a security problem with the Coinbase site. Provided users don't fall for the phishing scheme, their funds should be safe.

Update: Coinbase responds:

Your information is not going to be shown on one of these pages unless you created a "buy now"/donate button or checkout page and posted a public link to it somewhere. Order pages are designed to be public so customers can reach them, although we should have taken more care to not make them easily indexible by Google. The email in particular, although we encoded using hex encoding to make it more difficult to scrape, should not be shown on that page. We will take a look today at some ways to get it removed from the Google cache, and avoid having these pages indexed. Will post an official response on our blog shortly. Sorry for the scare! In short - no customer information is public. Only the emails of a subset of merchants who have placed their widgets on public websites.

Coinbase has also posted a Q and A on their blog.

Correction: A previous version of the story described the pages Google indexed as "transaction receipts," but Coinbase says they're actually merchants' product pages. According to Coinbase, "there wasn't any transaction data, customer data, or receipts leaked," though they say that displaying merchants' email addresses was a mistake. We've updated the story accordingly and we regret the error.

Disclosure: I own some bitcoins, including 1.7 BTC in a Coinbase account.