Blog post is here:
https://www.coinbase.com/blog/protecting-our-customers-stand...
> We will reimburse customers who were tricked into sending funds to the attacker due to social engineering attacks. If your data was accessed, you have already received an email from [email protected]; all notifications went out at 7:20 a.m. ET on 5/15 to affected customers.
The no-reply is an interesting decision. I get how difficult it is to run a company like Coinbase (their biggest strength, centralized + customer support, is also what enables this social engineering), but feels like an odd choice.
Their "customer support" includes not expecting users to set up PGP to communicate with them. Email is not a secure method of communication by default.
It's fine to send a notification instructing them to visit the secure portal for more info, though. Hence, no-reply.
no-reply is a good practice. No business should ever encourage their customers to reply to the emails they are sending out. That's what scammers do.
To contact the company you should go to company website at the address you know (which shouldn't be given in email as well), log in and send a message through internal message system, possibly referring to the email that you recieved through a random code (those can be auto-suggested if they recently tried to contact you by email).
If you do anything else your communication knwowingly mimics communication of a scammer.
Unrequested email should always only be one way communication. Email is too untrustworthy for it to be anything more.
> No business should ever encourage their customers to reply to the emails they are sending out.
It’s fascinating that we keep creating new technology and then find out that in practice most of it cannot be trusted. Which means it cannot be used for anything serious.
IT revolution is a bit of a failure
The first "email" was sent in the 1971 and SMTP was designed in 1983. Back then the implementers didn't dream of the adoption levels of these protocols that we see today. Your same complaint could be levied against the best practices for phone calls in order to avoid scams, and that's also a slightly older technology.
Some of these technologies that have been mass adopted because they're easily accessible also have glaring security holes and ways to be exploited built into them. It's a tale as old as time, and I can hardly blame businesses in this specific case (using no-reply addresses.)
> No passwords, private keys, or funds were exposed and Coinbase Prime accounts are untouched.
I'm curious why no Coinbase Prime accounts were part of the leak (assuming that's what they mean). Is there some sort of additional layer of data protection behind the Coinbase Prime paywall? Or perhaps those accounts were intentionally avoided as they would presumably belong to more savvy users.
Coinbase Prime is its own exchange with its own support (actual humans in the USA that are available to chat to). It's for "institutional investors" so unavailable to most customers without the proper credentials/paperwork. They don't share the same outsourced "support" as the regular exchange, which appears to be the attack vector here.