Coinbase, a startup that helps merchants accept the digital currency Bitcoin, apologized Friday for a lapse that resulted in customers' email addresses being publicly displayed.
The San Francisco company said that an unspecified number of users who had sold goods and services via its website received emails from cyberthieves trying to trick them into surrendering usernames and passwords.
The episode stemmed from a failure by Coinbase to block the email addresses of merchants from Web pages that get vacuumed by Google and other search engines, according to the company, which said it had reimbursed two victims of the phishing fraud and would remain on the lookout for others.
"We should not have included the merchant email addresses on checkout pages unless our merchants were made more explicitly aware of this," Brian Armstrong, Coinbase's chief executive, wrote in a blog post. "Also (and perhaps more importantly) we did not take care to prevent these pages from being indexed in public search engines like Google."
"This allowed anyone to search for public Coinbase merchant checkout pages, and to collect the email addresses of merchants off these pages in an automated way," added Armstrong. "In particular, we believe this was the source of the emails from the phishing attack yesterday."
Hundreds of receipts were visible the morning of April 5, linked to from the news websites Reddit and Y Combinator and available directly via Google. Besides email addresses, the receipts revealed details of purchases and the numerical Bitcoin addresses of sellers' accounts.
Among the receipts were bills for designer bath salts, payments for blog rentals and a contribution to the 10th Amendment Foundation in Los Angeles.
"It's deceiving for people who think they would have had any kind of transactional privacy," Jon Matonis, a privacy expert and evangelist for the digital currency who sits on the board of the Bitcoin Foundation, said in an interview.
The incident, which comes amid a march by merchants and consumers toward mobile payments and a boom in circulation for bitcoins, follows a pattern of other security lapses that have plagued mobile payments firms of all sizes.
Instawallet, a Bitcoin wallet service, suspended operations recently after someone broke into its database. Google found itself in the spotlight last year after security experts showed they could extract PIN codes from Google Wallet-equipped phones. PayPal has credited hackers with helping the company to strengthen systems for monitoring transactions.
In addition to merchant processing, Coinbase lets users buy, sell and store bitcoins and make purchases via smartphone.
Coinbase says it removed email addresses from the public directory of merchants, updated its systems to prevent search engines from gathering the information in the future and asked Google to take down versions of the pages containing email addresses that remained stuck in computerized caches.
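The two conditions behind the lapse, a page that search engines are allowed to index and an email address in that page, can be checked per page. The Python audit below is an added example, not Coinbase's code; the page samples and header names it uses are constructed.

```python
import re
from html.parser import HTMLParser

# Loose pattern for spotting email addresses in page text.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


class _RobotsMetaParser(HTMLParser):
    """Detects <meta name="robots" content="noindex ..."> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.noindex = False

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("name", "").lower() == "robots" and "noindex" in a.get("content", "").lower():
            self.noindex = True


def audit_page(headers, body):
    """Audit one page. It is 'exposed' when crawlers may index it AND its HTML
    contains an email address; either condition alone is still worth a finding."""
    hdr = {k.lower(): v for k, v in headers.items()}
    header_noindex = "noindex" in hdr.get("x-robots-tag", "").lower()
    parser = _RobotsMetaParser()
    parser.feed(body)
    indexable = not (header_noindex or parser.noindex)
    emails = sorted(set(EMAIL_RE.findall(body)))
    return {"indexable": indexable, "emails": emails, "exposed": indexable and bool(emails)}


# Constructed sample pages (hypothetical markup, not real checkout pages).
LEAKY_HEADERS = {"Content-Type": "text/html"}
LEAKY_HTML = """<html><head><title>Checkout</title></head>
<body>Pay 0.05 BTC to Example Store (merchant@example.com)</body></html>"""

FIXED_HEADERS = {"Content-Type": "text/html", "X-Robots-Tag": "noindex, nofollow"}
FIXED_HTML = """<html><head><title>Checkout</title>
<meta name="robots" content="noindex"></head>
<body>Pay 0.05 BTC to Example Store</body></html>"""

if __name__ == "__main__":
    for name, h, b in (("leaky", LEAKY_HEADERS, LEAKY_HTML), ("fixed", FIXED_HEADERS, FIXED_HTML)):
        print(name, audit_page(h, b))
```

Run it against fetched headers and bodies of your own receipt or checkout URLs; a page that reports `exposed` is one a crawler can index with a contact address on it.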
A search of the receipts on Friday afternoon via Google revealed that the email addresses had been removed from many of them.
Still, the spill of information upended the expectation of anonymity that underlies Bitcoin's allure for some people who choose to transact with it.
"I had no idea my info would be public," wrote a commenter on Reddit.
Other commenters counseled context. "Redditors are misreading these seller pages as completed transactions," wrote one. "Still, not the best thing to have indexed on Google."