[nbody]

I didn't see any suggestion from the author, did I miss it?

[krallja]

Don't allow users to determine whether an email address is registered in your system. (Even if they click "forgot password" or "send money request").

More importantly, don't ever give the user the full name of someone whose email address they pulled out of thin air!

[nbody]

Seems viable, and if you had previous "relationship"/transaction with this user you can display name etc.

[chandraonline]

- Rate limit API requests (flag / suspend if there are too many request for money requests from the same user) - Don't disclose which email addresses is registered/not registered with coinbase (right now they even go a bit further and actually disclose first and last names in the response).