by MichaelGG 4463 days ago
The author does spend a LOT of effort writing stuff (and showing a silly gif) to basically say "requests aren't rate limited, can disclose existence of user and full name if email is known".

Coinbase responded to him on the 25th[1]:

"We've spent some time considering the implications of this behavior and have built this intentionally. The benefits to obscuring this information is minimal and, in our opinion, not worth the additional friction alternative flows would introduce"

Anyone can sign up on Coinbase, right? So even if they did add some rate limiting, unless it was severe (or required a verified account), attackers would just sign up for more accounts.

1: http://shubh.am/bugs/coinbase.htm

Edit: I also like this part of their response: "Furthermore, it's not necessary to use "Burp Suite Intruder" in the manner demonstrated here. The functionality is exposed more directly in an intentional fashion over our API"

https://hackerone.com/reports/5200
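Added example, not code from the thread, the report, or Coinbase: a constructed lookup-by-email endpoint in the two flavours the comment contrasts (one that discloses existence and full name for a known email, one that answers identically either way), plus a per-account rate limiter and an attacker loop showing why such a limit is only as strong as the cost of creating another account. User data, account names and the limit of two requests per window are all made up for illustration.

```python
# Added example, not code from the thread or from Coinbase. It sketches the
# behaviour the comment describes: a lookup-by-email endpoint that discloses
# whether a user exists (and their full name) versus one that answers
# identically either way, plus a per-account rate limit and why an attacker
# who can freely sign up for accounts gets around it. All names, data and
# limits are constructed for illustration.
from collections import defaultdict

# Constructed user directory; not real data.
USERS = {
    "alice@example.com": {"name": "Alice Example"},
    "bob@example.com": {"name": "Bob Example"},
    "carol@example.com": {"name": "Carol Example"},
}


def lookup_leaky(email):
    """Leaky flow: a known email reveals existence and the full name."""
    user = USERS.get(email)
    if user is None:
        return {"found": False}
    return {"found": True, "name": user["name"]}


def lookup_uniform(email):
    """Non-disclosing flow: identical response whether or not the email is
    registered. The real result would reach the email's owner out of band,
    which is the 'additional friction' of the alternative flow."""
    USERS.get(email)  # do the same work either way so timing looks alike
    return {"status": "ok"}


class PerAccountRateLimiter:
    """Fixed-window limiter keyed on the calling account (hypothetical)."""

    def __init__(self, limit, window_s):
        self.limit = limit
        self.window_s = window_s
        self.counts = defaultdict(int)  # (account, window index) -> requests

    def allow(self, account, now):
        key = (account, int(now // self.window_s))
        if self.counts[key] >= self.limit:
            return False
        self.counts[key] += 1
        return True


def enumerate_users(targets, accounts, limiter, lookup, now=0.0):
    """Attacker probes each target email, rotating to a fresh account when
    the current one is throttled. Returns ({email: name} for disclosed users,
    number of probes that were throttled with no account left)."""
    disclosed, blocked = {}, 0
    pool = list(accounts)
    for email in targets:
        while pool and not limiter.allow(pool[0], now):
            pool.pop(0)  # this account is exhausted; move on to the next one
        if not pool:
            blocked += 1
            continue
        resp = lookup(email)
        if resp.get("found"):
            disclosed[email] = resp["name"]
    return disclosed, blocked


if __name__ == "__main__":
    targets = ["alice@example.com", "nobody@example.com", "bob@example.com",
               "carol@example.com", "ghost@example.com"]
    # One account, two requests per window: most probes are throttled.
    one = enumerate_users(targets, ["atk1"], PerAccountRateLimiter(2, 60), lookup_leaky)
    # Three freely registered accounts: every probe goes through.
    many = enumerate_users(targets, ["atk1", "atk2", "atk3"],
                           PerAccountRateLimiter(2, 60), lookup_leaky)
    # Uniform responses: unlimited probes, nothing learned.
    none = enumerate_users(targets, ["atk1", "atk2", "atk3"],
                           PerAccountRateLimiter(2, 60), lookup_uniform)
    print("one account:", one)
    print("three accounts:", many)
    print("uniform flow:", none)
```

The point of the last two runs is the one the comment makes: with open sign-up, a per-account limit just sets the price of enumeration at "one more account per N probes", whereas a response that does not vary with existence removes the information regardless of how many requests get through.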