I received 3 payment requests similar to you guys from mailinator. I talked to support and they said somehow they got our email and just can use that to send requests. Just decline the requests and no harm done. When I first logged in i was a little nervous but no big deal they spammed out coinbase like they would your email
some big name will have been a target of this, and will sue the pants off of coinbase, and they will likely win a dispute. it doesn't matter what your terms of service say in the financial payments industry, the onus is on you(the company) to safeguard customer data, including a person's legal name.
you can't just have a form where anyone can enter an email and reveal the account holders legal name. that's lunacy. what on earth were they thinking? this isn't facebook, this is finance.