Board: Development & Technical Discussion
Re: Saving public key in online shop
by BurtW on 24/02/2017, 22:17:18 UTC

Quote
You should always use a new address every time you receive bitcoins.

Not sure I agree, and for sure know such a practice can add to paperwork in some instances.  Example: let's say a website creates a "donation" address (public of course).  If 5000 visitors decide to donate to that address OR to 5000 unique addresses generated by the site, what is the difference?  The same coin count is received.  There is no security risk since the private keys are not on the site or on the server presenting the public receiving address.  The only issue I see is if the site needs to keep records of the individuals sending coins.  Therefore it would come down to a business decision in that regard, but not really a security decision.  The VPN providers I use are paid via BTC and they generate specific addresses for me to apply my payments when I renew.  I understand that because my payments have to be registered against my account, especially since they don't have my name or raw IP to source.  I feel the rotation of public addresses is about business conduct and not security.  Please feel free to differ.  LOL!

In this case.. well alright..
but generally you should use a new address for every transaction.
Multiple situations have been found where more than 1 digital signature can be used to calculate the priv key.
The known situations have been fixed.. but there might still be unknown ones where this is possible..

So it's definitely a matter of security.
This can be confusing so I will try to clear it up a bit.

Let's say, against all our advice, you use only one address.

Now you receive a bunch of donations.  Everyone can see how much you have received.  This is a privacy issue, not a security issue.

Now you send all your bitcoins somewhere.  To do this you have to sign a transaction with your private key.  Best advice and best case is you never use this address again.

Going against this sage advice you now get a bunch more donations to your one and only Bitcoin address and, of course, because you are using the same address everyone can see how much you got in the first round of donations and everything you got in the second round of donations.  Again this is a privacy issue, not a security issue.

Now you send all these new bitcoins out to use them.  To do this you have to sign a second transaction with the same private key to move the Bitcoins.  Notice this is now the second signature you have done to move Bitcoins from this one address.  So here is the security issue.  It turns out that, in the way elliptic curve signature algorithms work, very poorly designed wallets can totally screw this up and anyone seeing both signatures can directly calculate what your PRIVATE key value is.  This only applies to a totally faulty wallet that totally screws up the random number needed by the signature algorithm and uses the same value twice.  Again this only applies to shit for brains wallets and only if you sign multiple transactions FROM the same bitcoin address.  This is a security issue but only if you have a horrible wallet with horrible software using horrible random numbers from a horrible random number generator.
Now you send all these new bitcoins out to use them.  To do this you have to sign a second transaction with the same private key to move the Bitcoins.  Notice this is now the second signature you have done to move Bitcoins from this one address.   So here is the security issue.  It turns out in the way elliptical curve signature algorithms works very poorly designed wallets can totally screw this up and anyone seeing both signatures can directly calculate what your PRIVATE key value is.  This only applies to a totally faulty wallet that totally screws up the random number needed by the signature algorithm and uses the same value twice.  Again this only applies to shit for brains wallets and only if you sign multiple transactions FROM the same bitcoin address.  This is a security issue but only if you have a horrible wallet with horrible software using horrible random numbers from a horrible random number generator.