- Coinbase published a migration page asking users to enter wallet seed phrases.
- Security experts warn the approach could enable phishing and social engineering attacks.
- Critics say exposing seed phrases online creates serious risks for self-custodial wallets.
Coinbase is facing criticism from the security community after publishing an official page that asks users to enter their seed phrases directly into a web form. Researchers are calling it dangerous, unnecessary, and a ready-made template for scammers.
What Is Happening
The page was created to help merchants migrate funds as Coinbase merges its Commerce product with Coinbase Business before a March 31 deadline. Merchants who received Bitcoin and other crypto payments through Commerce are being directed to a withdrawal tool at a Coinbase subdomain where they are asked to input their 12-word seed phrase to consolidate and move their funds.
For users who backed up their seed phrase to Google Drive the process involves revealing it through their Commerce dashboard settings and entering it into the withdrawal tool. Coinbase was clear that if users lost their seed phrase, it cannot recover funds.
Why Security Researchers Are Alarmed
On-chain investigator ZachXBT said, “So basically Coinbase has an official page live threat actors can use to target Coinbase users via seed phrase social engineering if they wanted?”
One user commented that they were puzzled as to why Coinbase would have a page asking users to enter their plaintext mnemonic phrases for asset recovery, calling the practice highly insecure and saying they even suspected the subdomain might have been compromised.
Related: SBI ARUHI Rolls Out XRP Rewards Program for Investors
The problem here is that a seed phrase is the single most sensitive piece of information a crypto user possesses. Whoever has it has complete and irreversible access to the wallet. An official-looking Coinbase page that normalises entering seed phrases into a web form gives criminals a perfect blueprint for phishing attacks.
Researchers also said the page was published without basic operational security measures in place, suggesting it was deployed without a proper security review. All an attacker needs to do is clone the page, send emails directing users to a nearly identical URL, and collect seed phrases at scale.
What Users Should Do
- Only use the withdrawal tool via a URL typed manually, never through an email link
- Never enter your seed phrase on any page reached through a link
- Contact [email protected] directly if you have any concerns
- Verify every URL independently before entering sensitive information
Coinbase has not publicly responded to the criticism at time of publication.
Related: Bhutan Dumps $72M in Bitcoin Again: Has It Stopped Mining?
Disclaimer: The information presented in this article is for informational and educational purposes only. The article does not constitute financial advice or advice of any kind. Coin Edition is not responsible for any losses incurred as a result of the utilization of content, products, or services mentioned. Readers are advised to exercise caution before taking any action related to the company.
Source: https://coinedition.com/coinbase-draws-security-criticism-after-asking-users-to-enter-seed-phrases/
