Coinbase Commerce page requests seed phrases, raising security concerns


Security researchers raised concerns about a Coinbase-associated Commerce page that prompted users to enter wallet recovery phrases. The page was flagged by Yu Xian (Cos), founder of the blockchain security platform SlowMist. He said: “I’m really puzzled why Coinbase would have a page like this, directly asking users to input their plaintext mnemonic phrases for asset recovery.”

Seed phrases give full control over self-custody wallets and should NEVER be shared with anyone. The page was referenced in a Coinbase Help guide related to its Commerce product, but the guide has now been removed. Blockchain sleuth ZachXBT also flagged the issue.

Coinbase warned that scammers are posing as customer support to steal login information. Coinbase advises users NEVER to paste seed phrases into any website.

Security implications

The appearance of a page that explicitly requests seed phrases is a breach of best practice and an invitation for phishing or credential-stealing schemes. Seed phrases are the master keys to self-custody wallets and should never be revealed anywhere except in the intended wallets themselves.

How the scam works

Attackers could craft a message purporting to be support from Coinbase Commerce and request seed phrases to recover assets. The page could look like an official Coinbase page, giving users a false sense of legitimacy. Attackers would then use the seed phrases to import wallets and drain funds.

How to protect yourself

– Never share your seed phrase with anyone
– Don’t enter seed phrases on websites
– Use hardware wallets for extra security
– Verify the source before clicking any links
– Coinbase will never ask for your seed phrase

Conclusion

Seed phrases should never be exposed. Documentation governance and scam resilience are critical for exchanges and wallet services.
