Coinbase's 'Seed Phrase Speed Dating' Page Has Security Nerds Facepalming
A subdomain for Coinbase Commerce recently hosted a withdrawal page that invited users to casually input their seed phrases, leaving security experts to question if they'd discovered a masterclass in how to get rekt.
The founder of SlowMist, Yu Xian (aka Cos), took to X to voice his bewilderment, posting: "I'm really puzzled why Coinbase would have a page like this, directly asking users to input their plaintext mnemonic phrases for asset recovery. Such an insecure practice is simply unbelievable." It's the crypto equivalent of a bank asking for your front door key and a map to your safe.
Coinbase has opted for the classic "we're looking into it" maneuver, providing no public statement beyond confirming to Cointelegraph that the matter was under investigation. The digital asset equivalent of "please hold."
Blockchain sleuth ZachXBT pointed out that this questionable page was linked from a since-deleted Coinbase Help article for its Commerce product. The guide allegedly detailed a fund recovery process that involved importing a seed phrase into wallets like Coinbase Wallet or MetaMask, funneling users straight to this eyebrow-raising withdrawal tool. Nothing says "self-custody" like a web form, right?
The documentation did, in fairness, stress that Commerce wallets are self-custodial, meaning Coinbase has no access to seed phrases and can't play hero with lost funds. It's a bold strategy to teach self-reliance by providing the digital matches and gasoline.
ZachXBT dryly observed on X: "So basically Coinbase has an official page live threat actors can use to target Coinbase users via seed phrase social engineering if they wanted?" Providing the blueprint for your own heist is certainly a novel approach to customer service.
The genesis of the page is still a mystery—whether it was a glorious bug, a leftover test, or just a very bad idea. In a delicious irony, a separate Coinbase guide firmly instructs users to never, ever paste their seed phrase into any website. The left hand clearly isn't talking to the right hand, or even in the same cryptographic galaxy.
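The guidance the article cites, never paste a seed phrase into any website, is easy to state and hard to enforce on the user's side. As an added example (not Coinbase's code, and not anything the page describes them shipping), here is a small client-side guard of the kind a wallet front-end or browser extension could use: it refuses to submit a form field whose contents are shaped like a BIP39 mnemonic. The check is a structural heuristic only (word count of 12/15/18/21/24, every token 3 to 8 lowercase letters, optionally every token in a caller-supplied wordlist); the full 2048-word BIP39 list and the checksum are not reproduced here. The sample phrase and prose below are constructed for the example and are not real keys.

```javascript
// Added example: a client-side guard that blocks submitting a form field whose
// value is shaped like a BIP39 seed phrase. Structural heuristic only; a full
// check would need the 2048-word BIP39 list and checksum, omitted here.

// BIP39 mnemonics are 12, 15, 18, 21 or 24 words long.
const VALID_WORD_COUNTS = new Set([12, 15, 18, 21, 24]);

// Every word in the English BIP39 list is 3 to 8 lowercase letters.
const WORD_SHAPE = /^[a-z]{3,8}$/;

function tokenize(text) {
  return String(text).trim().toLowerCase().split(/\s+/).filter(Boolean);
}

// Returns { suspicious, wordCount, reason }. If `wordlist` (array or Set) is
// supplied, every word must also be in it; otherwise only the shape is checked.
function looksLikeSeedPhrase(text, wordlist = null) {
  const words = tokenize(text);
  const result = { suspicious: false, wordCount: words.length, reason: '' };

  if (!VALID_WORD_COUNTS.has(words.length)) {
    result.reason = 'word count is not 12/15/18/21/24';
    return result;
  }
  if (!words.every((w) => WORD_SHAPE.test(w))) {
    result.reason = 'some token is not 3-8 lowercase letters';
    return result;
  }
  if (wordlist) {
    const known = wordlist instanceof Set ? wordlist : new Set(wordlist);
    const unknown = words.filter((w) => !known.has(w));
    if (unknown.length > 0) {
      result.reason = `${unknown.length} word(s) not in the wordlist`;
      return result;
    }
  }
  result.suspicious = true;
  result.reason = `${words.length} dictionary-shaped words, matching a BIP39 phrase`;
  return result;
}

// Scans the text fields of a form and blocks submission if any field looks like
// a mnemonic. Browser-only; call e.g. guardForm(document.querySelector('form')).
function guardForm(form, wordlist = null) {
  form.addEventListener('submit', (event) => {
    for (const field of form.querySelectorAll('input[type=text], textarea')) {
      const verdict = looksLikeSeedPhrase(field.value, wordlist);
      if (verdict.suspicious) {
        event.preventDefault();
        console.warn('Blocked submission: field value looks like a seed phrase.', verdict.reason);
        return;
      }
    }
  });
}

// Constructed sample inputs (not real keys) for a stand-alone run.
const SAMPLE_PHRASE = 'apple banana cherry dinner eagle fabric garden hammer island jacket kidney lemon';
const SAMPLE_PROSE = 'please help me recover my commerce wallet funds, what do I do next';

console.log(looksLikeSeedPhrase(SAMPLE_PHRASE)); // suspicious: true
console.log(looksLikeSeedPhrase(SAMPLE_PROSE));  // suspicious: false
```

A guard like this is a last line of defence, not the fix: the real control is that no legitimate recovery flow should ever present a web form for a mnemonic, and user-facing documentation should say so consistently. Passing the genuine BIP39 wordlist as `wordlist` cuts false positives on ordinary twelve-word sentences.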
This spectacle arrives hot on the heels of a Coinbase warning about scammers impersonating support to pilfer login details and 2FA codes. The company insists it will never DM you first, directing users to its official X and Reddit channels. Because in crypto, the only thing more constant than volatility is the parade of people trying to steal your bags.