Update (March 20, 6:30 am UTC): This article was updated to include a statement from Coinbase.
Security researchers raised alarms after a Coinbase-associated Commerce page appeared to ask users to enter wallet recovery (seed) phrases, a practice experts warn could normalize behavior exploited by phishing attacks.
The page gained wide attention on social media after Yu Xian (Cos), founder of blockchain security firm SlowMist, posted about it. “I’m really puzzled why Coinbase would have a page like this, directly asking users to input their plaintext mnemonic phrases for asset recovery,” Yu wrote, adding that the practice was “simply unbelievable.”
Recovery phrases grant full control of self-custody wallets and should never be shared with third parties, support agents, or untrusted websites. They are normally used only in trusted wallet recovery or import processes.
Coinbase has told Cointelegraph the tool came from its legacy Commerce product, which has been in sunset mode since March 2025 and is scheduled for discontinuation on March 31, 2026. A Coinbase spokesperson said the company removed the tool from its site and is exploring an updated solution for the small number of Commerce merchants still using it, stressing that customer security and asset protection are top priorities and that all funds remain secure. Coinbase also noted eligible merchant accounts are being migrated to Coinbase Business.
Blockchain investigator ZachXBT said the now-removed guide described an option for merchants to recover funds by importing their seed phrase into a compatible wallet such as Coinbase Wallet or MetaMask, and pointed users to a withdrawal tool hosted on the same subdomain that drew scrutiny. Coinbase’s help documentation also emphasized that Commerce wallets are self-custodial, meaning Coinbase does not have access to users’ seed phrases and cannot recover funds if they are lost.
Separately, Coinbase’s guidance elsewhere strongly advises users never to paste seed phrases into any website. The company has also warned that scammers impersonating customer support by phone or online are attempting to steal login details and verification codes, reminding users it will never proactively contact them and directing users to its official channels on X and Reddit.