TechFlow News: On March 19, according to Cointelegraph, a subdomain page of Coinbase Commerce displayed instructions prompting users to enter their wallet recovery phrases—a move that drew attention from security researchers. SlowMist’s Yu Xian stated he could not understand why Coinbase would set up such a page, which directly asks users to input their recovery phrases in plain text for asset recovery, calling the practice a serious security risk.
On-chain analyst ZachXBT noted that this subdomain page had previously been referenced in a Coinbase Commerce product help document, which advised users to restore funds by importing their recovery phrases into compatible wallets such as Coinbase Wallet or MetaMask, and included a link to the subdomain’s withdrawal tool. That help document has since been removed. ZachXBT also warned that, if exploited by malicious actors, this page could enable recovery-phrase-based social engineering attacks against Coinbase users.
