A significant security concern has emerged surrounding Coinbase Commerce, with security researchers warning that a withdrawal tool on its platform puts user funds at severe risk. The issue centers on a page that reportedly prompts users to type their mnemonic seed phrase, the master secret from which every private key in a self-custody wallet is derived, into a web form in plaintext.
The security firm SlowMist first flagged the dangerous behavior, with its founder Yu Xian (Cos) expressing disbelief on social media. "I’m really puzzled why Coinbase would have a page like this, directly asking users to input their plaintext mnemonic phrases for asset recovery," Yu wrote. "Such an insecure practice is simply unbelievable." Blockchain investigator ZachXBT also raised the alarm, noting that the page's flow could be easily copied by threat actors for sophisticated phishing attacks.
The problematic page, hosted on a Coinbase Commerce subdomain, was referenced in a now-removed Coinbase Help guide. The guide described recovering funds by importing the seed phrase into a compatible wallet such as Coinbase Wallet or MetaMask, and directed users to the withdrawal tool as part of that process. This contradicts fundamental security principles: a seed phrase grants complete and irrevocable control over a self-custody wallet, and anyone who obtains it can drain every address the wallet derives, so it should be entered only into wallet software running on the user's own device and never into a web page, official or otherwise.
Experts warn the core danger extends beyond the page itself. Normalizing the entry of seed phrases on websites, even on an official Coinbase domain, sets a dangerous precedent that makes users more susceptible to social engineering. A legitimate page of this kind also hands phishers a template: attackers can clone the interface to build convincing fake pages, and a user who has already been told by Coinbase to type a seed phrase into one web form has little basis for refusing the next one.
The tool appears to have been part of a recovery process for older Coinbase Commerce wallets, which spread funds across many derived addresses that must be consolidated before they can be withdrawn. That need may be tied to the impending shutdown of Coinbase Commerce by the end of March 2026, when it merges into the new Coinbase Business service. Security professionals maintain, however, that requesting plaintext seed phrases is never a safe method, regardless of intent: wallet software that already holds the keys can perform any legitimate consolidation itself, so the phrase never needs to leave the user's device.
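To make concrete why a "plaintext mnemonic" is the entire wallet and not just one address, the following is an added example, not code from the article, from Coinbase, or from any wallet vendor. It assumes the wallet follows the public BIP39 and BIP32/BIP44 specifications (which the article does not state, though Coinbase Wallet and MetaMask are known to implement them) and uses only the Python standard library. Anyone holding the twelve words can run exactly this derivation: the words are stretched into a seed, the seed yields a master key, and every account key below it follows deterministically, which is how one phrase "spreads funds across multiple addresses" and also why a page that receives the phrase receives all of them. The mnemonic and seed used in the usage section are the published BIP39 and BIP32 test vectors, not real funds.

```python
import hashlib
import hmac
import unicodedata

# Group order of secp256k1 (a BIP32 constant); derived private keys are reduced modulo this.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFC25E8CD0364141
HARDENED = 0x80000000  # BIP32 marks hardened child indices with the top bit set


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39: stretch the word list into a 64-byte seed with PBKDF2-HMAC-SHA512, 2048 rounds.

    The salt is the literal string 'mnemonic' followed by the optional passphrase, so a phrase
    typed into a web form without a passphrase is enough to reproduce the seed exactly.
    """
    words = unicodedata.normalize("NFKD", mnemonic)
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase)
    return hashlib.pbkdf2_hmac("sha512", words.encode("utf-8"), salt.encode("utf-8"), 2048, dklen=64)


def seed_to_master_key(seed: bytes) -> tuple[int, bytes]:
    """BIP32: HMAC-SHA512 keyed with 'Bitcoin seed' splits into (master private key, chain code)."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    k = int.from_bytes(digest[:32], "big")
    if k == 0 or k >= SECP256K1_N:
        # Astronomically unlikely; the spec says the seed is simply invalid in this case.
        raise ValueError("invalid master key for this seed")
    return k, digest[32:]


def derive_hardened_child(k_par: int, c_par: bytes, index: int) -> tuple[int, bytes]:
    """BIP32 hardened child derivation (CKDpriv for index >= 2^31).

    Hardened steps need only the parent private key and chain code, no elliptic-curve math,
    which is all that is required to walk the account level of a BIP44 path.
    """
    if index < HARDENED:
        raise ValueError("this helper handles hardened indices only")
    data = b"\x00" + k_par.to_bytes(32, "big") + index.to_bytes(4, "big")
    digest = hmac.new(c_par, data, hashlib.sha512).digest()
    il = int.from_bytes(digest[:32], "big")
    if il >= SECP256K1_N:
        raise ValueError("invalid child at this index; BIP32 says skip to the next")
    k_i = (il + k_par) % SECP256K1_N
    if k_i == 0:
        raise ValueError("invalid child at this index; BIP32 says skip to the next")
    return k_i, digest[32:]


def derive_account_keys(mnemonic: str, passphrase: str, coin_type: int, n_accounts: int) -> list[int]:
    """Walk m/44'/coin_type'/account' for several accounts.

    Every returned private key is computed from the same phrase: whoever learns the phrase
    learns all of them, for every coin type and every account index, past or future.
    """
    k, c = seed_to_master_key(mnemonic_to_seed(mnemonic, passphrase))
    k, c = derive_hardened_child(k, c, HARDENED + 44)
    k, c = derive_hardened_child(k, c, HARDENED + coin_type)
    return [derive_hardened_child(k, c, HARDENED + i)[0] for i in range(n_accounts)]


if __name__ == "__main__":
    # Published BIP39 test vector (not a real wallet): 11 x 'abandon' + 'about', passphrase 'TREZOR'.
    words = "abandon " * 11 + "about"
    seed = mnemonic_to_seed(words, "TREZOR")
    print("BIP39 seed:", seed.hex())
    # Three Bitcoin (coin type 0) and three Ethereum (coin type 60) account keys from one phrase.
    for coin in (0, 60):
        for i, key in enumerate(derive_account_keys(words, "TREZOR", coin, 3)):
            print(f"m/44'/{coin}'/{i}' private key: {key:064x}")
```

Running the script shows six distinct account-level private keys falling out of a single twelve-word phrase; adding the non-hardened address-level steps (which need secp256k1 point arithmetic) would only multiply that further. This is the property the article's experts are pointing at: there is no partial disclosure of a seed phrase.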
Coinbase has yet to explain the page's purpose publicly, telling Cointelegraph only that it is "looking into the matter." That response stands in stark contrast to the company's own security guidance, which strongly advises users never to paste seed phrases into any website. The incident highlights the critical tension between user convenience and security in the growing cryptocurrency industry.