Security researchers have flagged a Coinbase-associated Commerce page that appears to ask users to input their wallet recovery phrases, with experts warning the practice could desensitize users to common phishing tactics.
The page, which has been circulating widely on social media, was first flagged by Yu Xian (widely known as Cos), founder of blockchain security platform SlowMist.
"I am very confused why Coinbase has such a page that directly asks users to enter their mnemonic phrases in plaintext for asset recovery," Yu stated in an X post on Wednesday, adding, "This insecure practice is unbelievable."
Coinbase has not yet responded publicly to the issue. The company told Cointelegraph it is investigating the matter but provided no further details. Cointelegraph also attempted to reach Yu Xian for comment but had not received a response by press time.

Coinbase refers to the subdomain as a "withdrawal tool" for commerce
The guide, which appears to have since been taken down, reportedly outlined options for users to recover funds by importing their seed phrase into a compatible wallet, such as Coinbase Wallet or MetaMask. It also directed users to a withdrawal tool under the same subdomain, which raised further concerns.

Coinbase users are warned against pasting seed phrases on any website
It remains unclear whether the page is the result of a Coinbase technical glitch or another issue.


