Coinbase takes extensive security measures to ensure your account and cryptocurrency investment remains as safe as possible, but ultimately, security is a shared responsibility. Here are some actionable steps that you can take to help safeguard your investment and keep your account safe from unauthorized access.
Use a strong password
Use a password that is long, random, and unique to your Coinbase account. Never use the same password twice across your online accounts! To make it easy on you, here is the password reset link so you can strengthen your password now.
If you don't want to use a password manager, use a passphrase (a sentence or group of four or more words) for your account. However, be careful and do not choose a phrase from a book or a movie as hackers have access to sophisticated databases of such quotes.
For more password related information or to see how strong your current password is, see our Password FAQ.
Important: Never disclose your password to anyone. Coinbase employees will NEVER ask for your password.
Use the strongest form of 2-step verification
We strongly recommend using a security key to protect all of your online accounts including Coinbase, Gmail, Facebook, Dropbox, Instagram, Twitter, and YouTube. You can read more about why we consider security keys as the gold standard of account security here. If you do not currently own a security key, Yubico is a popular choice.
If you’re not ready to invest in a security key, or just don’t want to use one, the next best option is Time-based One Time Password (TOTP) with a mobile authenticator app such as Duo or Google Authenticator. By using TOTP, you are drastically reducing your chances of your account being compromised.
Security keys and TOTP can both be enabled in your account’s security settings. If you need help enabling these features, please review this support article outlining the necessary steps. To add an extra layer of security to your account, you should also consider enabling 2-step verification for all sends of cryptocurrency. This feature can also be enabled in your account’s security settings.
If you don’t own a smartphone and are restricted to receiving your 2-step verification codes via a text message, you should follow the steps in the section “Lock Down Your Mobile Account” to reduce the likelihood that you will suffer a SIM-swap or phone port attack.
If you are using the Coinbase mobile app to access your Coinbase account, we highly recommend enabling a security passcode in the app’s security settings. You can enable the passcode for both accessing the app and sending funds with the app.
Secure your email
Your email is one of the most important connections between you and your Coinbase account. We use your email to confirm new devices, send you important alerts about your account, and to communicate with you if you need support. Please make sure it is secure!
For starters, visit https://haveibeenpwned.com/ to see whether or not your email address has ever been compromised in a third-party data breach. If so, we recommend changing any passwords associated with that email address. You should also enable 2-step verification on your personal email account as well.
As an additional security precaution, you should conduct a periodic security review of your email account and settings as well:
Check your email account for unusual rules, filters, or forwarding addresses.
Check your email account settings for authorized devices you do not recognize.
Check for unauthorized recovery emails or phone numbers added to the account.
For those who feel like they may be at risk of targeted account takeover attempts, check out Google’s Advanced Protection Program.
Lock down your mobile account
A SIM-swap or phone port attack occurs when an attacker has their target’s phone number transferred to a mobile device under the attacker’s control. Fraudsters are able to do this through a variety of means, including identity theft and socially engineering mobile carrier customer support representatives. This type of attack is a threat to all accounts using SMS-based 2-step verification and any account that can be recovered using phone-based authentication.
To help protect yourself against this type of attack, please complete the following:
Call your mobile service provider and tell them that you’d like to place a port freeze and SIM lock on your account.
Ask them to create an account note requiring you to be in-store with a valid photo ID in order to port or transfer your phone number to a new device.
Ask them to add or enable a PIN number to be used when making changes to your account.
Inquire about other security measures you can enable on your mobile account to prevent unauthorized changes.
Even if you don't use SMS-based 2-step verification, you should still protect your mobile device by enabling a screen lock. This will help prevent a thief from accessing your Coinbase account and email if your phone is ever stolen.
Keep your devices clean and updated
While there are many types of malware that can infect a device, a few in particular can be especially worrisome. Keyloggers, remote access trojans (RATs), and cookie-stealing malware can all be used to steal your sign-in credentials and gain unauthorized access to your accounts.
To protect your devices from these types of threats, consider the following:
Utilize anti-virus protection and scan your device regularly. You should also be updating your virus signatures as often as possible to stay ahead of new threats.
Keep your device updated with all of the most recent operating system and security updates.
Keep your web browser and all other software updated with their latest versions.
Uninstall all questionable or unnecessary pieces of software from your device, especially tools that allow remote access.
Install an ad blocker like uBlock Origin in your browser to help protect you from malicious ads.
Practice safe web browsing habits and never click on suspicious links or download suspicious programs.
Do not install and use browser plug-ins or add-ons developed by unknown third-parties.
Enable a screen lock and password to gain access to your device.
Protect your cloud storage accounts
Many people who use smartphones often make use of cloud storage accounts such as Google Drive or iCloud to create backups of the data saved on their mobile devices. This data often includes messages, contacts, email, apps, photos, and more. If an attacker gains access to your cloud storage account and restores the device backup onto a device in their control, they will have a vast amount of information at their disposal to help them compromise your various online accounts. Do not underestimate the power of an attacker with access to this information!
Luckily, you can easily secure and protect your cloud storage accounts by following a few basic guidelines we’ve already covered:
Create a strong password! Preferably using a password manager.
Secure it with the strongest form of 2-step verification available.
Protect your email account.
Or if you want to completely avoid the risk of an attacker being able to back up your mobile device data, you can disable backups all together in your cloud’s account settings.
Bookmark https://www.coinbase.com/ in your browser and only use this link to access Coinbase. If you ever receive any text messages or emails about your Coinbase account, always use the bookmark to navigate to your Coinbase account.
Stay alert for phishing
If you are not sure what phishing is, please take a couple of minutes to read our article about phishing here.
If you receive a message appearing to have been sent by Coinbase, and you believe it is suspicious, you can always forward it to email@example.com to verify its authenticity. Alternatively, you can review this support article to help you decide whether or not an email is legitimate.
Check your recent activity
In your Coinbase account, visit the Activity page where you can view all of your active sessions including authorized mobile applications, web sessions, and confirmed devices.
If at any time you notice an unauthorized application, session, or device, you can revoke access by clicking the blue X to the right. If you need to revoke an unauthorized login to your account that you don't recognize, you should change your Coinbase and email passwords immediately. You can also open a customer support ticket explaining the issue so our security team can review your account and help you secure it.
Utilize the Address Book and Allowlisting Feature
Allowlisting is an Address Book feature that allows users to add and store any number of crypto addresses, making it easier and safer to send crypto to those crypto addresses you know and trust. Users can:
Add a crypto address for any of the supported cryptocurrencies
Assign a nickname to the address
Easily search for that address by its nickname or its first few characters when withdrawing crypto and the Address Book will autocomplete the process
Save new addresses to the Address Book after withdrawing crypto to an unknown address
Allowlisting is a security feature in the Address Book that allows crypto withdrawals to only go to addresses (external or Coinbase) already designated in your Address Book. Requiring 2-step verification to enable/disable the feature, the feature allows users to more safely withdraw to verified addresses. Users can:
Enable or disable this feature within the Address Book
Continue to add new addresses to the Address Book
Withdraw crypto only to addresses saved in the Address Book
Note: Upon enabling the feature, you have 8 hours to add new addresses and disable the feature immediately (without the 48-hour security hold).
Utilize the Coinbase Vault
If you are not an active cryptocurrency trader and plan to store your investment in your Coinbase account long term, we strongly encourage you to make use of a Vault. Vaults require multi-email approval to start a withdrawal, and the withdrawal itself has a 48-hour time delay, during which you can cancel the withdrawal at any time if you change your mind or if the withdrawal was initiated by an unauthorized party. Setting up a Vault is simple and easy, you can find more information about the process here.
Practice due diligence
Always practice due diligence when installing software or applications on the device that you use to access your Coinbase account. Additionally, you should do your research when allowing any third-party applications to access your account. Avoid installing software from unknown or otherwise shady sources. This includes “free” or cracked versions of commercial software. Browser plugins can also be risky to install, make sure you always install browser plugins from the official browser plugin repository for your browser.
If you allow any third-party applications access to your Coinbase account, you can always manage or revoke its access on your Activity page.
On another note, it is common practice for scammers to impersonate Coinbase and Coinbase support on social media. Before engaging with anyone claiming to be Coinbase on social media, please check to see if it is one of our official accounts. If not, please send the link to the impersonation account to firstname.lastname@example.org immediately.
Contact Customer Support
If at any time you have an account security concern or question, please do not hesitate to contact Coinbase Support. Fake customer support numbers and websites are a constant threat—please be very cautious with any information you find via forums, social media, and Google Ads.
As a rule of thumb, remember that Coinbase staff will never:
Ask for your password, 2-step verification codes, or email access
Ask you to install remote sign-in or remote support software on your computer
Ask you to send money for resolving issues with your account
Call you directly to handle account support or troubleshooting issues
If anyone claiming to be associated with Coinbase Support requests this information or calls you directly, please cease all communication and immediately contact us.
We hope that this information helps you take your account security to the next level. If you have an appetite for more security related content, check out some of the latest blog posts published by members of our security team here: https://blog.coinbase.com/tagged/security.