Quantum_Resolve7987V (OP)
Newbie
Offline
Activity: 28
Merit: 0
August 07, 2025, 07:10:57 AM
Hello everyone,

I want to share a concerning experience I had with Blockchain.com regarding two-factor authentication (2FA) on my wallets, and I’d really appreciate input from anyone who understands these issues—especially @Loyce, who I’ve heard is an expert on wallet security and blockchain matters.

What happened:
• I have two Blockchain.com wallets linked to the same email address.
• Without my consent, 2FA was disabled on both wallets.
• The emails notifying me about the removals look different from the ones sent when I disable 2FA myself:

Unauthorized removal email:
Subject: Two Factor Authentication Disabled
A request to remove two factor authentication from blockchain.info account identifier XXX was approved. Two factor authentication is now disabled.

Self-disabled 2FA email:
Subject: Your 2FA method was disabled
We noticed your 2FA method was disabled. Confirm the details below. If this was you, you can ignore this email. If this wasn’t you, contact support.
Wallet XXX

• When I re-enabled 2FA after the unauthorized removal, Blockchain.com reused the exact same 2FA secret key that was previously active, which is a serious security concern.
• Only when I disabled 2FA myself again and re-enabled it did the system generate a new secret key.
• The suspicious activity originated from an IP address in Cambodia (103.9.188.71), which I do not recognize.
• Attempts to decline the unauthorized 2FA removal failed with an error saying the requests were already processed.
• I was able to change my password, but there is no login or activity history available to review.

Also worth noting: When disabling 2FA from within the account, no 6-digit code is required. You just click “disable” and it’s gone— no confirmation at all. This completely undermines the point of 2FA and is not standard security practice.

Why I’m posting:
This situation suggests that Blockchain.com staff or their support system may have approved these removals without my knowledge or consent, exposing users to significant risk.

@Loyce, if you see this, I’d greatly appreciate any advice or assistance you could offer in getting Blockchain.com to address these issues properly. If anyone else has encountered this or can shed light on how Blockchain.com handles 2FA removals, please share.

Thanks for reading, and stay safe out there.

P.S. Honestly, I hope Loyce feels some sympathy for me after all this. This whole ordeal has been incredibly traumatic and stressful—having my security stripped away without warning, not knowing if my funds are safe, and battling the frustrating system errors has been a nightmare I wouldn’t wish on anyone. After this experience, I will never trust Blockchain.com again.
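The secret-reuse behaviour described in the post above, as an added example that is not part of the original thread and is not Blockchain.com's code: a minimal RFC 6238 TOTP check plus a hypothetical `TwoFactorState` record, showing that a code generated from the first secret still verifies after re-enrolment when the secret is reused, and fails when the service rotates it. The class, its method names and the fixed timestamp are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import secrets
import struct


def totp(secret_b32, at, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1, as used by common authenticator apps."""
    key = base64.b32decode(secret_b32)
    counter = struct.pack(">Q", int(at) // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class TwoFactorState:
    """Hypothetical server-side 2FA record for one wallet (assumed design)."""

    def __init__(self, rotate_on_enable):
        self.rotate_on_enable = rotate_on_enable
        self.secret = None
        self.enabled = False

    def enable(self):
        # Reuse policy: a secret left behind by an earlier removal is issued again.
        if self.secret is None or self.rotate_on_enable:
            self.secret = base64.b32encode(secrets.token_bytes(20)).decode()
        self.enabled = True
        return self.secret

    def support_removal(self):
        # Models the removal in the post: the flag is cleared, the secret is kept.
        self.enabled = False

    def verify(self, code, now):
        if not self.enabled:
            return False
        # Accept the current 30 s step and one step either side for clock drift.
        return any(hmac.compare_digest(totp(self.secret, now + d * 30), code)
                   for d in (-1, 0, 1))

    def user_disable(self, code, now):
        # Hardened disable: needs a valid code, and the old secret is discarded,
        # so the next enable() always issues a fresh one.
        if not self.verify(code, now):
            return False
        self.enabled, self.secret = False, None
        return True


NOW = 1_754_500_000  # constructed fixed timestamp so the run is repeatable


def old_secret_survives(rotate_on_enable):
    """Enrol, remove via support, re-enrol: does a code from the FIRST secret pass?"""
    state = TwoFactorState(rotate_on_enable)
    first_secret = state.enable()
    state.support_removal()
    state.enable()
    return state.verify(totp(first_secret, NOW), NOW)


if __name__ == "__main__":
    print("reuse policy, first secret still valid: ", old_secret_survives(False))
    print("rotate policy, first secret still valid:", old_secret_survives(True))
```

With reuse, anyone who saw the original secret or QR code keeps a working second factor across the removal and re-enrolment, which is why rotation on every enrolment is the expected behaviour.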

hosemary
Legendary
Offline
Activity: 2884
Merit: 6398
August 07, 2025, 07:56:59 AM
After this experience, I will never trust Blockchain.com again.
This is the best thing you can do. You should avoid any web wallet. Blockchain.com is a closed-source wallet and there is no way to know how the keys are generated and whether they are stored on blockchain.com's servers or not. Go for a trustworthy open-source wallet like Electrum or Sparrow.

Quantum_Resolve7987V (OP)
Newbie
Offline
Activity: 28
Merit: 0
August 08, 2025, 02:35:50 AM
After this experience, I will never trust Blockchain.com again.
This is the best thing you can do. You should avoid any web wallet. Blockchain.com is a closed-source wallet and there is no way to know how the keys are generated and whether they are stored on blockchain.com's servers or not. Go for a trustworthy open-source wallet like Electrum or Sparrow.
You know, I found out Blockchain.com will let you open a support ticket to disable 2FA on someone *else’s* account. Yeah, that’s right — someone broke into my account, opened a support ticket, and Blockchain was like: "Sounds legit!" ...They didn’t even ask for a second opinion. Just disabled it. It's like breaking into someone’s house and the locksmith shows up and goes, "Hey, you sure you live here?" And the guy’s like, "Oh yeah, totally." And the locksmith goes, "Well okay then — lemme get this door right off the hinges for ya."

justinlamode
Full Member
Offline
Activity: 490
Merit: 153
The secret to happiness is making others happy
August 08, 2025, 06:23:57 AM
First mistake is to use Blockchain.com that is not open source which means your asset is not safe there. If you need reliable software wallets, Electrum is fine and should be considered. I had a Blockchain.com wallet but since I learnt that they are not open source, I have abandoned the wallet. Now they even require me to do KYC to be able to convert to fiat, I don't know what that is because I have moved on.

Outhue
August 08, 2025, 06:44:49 AM
Things never go the way you want with blockchain dot com, at least for me, it has always been like blockchain is the one in control always, this is why I stopped using them, I also remember losing some funds on blockchain.com in the past, they claimed I must have exposed my seed phrase but there is nothing to use to clear this doubt.
I later found out that the wallet is even closed source, as a newbie at the time my blood is always boiling to try out new things in this crypto space, I ended up making a lot of mistakes, it's insane that people are still using this wallet in 2025 when there are better ones out there.
Stop using blockchain.com, they suck in every way, they are like Coinbase wallet and anything can happen, I doubt they are non custodial, upon all the warnings about which crypto wallets to use on this forum I am shocked that this one is still coming up.

Quantum_Resolve7987V (OP)
Newbie
Offline
Activity: 28
Merit: 0
August 08, 2025, 11:17:25 AM
First mistake is to use Blockchain.com that is not open source which means your asset is not safe there. If you need reliable software wallets, Electrum is fine and should be considered. I had a Blockchain.com wallet but since I learnt that they are not open source, I have abandoned the wallet. Now they even require me to do KYC to be able to convert to fiat, I don't know what that is because I have moved on.
🚨 BLOCKCHAIN SECURITY SYSTEM 🚨
┌────────────────────────────────────────────┐
│ We've received a 2FA removal request...    │
│ From an IP in Cambodia... for your acct.   │
│                                            │
│ We’re gonna go ahead and approve it        │
│ because we believe in the honor system.    │
│                                            │
│ 🙃 No ID check. No email verify.           │
│ 🙃 Just vibes. Total trust, baby.          │
└────────────────────────────────────────────┘
If this wasn't you, our bad.
Maybe open a support ticket...
So someone else can remove YOUR 2FA too! 👍
Love,
The 0FA Team at Blockchain.com

OcTradism
August 08, 2025, 02:10:53 PM
I want to share a concerning experience I had with Blockchain.com regarding two-factor authentication (2FA) on my wallets, and I’d really appreciate input from anyone who understands these issues
• I have two Blockchain.com wallets linked to the same email address.
• Without my consent, 2FA was disabled on both wallets.
• The emails notifying me about the removals look different from the ones sent when I disable 2FA myself:
You can use wallet mnemonic seed words and import them to non custodial wallets like Electrum wallet. Choose BIP39 and import your wallet, then a next step is so important. You must move your bitcoins out of that wallet immediately to another non custodial wallet of yours. You don't need to spend time to figure out what happened with your Blockchain.com wallet, as if you are late and if someone plays behind the scene, you have high risk of losing your bitcoin. After moving your bitcoin fund to a new wallet, you can return to figure out what happened with that 2FA wallet.
Restoring your standard wallet from seed.

Quantum_Resolve7987V (OP)
Newbie
Offline
Activity: 28
Merit: 0
August 09, 2025, 03:12:49 AM
You can use wallet mnemonic seed words and import them to non custodial wallets like Electrum wallet. Choose BIP39 and import your wallet, then a next step is so important. You must move your bitcoins out of that wallet immediately to another non custodial wallet of yours.
Yes, but this is exactly the problem — if someone *did* get into my Blockchain.com account, they wouldn’t even need to guess my password or bypass 2FA if they were already in. All they’d have to do is click a button to view my seed phrase right there in the dashboard! And the worst part is Blockchain.com gives me no login history or IP log, so I can’t even see if someone accessed my account.
You don't need to spend time to figure out what happened with your Blockchain.com wallet, as if you are late and if someone plays behind the scene, you have high risk of losing your bitcoin.
That’s the thing — without login records, I can’t even *know* whether “someone is playing behind the scenes.” It’s like driving a car without a speedometer and hoping you’re not speeding. If Blockchain.com actually cared about user security, they’d at least give basic audit logs.
After moving your bitcoin fund to a new wallet, you can return to figure out what happened with that 2FA wallet.
True, but by then it might be too late. If an attacker had my seed phrase, 2FA would mean nothing — they could sweep the wallet at any moment without ever touching my Blockchain.com account again. That’s why the lack of visibility into account activity is such a huge security flaw.
Restoring your standard wallet from seed.
Right, and that’s also the exact function that makes this so dangerous — it’s just sitting there behind one click in the UI with no extra verification step beyond already being logged in. If Blockchain.com added even *one* more layer (like re-entering the password or 2FA) before showing the seed, this risk would be much smaller.

Quantum_Resolve7987V (OP)
Newbie
Offline
Activity: 28
Merit: 0
August 09, 2025, 04:09:13 AM
Timeline of Suspicious 2FA Removal Emails from Blockchain.com

I’ve compiled the email events I received related to two wallets linked to my Blockchain.com account. Below are the timelines sorted by wallet, with timestamps aligned.

---

Wallet B (WALLET-B)

Date & Time (Local) | Date & Time (GMT) | Event
Wed, Aug 6, 2025, 1:50 PM | Wed, Aug 6, 2025, 17:50 GMT | Verify Your Device email notifying multiple wallets linked to email
Wed, Aug 6, 2025, 1:52 PM | Wed, Aug 6, 2025, 17:52:13 GMT | Authorize Login Attempt from IP 103.9.188.71 (Cambodia)
Wed, Aug 6, 2025, 1:52 PM | Wed, Aug 6, 2025, 17:52:51 GMT | 2FA Removal Request email sent (Approve / Decline options)
Wed, Aug 6, 2025, 1:53 PM | Wed, Aug 6, 2025, 17:53:23 GMT | 2FA Disabled Confirmation email sent

Time window to respond to 2FA removal request on Wallet B: Approximately 1 minute

---

Wallet A (WALLET-A)

Date & Time (Local) | Date & Time (GMT) | Event
Wed, Aug 6, 2025, 7:42 PM | Wed, Aug 6, 2025, 23:42:53 GMT | Authorize Login Attempt from IP 103.9.188.71 (Cambodia)
Wed, Aug 6, 2025, 7:43 PM | Wed, Aug 6, 2025, 23:43:20 GMT | 2FA Removal Request email sent (Approve / Decline options)
Wed, Aug 6, 2025, 7:44 PM | Wed, Aug 6, 2025, 23:44:03 GMT | 2FA Disabled Confirmation email sent

Time window to respond to 2FA removal request on Wallet A: Less than 1 minute

---

Summary: Both wallets received login attempts and 2FA removal requests from the same IP address in Cambodia within hours of each other. The time window to approve or decline the 2FA removal was extremely short (about one minute or less), making it practically impossible to respond. If you receive similar emails, be very cautious and consider moving your funds immediately.

---

Has anyone else seen login attempts or 2FA removal requests from IP 103.9.188.71?
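The timeline above expressed as a detection rule, as an added example that is not part of the original post: it flags a 2FA removal that completes before the owner has had a review window, and records whether a new-IP login preceded the request. The log-line format, event names and both thresholds are assumptions; the timestamps, wallet labels and IP address are the ones given in the post.

```python
from datetime import datetime, timedelta, timezone

# Constructed log lines: values come from the post's timeline, while the
# line format and event names are assumptions made for this example.
EVENTS = """\
2025-08-06T17:52:13Z WALLET-B login_attempt_new_ip ip=103.9.188.71
2025-08-06T17:52:51Z WALLET-B 2fa_removal_requested
2025-08-06T17:53:23Z WALLET-B 2fa_disabled
2025-08-06T23:42:53Z WALLET-A login_attempt_new_ip ip=103.9.188.71
2025-08-06T23:43:20Z WALLET-A 2fa_removal_requested
2025-08-06T23:44:03Z WALLET-A 2fa_disabled
"""

MIN_REVIEW_WINDOW = timedelta(hours=24)     # assumed policy: time the owner gets to decline
CORRELATION_WINDOW = timedelta(minutes=10)  # assumed: new-IP login shortly before the request


def parse(text):
    """Turn 'timestamp wallet event key=value ...' lines into time-sorted dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, wallet, event, *rest = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        fields = dict(item.split("=", 1) for item in rest)
        events.append({"when": when, "wallet": wallet, "event": event, **fields})
    return sorted(events, key=lambda e: e["when"])


def find_rushed_removals(text):
    """Report removals approved faster than MIN_REVIEW_WINDOW after the request."""
    findings = []
    open_request = {}  # wallet -> time the removal request was sent
    last_new_ip = {}   # wallet -> most recent new-IP login event
    for e in parse(text):
        wallet = e["wallet"]
        if e["event"] == "login_attempt_new_ip":
            last_new_ip[wallet] = e
        elif e["event"] == "2fa_removal_requested":
            open_request[wallet] = e["when"]
        elif e["event"] == "2fa_disabled" and wallet in open_request:
            # A disable with no open request (a self-disable) is not examined here.
            requested = open_request.pop(wallet)
            window = e["when"] - requested
            if window >= MIN_REVIEW_WINDOW:
                continue
            login = last_new_ip.get(wallet)
            gap = requested - login["when"] if login else None
            correlated = gap is not None and timedelta(0) <= gap <= CORRELATION_WINDOW
            findings.append({
                "wallet": wallet,
                "review_window_s": int(window.total_seconds()),
                "new_ip": login.get("ip") if correlated else None,
                "login_to_request_s": int(gap.total_seconds()) if correlated else None,
            })
    return findings


def ips_across_wallets(findings):
    """IPs tied to rushed removals on more than one wallet."""
    seen = {}
    for f in findings:
        if f["new_ip"]:
            seen.setdefault(f["new_ip"], set()).add(f["wallet"])
    return {ip: sorted(wallets) for ip, wallets in seen.items() if len(wallets) > 1}


if __name__ == "__main__":
    results = find_rushed_removals(EVENTS)
    for finding in results:
        print(finding)
    print(ips_across_wallets(results))
```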

nakamura12
August 10, 2025, 05:41:30 PM
You should hurry to transfer all your funds from that wallet before it's too late. The thing about using the mnemonic phrase from your blockchain wallet is to import the wallet using Electrum for transferring funds from that wallet before someone can transfer your funds to a new wallet that isn't blockchain.com wallet since as you have explained that someone tried disabling the 2FA on both of your wallets. I have a wallet on blockchain.com but I never used it due to some reason like being a closed source wallet.

Quantum_Resolve7987V (OP)
Newbie
Offline
Activity: 28
Merit: 0
August 12, 2025, 03:58:12 AM
You should hurry to transfer all your funds from that wallet before it's too late. The thing about using the mnemonic phrase from your blockchain wallet is to import the wallet using Electrum for transferring funds from that wallet before someone can transfer your funds to a new wallet that isn't blockchain.com wallet since as you have explained that someone tried disabling the 2FA on both of your wallets. I have a wallet on blockchain.com but I never used it due to some reason like being a closed source wallet.
I feel like LoyceV would probably give the same advice so you saved him having to come here. They didn't just TRY to disable 2FA. They actually did do it, plus I think they logged into my accounts too! Both of them.

joniboini
Legendary
Offline
Activity: 2674
Merit: 1848
August 12, 2025, 04:22:07 AM
I don't have a Blockchain.com account, but some scammers do try to brute-force their way into my accounts. I think I've seen at least two emails saying a new IP address is trying to log in, or that someone changed my password or something similar. Trying to figure out who owns the IP is probably a waste of time since they can simply use a VPN or something else to do the attack. The latter is usually phishing emails, though. So yeah, the best thing to do is move to a self-custodial wallet asap and never reuse username/password details. CMIIW.

armanda90
August 12, 2025, 05:02:31 PM
Based on my experience when using Blockchain account, every new IP access always needed email confirmation and allow for new IP access to our Blockchain account. Did you receive an email notification for allowing your Blockchain account access by a different IP address before receiving email about 2FA removing? Regarding many kinds of CEX exchange account I used, so far only Blockchain has more secure protection about account access and always needed email confirmation link indeed access with usual IP address. So your account have added another 2FA by hacker or still can access? Indeed success removing 2FA I think need 24 hours later for withdrawing assets and get luckiness if you can securing back your account. Usually all CEX exchanges will freeze withdrawal around 34 hours later after changes password or removing 2FA feature.

Quantum_Resolve7987V (OP)
Newbie
Offline
Activity: 28
Merit: 0
August 14, 2025, 02:26:00 AM
Based on my experience when using Blockchain account, every new IP access always needed email confirmation and allow for new IP access to our Blockchain account. Did you receive an email notification for allowing your Blockchain account access by a different IP address before receiving email about 2FA removing? Regarding many kinds of CEX exchange account I used, so far only Blockchain has more secure protection about account access and always needed email confirmation link indeed access with usual IP address. So your account have added another 2FA by hacker or still can access? Indeed success removing 2FA I think need 24 hours later for withdrawing assets and get luckiness if you can securing back your account. Usually all CEX exchanges will freeze withdrawal around 34 hours later after changes password or removing 2FA feature.
Yes, I did receive the “new IP” login attempt emails before the 2FA removal emails — but here’s the critical point: The 2FA removal request came less than a minute after the “new IP” login attempt notification, and the 2FA removal was approved almost instantly. That left me with essentially no time to click decline, even if I was sitting right there staring at my inbox. In my case, it doesn’t matter that Blockchain.com “always” requires email confirmation for new IPs — because whatever process happened here bypassed any meaningful delay or verification. Also, I still had account access afterward, but with 2FA gone, the attacker (or whoever approved it) could have easily retrieved my seed phrase from the account dashboard with a single click. Since Blockchain.com stores your seed server-side and shows it to you after login, that’s the real danger — once someone is in, they can grab your seed and move funds anytime in the future. As for the withdrawal freeze, if such a delay exists, it didn’t protect me here because the irreversible damage was done the second the seed was exposed.

nc50lc
Legendary
Offline
Activity: 2898
Merit: 7556
Self-proclaimed Genius
August 14, 2025, 04:53:42 AM
Since Blockchain.com stores your seed server-side and shows it to you after login, that’s the real danger — once someone is in, they can grab your seed and move funds anytime in the future.
If they're following what they claim: only your encrypted "wallet.aes.json" file is saved in their server. Decryption is done client-side in your browser so as the seed contained in the wallet once decrypted.
Here's the reference to it: https://bitcointalk.org/index.php?topic=40264.0 [official Blockchain(dot)info topic, unknown to some]
With that, the attacker still needs your password to decrypt the wallet.
As for the source code, only the front-end of the wallet is available: github.com/blockchain/blockchain-wallet-v4-frontend/tree/development/packages
So verifying it may not be possible.
If this wasn't you, our bad. Maybe open a support ticket... So someone else can remove YOUR 2FA too! 👍
I've seen a couple of topics OP posting their conversation with their support and most are either copy-pasted standard replies or the support offering/suggesting something that isn't related to the issue. Check out the "Web Wallet" sub-board in "Service Discussion" board. With that incompetence, there is a high chance that the one who requested the 2FA removal was using a similar Email address that the customer support mistakenly thought it's yours. Because if you used the linked email address to contact their customer support, they'll lower their verification requirements for such requests. Or if he knows something about your wallet like its first created date (based from your first transaction) and some IP address that you've used, he might be able to use that to bypass the linked-email address requirement.

Quantum_Resolve7987V (OP)
Newbie
Offline
Activity: 28
Merit: 0
August 15, 2025, 07:05:56 AM
If they're following what they claim: only your encrypted "wallet.aes.json" file is saved in their server. Decryption is done client-side in your browser so as the seed contained in the wallet once decrypted. Here's the reference to it: https://bitcointalk.org/index.php?topic=40264.0 [official Blockchain(dot)info topic, unknown to some] With that, the attacker still needs your password to decrypt the wallet. As for the source code, only the front-end of the wallet is available: github.com/blockchain/blockchain-wallet-v4-frontend/tree/development/packages So verifying it may not be possible.
That might be what they claim in theory — but my personal experience with the UI says otherwise. Once you’re logged in (with the password already entered), there’s literally a “click to reveal” button for the seed phrase. No additional password prompt, no 2FA challenge — nothing. So if someone gains access to the account at any point (either through direct compromise or a support blunder), they can grab the seed immediately without knowing or guessing the password again. That’s the real issue — even if the underlying storage is encrypted on their servers, the way it’s implemented effectively means your seed is “hot” and ready to hand over to anyone in your session. It defeats the purpose of client-side encryption if the server happily feeds the encrypted blob to anyone logged in and the client auto-decrypts it on demand.
With that incompetence, there is a high chance that the one who requested the 2FA removal was using a similar Email address that the customer support mistakenly thought it's yours. Because if you used the linked email address to contact their customer support, they'll lower their verification requirements for such requests. Or if he knows something about your wallet like its first created date (based from your first transaction) and some IP address that you've used, he might be able to use that to bypass the linked-email address requirement.
That theory is disturbingly plausible. Given the near-zero response window between the “new IP” email and the “2FA removal approved” email, it feels less like a brute-force hack and more like a support-side action (whether mistaken identity or deliberately lax verification). If their process allowed someone to remove 2FA without my approval and without any proper waiting period, then the entire “security” model falls apart. My opinion: Blockchain.com’s support processes are the biggest vulnerability here — not my password strength, not phishing, not some exotic exploit. Once you can social-engineer their support, the rest of their “layers of security” are just decoration.

coupable
August 15, 2025, 10:58:41 PM
Bro you are wasting your time discussing blockchain dot com vulnerabilities because you already know the inconvenience of using custodial wallets, even those with great features like offering access to private keys or being able to encrypt it in a seed phrase. If you already have funds, hurry up, open your wallet using the private keys you possess and move the funds to a safer destination (non-custodial wallet), and if you haven't funds there, just deactivate your account and never use those addresses you have their private keys forever. You will benefit nothing chasing system flaws.

Quantum_Resolve7987V (OP)
Newbie
Offline
Activity: 28
Merit: 0
August 16, 2025, 02:33:20 AM
Bro you are wasting your time discussing blockchain dot com vulnerabilities because you already know the inconvenience of using custodial wallets, even those with great features like offering access to private keys or being able to encrypt it in a seed phrase. If you already have funds, hurry up, open your wallet using the private keys you possess and move the funds to a safer destination (non-custodial wallet), and if you haven't funds there, just deactivate your account and never use those addresses you have their private keys forever. You will benefit nothing chasing system flaws.
I actually agree with most of what you said — custodial wallets always carry risks, and the best step is indeed to move funds into a wallet where you hold the keys. My opinion: I still think it is important to point out flaws in their system, because those flaws can impact other users who might not realize the risks. For example, they don’t even offer backup codes if someone loses their 2FA. The only fallback is going through “customer service,” which in theory could disable 2FA without much friction, even if the person isn’t the real account owner. That’s a potential weakness worth discussing. So yes, moving funds is priority number one — but in my view, identifying and documenting vulnerabilities helps the community as a whole.

coupable
August 16, 2025, 06:31:27 PM
Bro you are wasting your time discussing blockchain dot com vulnerabilities because you already know the inconvenience of using custodial wallets, even those with great features like offering access to private keys or being able to encrypt it in a seed phrase. If you already have funds, hurry up, open your wallet using the private keys you possess and move the funds to a safer destination (non-custodial wallet), and if you haven't funds there, just deactivate your account and never use those addresses you have their private keys forever. You will benefit nothing chasing system flaws.
I actually agree with most of what you said — custodial wallets always carry risks, and the best step is indeed to move funds into a wallet where you hold the keys. My opinion: I still think it is important to point out flaws in their system, because those flaws can impact other users who might not realize the risks. For example, they don’t even offer backup codes if someone loses their 2FA. The only fallback is going through “customer service,” which in theory could disable 2FA without much friction, even if the person isn’t the real account owner. That’s a potential weakness worth discussing. So yes, moving funds is priority number one — but in my view, identifying and documenting vulnerabilities helps the community as a whole.
No argument about discussing the quality of any service. For your knowledge, there is already a full child board dedicated to web-wallet service discussion, where you can share your experience-based opinions. My reply was because you posted here in this board with a hard work full analysis that fit to that board. Otherwise, I would like to thank you for dedicating time to warn the community and wanting to help. You can move this topic to service discussion sub-board: Web Wallets

NotATether
Legendary
Offline
Activity: 2086
Merit: 8899
Search? Try talksearch.io
August 17, 2025, 02:57:27 AM
Honestly it looks like your account was hacked. Change your passwords now. Also you might want to consider removing all your funds from Blockchain.com and into a more reputable wallet that doesn't get targeted by hackers frequently.
The 2FA secret is never reset automatically by Blockchain.com.