Is Coinbase Safe?
Yes, Coinbase is one of the safest cryptocurrency exchanges available today, but it's important to understand where that safety comes from.
Coinbase is based in the United States, is publicly traded on the NASDAQ, and is registered with FinCEN as a Money Services Business. It complies with U.S. regulations for anti-money laundering (AML) and Know Your Customer (KYC) policies.
On the technical side, Coinbase uses AES-256 encryption, two-factor authentication (2FA), and biometrics for customer login. About 98% of customer cryptocurrency funds are stored in cold wallets; 2% of assets are stored in hot wallets.
Coinbase also holds a crime insurance policy that protects a portion of custodial crypto assets from losses due to data breaches or theft. This policy, however:
- Does not cover losses from unauthorized access to your Coinbase account (through phishing, stolen credentials, SIM swapping, etc.).
- Does not cover NFTs.
- May not fully reimburse all users if total losses exceed insurance recoveries.
For U.S. dollar balances, Coinbase pools customer funds in custodial accounts at U.S. banks and credit unions, some of which are FDIC- or NCUSIF-insured. If your cash is held at one of these institutions, you may be eligible for pass-through insurance for up to $250,000 per individual.
Coinbase is not an FDIC-insured bank, and crypto assets are not protected under traditional deposit insurance. The platform itself is safe, but staying safe also depends on you.
Has Coinbase Been Hacked?
Over the last five years, there have been four notable hacks or breaches at Coinbase. With daily trading volumes ranging from $2.5 billion to $15 billion between January and March of 2025, it’s little surprise that Coinbase is a target for hackers.
1. March 2021: SMS 2FA flaw affects over 6,000 Coinbase users
Attackers exploited a vulnerability in Coinbase’s SMS-based 2FA recovery process to access user accounts. According to its 10-K filing in February this year, Coinbase reimbursed affected users $25.1 million.
2. February 2023: Phishing attempt by '0ktapus' group
A sophisticated phishing campaign targeted Coinbase employees with SMS messages in an attempt to steal login credentials. While no customer information or funds were taken, some employee information was. Coinbase’s security team linked the attack to the “0ktapus” hacking group.
3. July 2024: Third-party bank breach affects 154 clients
In July 2024, a third-party bank used by Coinbase accidentally exposed a file with some customer names, account numbers, and routing details. Coinbase’s systems weren’t breached, and there’s no evidence that the data was misused. The company notified all 154 affected users and offered support out of caution.
4. March 2025: Attempted supply chain attack via GitHub Actions
Attackers tried to compromise Coinbase by targeting its open-source project agentkit on GitHub. They used a token with permission to make changes and attempted to inject malicious code. Coinbase caught the attack early and removed the affected workflow before any sensitive data was accessed.
How Coinbase Protects You
1. Platform-related security features:
AES-256 encryption for sensitive data
Coinbase uses AES-256, the same encryption standard used by banks, to secure sensitive information like your bank account number and routing details. This data is encrypted at rest on Coinbase servers so it can’t be read without proper authorization.
Restricted employee access and background checks
Only authorized employees can access customer data, and even then, access is limited based on job function. Coinbase performs background checks on all employees and uses role-based permissions to keep customer information secure.
Secure bank account linking with Plaid
When you connect your bank account to Coinbase, your username and password are never shared with or seen by Coinbase; Plaid handles the login securely. Coinbase receives only account details necessary for verification and fraud prevention, like your account number and balance — not your password.
2. User-facing controls:
2FA required on all accounts
Without 2FA, you can’t log in or make account changes. Supported methods include hardware security keys (like YubiKey), passkeys stored on your device or in the cloud, authenticator apps like Google Authenticator, and Coinbase Security Prompt via the mobile app.
SMS is available but is the least secure option and should only be used as a backup. Coinbase recommends enabling at least two 2FA methods to avoid being locked out if one becomes unavailable.
Trusted contacts for account recovery
You can add trusted contacts — people you know personally — who must approve any account recovery requests. All contacts must approve a request before recovery proceeds. Coinbase also assigns code names to each contact, so only you can identify them.
Address allowlisting
With allowlisting, transactions can only be made to wallet addresses that you've pre-approved and added to your address book. Any changes to the allowlist, such as adding or removing addresses, are subject to a 48-hour hold period.
Coinbase Vault for long-term storage
Vaults require multiple approvals (two, three, or five approvers) to initiate a withdrawal, and there's a mandatory 48-hour delay before the withdrawal is processed. This setup gives you time to cancel any unauthorized withdrawal requests.
Session monitoring
You can monitor all active sessions linked to your account, including web sessions, confirmed devices, and mobile apps. If you notice any unfamiliar activity, you can immediately revoke access to those sessions.
App Lock for Coinbase Wallet
App Lock adds a passcode or biometric requirement to open your Coinbase Wallet app and/or approve transactions. It protects access to the app on your device but does not secure your recovery phrase or block transfers if someone has it. This is different from Coinbase’s account lock, which temporarily freezes activity on your account.
Official communication channels
If you receive an email that appears suspicious or claims to be from Coinbase, you can forward it to [email protected] for verification.
Coinbase customer support will never call you or ask for your password, 2FA code, or access to your device. Legitimate emails always come from a verified Coinbase domain, such as “@coinbase.com” or subdomains like “@mail.coinbase.com” or “@info.coinbase.com.”
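One way to apply the sender-domain rule above to a raw email, as an added example (not code from Coinbase or from this article). It assumes your receiving mail server stamps an Authentication-Results header under the hypothetical name mx.example.net; the sample messages are constructed.

```python
from email import message_from_string
from email.utils import parseaddr

TRUSTED_ROOT = "coinbase.com"        # domain named in the article
MY_MAIL_SERVER = "mx.example.net"    # assumption: your own server's authserv-id

def sender_domain(msg):
    """Domain part of the From address, lower-cased ('' if there is none)."""
    _, addr = parseaddr(msg.get("From", ""))
    if "@" not in addr:
        return ""
    return addr.rpartition("@")[2].lower().rstrip(".")

def is_coinbase_domain(domain):
    """Exact match or a true subdomain; a substring or bare suffix test is not enough."""
    return domain == TRUSTED_ROOT or domain.endswith("." + TRUSTED_ROOT)

def dmarc_passed(msg):
    """True only if our own server recorded dmarc=pass; other servers' claims are ignored."""
    for header in msg.get_all("Authentication-Results", []):
        server, _, results = header.partition(";")
        if server.strip().lower() != MY_MAIL_SERVER:
            continue
        if any(r.strip().lower().startswith("dmarc=pass") for r in results.split(";")):
            return True
    return False

def classify(raw):
    """Return 'ok', 'not-coinbase' or 'unauthenticated' for a raw message."""
    msg = message_from_string(raw)
    if not is_coinbase_domain(sender_domain(msg)):
        return "not-coinbase"
    if not dmarc_passed(msg):
        return "unauthenticated"   # From says coinbase.com but nothing proves it
    return "ok"

# Constructed sample messages (not real Coinbase mail).
GENUINE = ("Authentication-Results: mx.example.net; spf=pass; "
           "dmarc=pass header.from=mail.coinbase.com\n"
           "From: Coinbase <no-reply@mail.coinbase.com>\n\nSign-in alert\n")
LOOKALIKE = ("Authentication-Results: mx.example.net; "
             "dmarc=pass header.from=coinbase.com.verify-login.example\n"
             "From: Coinbase <help@coinbase.com.verify-login.example>\n\nVerify now\n")
SPOOFED = ("Authentication-Results: attacker.example; dmarc=pass\n"
           "Authentication-Results: mx.example.net; spf=fail; dmarc=fail\n"
           "From: Coinbase Support <support@coinbase.com>\n\nAccount locked\n")

if __name__ == "__main__":
    for name, raw in [("genuine", GENUINE), ("lookalike", LOOKALIKE), ("spoofed", SPOOFED)]:
        print(name, "->", classify(raw))
```

The From header alone can be forged, which is why the third sample is flagged even though it shows a coinbase.com address.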
What You Can Do To Keep Your Coinbase Account Safe
Coinbase provides strong built-in protections, but locking down your account also depends on the steps you take. Here’s what we recommend:
Keep an eye on your email and cloud storage: Use a strong password that you don’t reuse anywhere else. Set up 2FA as well. Regularly check your email settings for unfamiliar forwarding addresses, filters, or recovery contacts that could indicate someone has tampered with your account. Keeping a dedicated email for your Coinbase account makes it less likely to be hacked.
Lock down your phone number: Call your mobile carrier and ask to add a SIM lock, port freeze, and a PIN for any account changes. Also request that they require in-store ID verification before transferring your number to another device.
Even if you don’t use SMS for 2FA, these steps can help prevent SIM-swapping that can give attackers access to your Coinbase account.
Clean up your devices: Uninstall any software you don’t use — especially tools that allow remote access. Avoid browser extensions from unknown sources, and install an ad blocker to help block malicious scripts. Keep your operating system and antivirus up to date.
Keep your recovery phrase offline: Your recovery phrase is a human-readable form of your crypto wallet’s private keys. If someone gets it, they can sign transactions and transfer your crypto. Store it offline, and don’t share it with anyone.
If Your Coinbase Account Was Hacked:
1. Lock your account through Coinbase.com
If someone accessed your account, log in, reset your password, and upgrade your 2FA (preferably to a hardware key).
Then go to Profile → Security → Lock account. This locks access across all devices. If you can't log in, contact Coinbase Support by phone with your last sign-in information. Unlocking later requires email, 2FA access, and identity verification; this can take up to 48 hours.
2. Report unauthorized transactions
Double-check that the transaction isn’t a recurring buy or reversal. After this, collect timestamps and transaction IDs from your Coinbase statement, and file a report with Coinbase Support. If a third party accessed your funds, report the theft to local law enforcement.
3. Troubleshoot your two-step verification
If you’ve lost access to your 2FA method, go to login.coinbase.com/recovery while using the device throughout the process. You’ll need your password and may be asked to verify your identity.
If you're still signed in, go to 2FA Settings, select Lost access to your 2FA?, enter your password, and choose a recovery option. Withdrawals may be paused for 24 hours after this.
4. Get alerts if your Coinbase-linked information leaks online
Aura monitors the Dark Web for personal details tied to your identity — including up to five phone numbers, one email address, your Social Security number (SSN), address, and government ID numbers like your passport or driver’s license.
If anything tied to your Coinbase account shows up in a breach, you’ll get real-time alerts so that you can act before criminals do.
5. Add protection beyond the crypto exchange
Coinbase protects its platform, but not your broader digital footprint. Aura adds another layer by locking your credit file, scanning for financial fraud, and helping you recover faster if your identity is stolen. Aura also extends up to $1 million in identity theft insurance and 24/7 U.S.-based support.