Coinbase has resolved a logging issue in its system that led users to wrongly believe their accounts had been compromised, after failed login attempts were mistakenly labeled as two-factor authentication (2FA) failures.
As first uncovered by BleepingComputer, the bug caused the platform to misreport login errors. Specifically, attempts made with incorrect passwords were shown in the user activity log as “second_factor_failure” or “2-step verification failed.”
This mislabeling gave the false impression that an attacker had entered the correct password but was blocked at the 2FA stage, which naturally raised alarm among Coinbase users.
Several customers reached out to BleepingComputer, expressing concern that their accounts might have been breached. Many reported using unique passwords exclusively for Coinbase, found no signs of malware on their devices, and noticed no other suspicious account activity—adding to their confusion.
Coinbase later confirmed the issue, clarifying that attackers had never made it past the password stage.
The system had mistakenly classified these failed attempts as 2FA errors, even though the second authentication factor was never triggered.
To correct the confusion, Coinbase issued an update that now properly logs such attempts as “Password attempt failed” in the account activity logs, removing any misleading implication of a 2FA failure.
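The difference between the two labeling behaviours can be shown in a short sketch. This is an added example, not Coinbase's code: the page does not describe the implementation, so the catch-all failure path, the function names, the "login_success" label and the sample account are all assumptions made for illustration.

```python
import hashlib
import hmac

SALT = b"constructed-salt"  # constructed sample data, not real credentials

def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 10_000)

# Constructed account record for the demo (hypothetical values)
ACCOUNT = {"pw_hash": _hash("correct-horse"), "otp": "492817"}

def _password_ok(password: str) -> bool:
    return hmac.compare_digest(_hash(password), ACCOUNT["pw_hash"])

def _otp_ok(code) -> bool:
    return code is not None and hmac.compare_digest(code, ACCOUNT["otp"])

def login_mislabeled(password, code=None) -> str:
    """Assumed buggy shape: one catch-all failure path, always labeled as 2FA."""
    if _password_ok(password) and _otp_ok(code):
        return "login_success"
    return "second_factor_failure"

def login_stage_aware(password, code=None) -> str:
    """Label each failure with the stage at which the attempt stopped."""
    if not _password_ok(password):
        return "Password attempt failed"  # second factor was never evaluated
    if not _otp_ok(code):
        return "second_factor_failure"    # password was correct, 2FA blocked it
    return "login_success"

def password_known_to_attacker(events) -> bool:
    """The inference a user draws from the activity log:
    a 2FA failure implies the password stage was passed."""
    return "second_factor_failure" in events

if __name__ == "__main__":
    wrong_guess = "guess123"  # constructed incorrect password
    for fn in (login_mislabeled, login_stage_aware):
        event = fn(wrong_guess)
        print(fn.__name__, "->", event,
              "| password exposed?", password_known_to_attacker([event]))
```

With the stage-aware version, a "second_factor_failure" entry carries real signal: it appears only when the password check has already passed.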
Such inaccuracies, while seemingly minor, can trigger unnecessary panic. Some affected users reset all their passwords and spent hours scanning their systems for threats—precautions prompted solely by the misleading logs.
Security experts also warn that errors like this can become tools for social engineering. Misleading logs could be exploited by attackers to trick users into thinking their credentials had been stolen, potentially coercing them into revealing more information or clicking malicious links.
Coinbase customers are frequently targeted in phishing and social engineering campaigns. These attacks often involve SMS messages or spoofed phone calls designed to trick victims into giving up 2FA tokens or login details.
While there is no confirmed case of the mislabeled logs being used in such scams, BleepingComputer noted that some users had reported such use. Regardless, Coinbase reiterated that it never contacts customers via phone or text to request password changes or 2FA resets. Any such communication should be treated as a scam attempt.