Based on my experience using a Blockchain account, every access from a new IP always needed an email confirmation to allow the new IP to access our Blockchain account. Did you receive an email notification asking to allow access to your Blockchain account from a different IP address before receiving the email about the 2FA removal? Of the many kinds of CEX exchange accounts I have used, so far only Blockchain has more secure protection for account access and always needs an email confirmation link, even for access from the usual IP address.
So has another 2FA been added to your account by the hacker, or can you still access it? Even if the 2FA removal succeeded, I think it needs 24 hours before assets can be withdrawn, and you will be lucky if you can secure your account back. Usually all CEX exchanges will freeze withdrawals for around 34 hours after a password change or removal of the 2FA feature.
Yes, I did receive the “new IP” login attempt emails before the 2FA removal emails — but here’s the critical point: The 2FA removal request came less than a minute after the “new IP” login attempt notification, and the 2FA removal was approved almost instantly. That left me with essentially no time to click decline, even if I was sitting right there staring at my inbox.
In my case, it doesn’t matter that Blockchain.com “always” requires email confirmation for new IPs — because whatever process happened here bypassed any meaningful delay or verification.
Also, I still had account access afterward, but with 2FA gone, the attacker (or whoever approved it) could have easily retrieved my seed phrase from the account dashboard with a single click. Since Blockchain.com stores your seed server-side and shows it to you after login, that’s the real danger — once someone is in, they can grab your seed and move funds anytime in the future.
As for the withdrawal freeze, if such a delay exists, it didn’t protect me here because the irreversible damage was done the second the seed was exposed.