Since Blockchain.com stores your seed server-side and shows it to you after login, that’s the real danger — once someone is in, they can grab your seed and move funds anytime in the future.
If they're following what they claim: only your encrypted "wallet.aes.json" file is saved on their server.
Decryption is done client-side in your browser, as is the seed contained in the wallet once decrypted.
Here's the reference to it:
https://bitcointalk.org/index.php?topic=40264.0 [official Blockchain(dot)info topic, unknown to some]
With that, the attacker still needs your password to decrypt the wallet.
As for the source code, only the front-end of the wallet is available:
github.com/blockchain/blockchain-wallet-v4-frontend/tree/development/packages
So verifying it may not be possible.
If this wasn't you, our bad.
Maybe open a support ticket...
So someone else can remove YOUR 2FA too! 👍
I've seen a couple of topics with OPs posting their conversations with their support, and most are either copy-pasted standard replies or the support offering/suggesting something that isn't related to the issue.
Check out the "Web Wallet" sub-board in the "Service Discussion" board.
With that incompetence, there is a high chance that the one who requested the 2FA removal was using a similar email address that the customer support mistakenly thought was yours.
Because if you used the linked email address to contact their customer support, they'll lower their verification requirements for such requests.
Or if he knows something about your wallet, like its first created date (based on your first transaction) and some IP address that you've used, he might be able to use that to bypass the linked-email address requirement.