If they're following what they claim: only your encrypted "wallet.aes.json" file is saved on their server.
Decryption is done client-side in your browser, and so is the seed contained in the wallet once it is decrypted.
That’s the real issue — even if the underlying storage is encrypted on their servers, the way it’s implemented effectively means your seed is “hot” and ready to hand over to anyone in your session. It defeats the purpose of client-side encryption if the server happily feeds the encrypted blob to anyone logged in and the client auto-decrypts it on demand.
You get it.
It seems like the main purpose of it is to set up a convincing "non-custodial" claim (better term: "self-custodial") rather than for security purposes.
This is why most people do not recommend their web wallet, aside from their historical mess-ups in the past few years.
-snip-
That theory is disturbingly plausible.
-snip-
My opinion: Blockchain.com’s support processes are the biggest vulnerability here — not my password strength, not phishing, not some exotic exploit. Once you can social-engineer their support, the rest of their “layers of security” are just decoration.
It still needs some investigation though.
But it's definitely NOT your password or anything that can't get into the wallet's settings page.