Device management is a page many users never open again after setting up 2FA, yet it is the primary place where a compromised account is discovered. This article outlines a 10-minute monthly audit method, along with a 5-minute emergency workflow to follow if you spot an unfamiliar session. First, log into the Binance Official Website and open the device management page. Mobile users can also view it in the Security Center of the Binance Official App; if you don't have the official App installed, check the iOS Installation Guide.
1. What Does the Binance Device Management Page Tell You?
After logging in, go to Account → Security → Device Management. You will see a table listing all devices currently in an active login state. Every row includes:
- Device Type: iPhone 15 Pro / MacBook Air M3 / Chrome browser, etc.
- Login IP: The IP address of the last activity.
- IP Location: Country/Region + City.
- Login Time: The time of the last activity.
- Device Fingerprint: Browser UserAgent + fingerprint hash.
This table only displays logged-in sessions; devices that have already been logged out will not appear here.
2. The 10-Minute Monthly Audit Checklist
Pick a fixed time each month (e.g., the evening of the 1st) to do a comprehensive check. The checklist is as follows:
1. Verify Every Device
Check row by row:
- Do I recognize this device name?
- Have I ever been to this IP location?
- Does the last active time match my usage habits?
If the answer to any of these is "No," you must be on alert.
2. Remove Unused Devices
Find sessions for:
- Old phones you have already sold or given away.
- Old computers where you have reinstalled the OS.
- A temporary session you forgot to log out of after using someone else's computer.
- Sessions that shouldn't be kept, like company computers or internet cafe PCs.
Click "Remove" for each one. In this step, almost 50% of users can clean out a pile of leftovers.
3. Check for Abnormal IP Locations
Typical anomalies:
- You've always been in Shanghai, but logins from unfamiliar regions like Nigeria, Russia, or Vietnam appear on the list.
- You use a fixed home broadband, but AWS / DigitalOcean or other cloud provider IPs appear.
- Sessions active in two different countries at the exact same time.
If any of these occur, it should be treated as an "emergency situation" (see the next section).
4. Review the API Key List
Go to Account → Security → API Management, and verify row by row:
- Did I create this key?
- Are the permissions strictly limited to what I actually need (Reading/Spot Trading/No withdrawal permission)?
- Has it been accessed in the last 30 days? If not, consider deleting it.
5. Update Password and 2FA Once
You don't absolutely have to change your password, but you must confirm that the 2FA entry is still on your phone and the backup key is still there. Many users open it a year later only to find the Binance entry in their Authenticator has mysteriously vanished — this is the start of major trouble.
6. Confirm the Anti-Phishing Code is Still Active
Send yourself a system email (for example, trigger a login alert) and see if the email subject includes the anti-phishing code you set.
3. The 5-Minute Emergency Workflow When Spotting an Unfamiliar Session
Core Principle: Speed > Perfection. Every extra minute you delay adds to the risk of funds being transferred out.
Minute 1: Disconnect All Sessions
Go to Account → Security → Device Management and click the "Log Out of All Devices" button. This step forces all active sessions to expire immediately, including the one you are currently using. You will be kicked out and must log back in.
Minutes 2-3: Change Password + Change 2FA
After logging back in:
- Immediately change the login password (use a brand new, 20-character password that hasn't been used anywhere else).
- Consider disabling the old Google Authenticator entry and binding a new one (if you suspect the 16-character backup key was leaked).
Minute 4: Delete All API Keys
Regardless of whether the attacker operated via an API, delete all of them and recreate them. Deleting does not affect orders already in progress, but future programmatic trading will require re-authorization.
Minute 5: Check Assets and Withdrawals
- Go to Account → Wallet → Overview, and check if your total assets match what you remember.
- Go to Account → Orders → Recent Withdrawal History, and see if there are any abnormal withdrawals in the past 24 hours.
- Go to Account → Recent Login History, and check for any logins you don't recognize.
If you find funds have been transferred out: Immediately contact Binance Support to submit a stolen account appeal (Account top right → Help → Online Support). Provide:
- The abnormal login IP and time.
- The TxHash (on-chain hash) of the abnormal transaction.
- A screenshot of the last login you personally made.
- Your anti-phishing code (to prove you are the genuine account holder).
The sooner you appeal, the higher the recovery rate — Binance risk control can sometimes freeze withdrawals within 30 minutes of a risky transaction occurring.
4. How to Turn On Abnormal Location Login Alerts
The device management page won't proactively remind you. To get real-time emails or App pushes for a "New Device Login," you must turn it on separately in your Notification Preferences:
- Account → Security → Notification Preferences.
- Find the "Login related notifications" group.
- Check the Email and APP Push boxes for "New Device Login", "Abnormal Location Login", and "New IP Login".
- Save.
Once enabled, any login from a new device or IP will notify you immediately. If you receive an alert for an action you didn't take, handle it instantly according to the emergency workflow above.
5. What Kind of Login IP is Considered "Abnormal"?
Normal login IPs generally match:
- The location is a city you have visited in the past 30 days.
- It is from the IP range of your home / company / commonly used network.
- The ISP is a consumer carrier (e.g., China Telecom, China Mobile, Comcast).
The following situations are considered abnormal:
- IPs belonging to cloud service providers (AWS, GCP, Azure, DigitalOcean, Linode) — normal users don't use cloud servers to log in.
- IPs from countries you have never visited.
- Switching IPs multiple times in a short period (jumping from Beijing to Singapore to Amsterdam within 10 minutes) — very likely a VPN anomaly or someone attacking using proxies.
- IPs belonging to public Tor exit nodes or known malicious IP pools.
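The checks from this section and from step 3 of the monthly audit, applied to a device list copied by hand from the device management table. This is an added example, not Binance code or an official export format: the field names, the isp column, the sample rows (documentation IP ranges) and the 30-day stale cut-off are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample rows, as if copied by hand from the device table.
# Field names and the "isp" column are assumptions for this example.
SESSIONS = [
    {"device": "iPhone 15 Pro", "ip": "192.0.2.10", "country": "CN",
     "isp": "China Telecom", "last_active": "2024-05-01 20:05"},
    {"device": "Chrome browser", "ip": "198.51.100.7", "country": "NG",
     "isp": "Example Mobile", "last_active": "2024-05-01 20:09"},
    {"device": "Chrome browser", "ip": "203.0.113.44", "country": "CN",
     "isp": "AWS", "last_active": "2024-04-28 03:12"},
    {"device": "MacBook Air M3", "ip": "192.0.2.11", "country": "CN",
     "isp": "China Telecom", "last_active": "2024-03-02 09:00"},
]

KNOWN_COUNTRIES = {"CN"}  # countries you have actually logged in from
CLOUD_ISPS = {"AWS", "GCP", "Azure", "DigitalOcean", "Linode"}  # named in section 5
OVERLAP_WINDOW = timedelta(minutes=10)  # the "within 10 minutes" case
STALE_AFTER = timedelta(days=30)  # assumed cut-off for leftover sessions

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")

def audit(sessions, now):
    """Return {row index: [reasons]} for every row that needs attention."""
    findings = {}
    def flag(i, reason):
        findings.setdefault(i, []).append(reason)
    for i, s in enumerate(sessions):
        if s["country"] not in KNOWN_COUNTRIES:
            flag(i, "unfamiliar country")
        if s["isp"] in CLOUD_ISPS:
            flag(i, "cloud provider IP")
        if now - parse(s["last_active"]) > STALE_AFTER:
            flag(i, "stale session, remove")
    # Pairwise pass: activity in different countries inside the window.
    for i, a in enumerate(sessions):
        for j in range(i + 1, len(sessions)):
            b = sessions[j]
            gap = abs(parse(a["last_active"]) - parse(b["last_active"]))
            if a["country"] != b["country"] and gap <= OVERLAP_WINDOW:
                flag(i, "concurrent countries")
                flag(j, "concurrent countries")
    return findings

if __name__ == "__main__":
    report = audit(SESSIONS, parse("2024-05-01 21:00"))
    for idx, reasons in sorted(report.items()):
        print(SESSIONS[idx]["device"], SESSIONS[idx]["ip"], "->", ", ".join(reasons))
```

A row flagged "concurrent countries" is not necessarily the intruder's own session; it marks both halves of the pair so you can decide which one is yours before running the emergency workflow.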
6. Will Using a VPN "Flag" Me for an Abnormal Location Login?
Yes, but this isn't a problem. Binance's abnormal location login detection is based on IPs, so if you use a VPN to switch countries, Binance sees the IP from that new country and sends a "Login from a new region" alert by email.
The solution: Add your commonly used VPN exit to the whitelist in the "Trusted Devices" list. After that, logins from the same region won't trigger an alert. However, trusting all VPN IPs is not recommended; otherwise the alerts lose their purpose.
7. Advanced Device Management: Session Timeout Limits
Users with high security awareness can change the default 24-hour session duration to 2-4 hours under Account → Security → Session Timeout Settings. A shorter timeout means you need to log in more frequently, but it also means that even if a session is hijacked, the time window the attacker can exploit becomes shorter.
Recommendations for large accounts:
- Web session timeout: 2 hours
- APP session timeout: 24 hours (The APP has device-level identification, so it is relatively safe)
- Require 2FA for every login (this is on by default)
FAQ
Q: If I log out of all devices, will it affect my ongoing orders?
A: No. Orders are tied to the account, not the session. Limit orders, stop losses, and grid strategies will continue to run. You just need to log back in to view and adjust them.
Q: Can the IP displayed in the device management list pinpoint a residential community?
A: No, at best it pinpoints the city and ISP. Binance's IP geolocation is based on public GeoIP databases, so the margin of error could be within 100 kilometers.
Q: Why are there multiple entries for the same computer in the list?
A: Different browser sessions are treated as different devices (Chrome, Firefox, Edge each count as one), and clearing cookies and logging in again also counts as a new session. Just clean them out periodically.
Q: Is the device management the same on the APP and Web platforms?
A: Yes, the backend uses the same data; only the display interface is different. You can see all devices in the "Security Center" on the APP, and the operations are the same.
Q: My phone was lost and I didn't have time to log out myself, what should I do?
A: Immediately use any other device to log into binance.com, go to the device management page, and click "Log Out of All Devices." The session on the old phone will expire within 30 seconds. If your 2FA was also on that phone, you will need to use your 16-character backup key to restore 2FA on a new phone before you can log in.