Checking Binance login records takes only two steps: open the Binance Official APP, click "Account" in the bottom right, and enter "Security Center - Account Activity" to see all login records for the past 30 days. Each record includes time, IP, region, device, and result (Success/Failed/Blocked by risk control). Logging into the Binance Official Website and entering "Account Security - Account Activity" provides the same functionality.
Binance retains login logs for 30 days, including all successful logins, password errors, 2FA errors, and blocked abnormal IP events, which makes them your main window for discovering anomalies. It is recommended to check login records once a week; combined with login alert emails, this can shorten the time to discover account theft from "days" to "minutes." According to Binance's 2024 security statistics, users who proactively check login records have average asset losses 83% lower than those who don't, due to early discovery and rapid response.
First-time APP users should refer to the iOS Installation Tutorial to ensure they download the genuine official app. This article details the full process of viewing and analyzing login records, configuring alerts, and handling abnormal logins.
What You Can See on the Login Records Page
The Binance login records page displays the following 10 fields.
1. Timestamp: Precise to the second, displayed according to your time zone (default UTC+8). Hovering the mouse also shows UTC time.
2. Login Method: Password login, QR code login, APP push confirmation, API Key call.
3. IP Address: Full display of IPv4 or IPv6 address, e.g., "223.104.123.45".
4. Geographic Location: Derived from an IP geolocation database, accurate to country/province/city. E.g., "USA New York New York".
5. Device Type: OS + browser/APP, such as "Windows 10 Chrome 120", "iOS 17 Binance App 2.85.1", "Android 14 Pixel 8 Pro".
6. User-Agent Fingerprint: Unique identification of the device (partially masked).
7. Login Result: Success (green check), Failed - Password wrong (yellow), Failed - 2FA wrong (orange), Blocked - IP abnormal (red).
8. Risk Score: Green (0-30), Yellow (31-70), Red (71-100). The score is based on IP reputation, device age, plausibility of the login time, historical association, etc.
9. Follow-up Operations: Summary of account activity after login, such as "No operation", "Withdrawal application 1 time", "Create API Key", "Modify password", etc.
10. Action Button: For suspicious records, you can click "Not Me" to trigger the emergency process.
How to Identify Abnormal Logins (5 Signals)
Not all "unknown IPs" mean account theft, and not all "local IPs" are safe. A sound judgment weighs the following 5 signals together.
Signal 1: Completely unknown device + unknown IP + successful login. This is the strongest danger signal. If the device has never been used by you, the IP is in a region you've never visited, and login was successful, the account is almost certainly compromised. Act immediately according to the "account stolen" plan.
Signal 2: Common device but distant IP + asset operation after login. Your iPhone suddenly logs in from a Malaysia IP instead of your usual location, and within 5 minutes, a withdrawal is requested. This might mean your iCloud password was stolen, allowing the attacker to restore your phone backup and obtain session cookies.
Signal 3: High-frequency failure followed by one success. For example, 50 failed password attempts at 3 AM, followed by a 51st successful login. This is a classic characteristic of a successful brute-force attack; you must immediately change the password and reset 2FA.
Signal 4: Logins from two different cities at the same moment. You just logged in from London, and 30 seconds later another IP logs in from Tokyo. Physically impossible; one of them must be a thief. Compare devices and IPs to judge which one is you.
Signal 5: API Key call source IP doesn't match the whitelist. Normally, API Keys can only be called from whitelisted IPs. If login records show "API call from non-whitelisted IP," it indicates the attacker might have obtained your API Key and found a way to bypass the whitelist (rare but possible via IP spoofing).
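Signals 1, 3 and 4 expressed as a check over exported records, as an added example that is not Binance's code. The column names, the sample rows, and the thresholds (3 failures, a 10-minute window) are constructed assumptions; the real export layout may differ.

```python
import csv, io
from datetime import datetime, timedelta

# Constructed sample; the column names are an assumed export layout.
SAMPLE_CSV = """time,ip,city,device,result
2026-03-20 03:00:01,203.0.113.7,Kuala Lumpur,Linux Firefox 115,Failed
2026-03-20 03:00:05,203.0.113.7,Kuala Lumpur,Linux Firefox 115,Failed
2026-03-20 03:00:09,203.0.113.7,Kuala Lumpur,Linux Firefox 115,Failed
2026-03-20 03:00:14,203.0.113.7,Kuala Lumpur,Linux Firefox 115,Success
2026-03-21 09:15:00,198.51.100.20,London,iOS 17 Binance App,Success
2026-03-21 09:15:30,192.0.2.44,Tokyo,Windows 10 Chrome 120,Success
2026-03-22 20:00:00,198.51.100.20,London,iOS 17 Binance App,Success
"""

def load(text):
    """Parse the export and sort oldest first so runs of events line up."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["time"] = datetime.strptime(r["time"], "%Y-%m-%d %H:%M:%S")
    return sorted(rows, key=lambda r: r["time"])

def flag_anomalies(rows, known_devices, known_cities,
                   fail_threshold=3, same_moment=timedelta(minutes=10)):
    findings, fails, last_ok = [], {}, None
    for r in rows:
        if r["result"] != "Success":
            fails[r["ip"]] = fails.get(r["ip"], 0) + 1  # failures per source IP
            continue
        # Signal 3: a run of failures from one IP that ends in a success.
        if fails.pop(r["ip"], 0) >= fail_threshold:
            findings.append((r["time"], "signal3_failures_then_success"))
        # Signal 1: unknown device and unknown location, yet login succeeded.
        if r["device"] not in known_devices and r["city"] not in known_cities:
            findings.append((r["time"], "signal1_unknown_device_and_ip"))
        # Signal 4: successes from two cities too close together in time.
        if (last_ok and r["city"] != last_ok["city"]
                and r["time"] - last_ok["time"] <= same_moment):
            findings.append((r["time"], "signal4_two_cities_same_moment"))
        last_ok = r
    return findings

FINDINGS = flag_anomalies(load(SAMPLE_CSV),
                          known_devices={"iOS 17 Binance App"},
                          known_cities={"London"})
for when, signal in FINDINGS:
    print(when, signal)
```

The failure counter is kept per source IP, so a password-guessing run spread across many addresses needs a per-account counter instead.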
Standard Viewing Process
View via APP: Open Binance APP → "Account" icon bottom right → "Security Center" → "Account Activity." By default, it shows the last 7 days; swipe to the top and click "Filter" to extend to 30 days, or filter by types like "Login," "Withdraw," "API," or "Modify."
View via Web: Log in to Binance official site → Top right avatar → "Account Security" → "Account Activity" section at the bottom. The advantage of the web version is the export function, allowing you to download a CSV file for offline analysis (commonly used for corporate compliance).
Sort by Time: Default is newest to oldest. You can switch to oldest to newest to observe the "attack starting point."
Filter by Result: It's recommended to look at all "Failed" records first, then all "High Risk" records, and finally check "Successful but distant" records.
Weekly Check Suggestion: Spend 3 minutes every Saturday or Sunday night scanning the records for the past 7 days. This frequency is manageable and timely. Perform an extra check at key moments (before/after large transactions, traveling abroad, after changing devices).
Emergency Process for Abnormal Logins
Once an anomaly is identified, act immediately in this order; time is money.
Minutes 0-1: Click "Not Me." Click the "Not Me" button next to the suspicious record. The system will immediately force all devices to log out, lock the account, and require re-verification via Email + SMS + 2FA + Face Recognition. All withdrawals will be suspended.
Minutes 1-3: Change Password. After passing re-verification, change your password immediately. Use at least 12 characters, including upper/lowercase letters, numbers, and special symbols, completely different from your old password and passwords on other sites.
Minutes 3-5: Reset 2FA. Even if you think 2FA wasn't leaked, reset it. Invalidate the old 16-digit key and bind a new one to Google Authenticator.
Minutes 5-7: Check and Delete All API Keys. Enter the API management page and delete all Keys (regardless of whether you created them). API Keys are a favorite "persistent backdoor" for thieves.
Minutes 7-10: Check Withdrawal Whitelist and Address Book. Delete any addresses you don't recognize. Attackers often add a whitelist first and wait for the cooling-off period before withdrawing.
Minutes 10-15: Check Recent Fund Flows. Review trade history, withdrawal history, deposit history, fiat orders, and C2C orders. If funds have already left, take screenshots of all evidence.
Minutes 15-20: Submit Support Ticket. In the APP, click Support → "Account Stolen," upload all evidence (login records, abnormal operations, fund flow screenshots), and request an account freeze for investigation.
Minutes 20-30: Troubleshoot Your End. Recall if you've recently clicked suspicious email links, used public WiFi, downloaded suspicious programs, or if your phone was lost or repaired. Find the root cause to prevent a repeat.
Full Configuration of Login Alerts
Login alerts are the strongest tool for "passive discovery." Get notified immediately via email, SMS, and APP push for each new device or abnormal login.
Path: APP → Account → Security Center → Notification Settings → Login Alerts.
Channel Selection:
- Email Alert: Recommended. Sent to registered email, keeps historical records. Delay 1-3 minutes.
- SMS Alert: Recommended. Sent to bound phone, strong immediacy. International SMS might delay.
- APP Push: Recommended. Arrives instantly, but won't be received if the APP is not online.
- Telegram Bot: New feature in 2024. Pushes to Telegram after binding, instant and reply-able.
Enable email, SMS, and APP push together for a triple-layer notification network.
Alert Content Example:
【Binance】Login Reminder: 2026-03-27 15:42 A new device logged into your account. Device: Windows 10 Chrome, IP: 123.45.67.89, Region: Los Angeles, USA. If this was not you, please click immediately: https://accounts.binance.com/login-not-me
Identifying Fake Alerts: Real alerts have an anti-phishing code, and links point to binance.com and its official subdomains. Fake alerts (phishing) have no anti-phishing code and links point to similar domains (like binance-alert.com). Always verify before clicking.
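The two checks above (anti-phishing code present, links on binance.com or its subdomains) as an added example, not Binance's own code. The sample messages and the code "K7-maple" are constructed, and rejecting non-HTTPS links is an added assumption.

```python
import re
from urllib.parse import urlsplit

OFFICIAL_DOMAIN = "binance.com"  # domain named in the article

def is_official_link(url):
    """True only if the host is binance.com or one of its subdomains."""
    try:
        parts = urlsplit(url)
        # hostname drops any "user@" prefix and lowercases the host.
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return False
    if parts.scheme != "https":  # assumption: treat non-HTTPS links as suspect
        return False
    # Exact match or a dot-separated suffix; a bare endswith would pass xbinance.com.
    return host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN)

def looks_genuine(message, anti_phishing_code):
    """Both checks from the article: code present and every link official."""
    links = [u.rstrip(".,;)") for u in re.findall(r"https?://\S+", message)]
    has_code = bool(anti_phishing_code) and anti_phishing_code in message
    return has_code and all(map(is_official_link, links))

# Constructed messages; "K7-maple" stands in for the user's own code.
REAL = ("Anti-phishing code: K7-maple. A new device logged into your account. "
        "If this was not you: https://accounts.binance.com/login-not-me")
FAKE = ("A new device logged into your account. "
        "If this was not you: https://binance-alert.com/login-not-me")
LOOKALIKES = [
    "https://binance.com.example.net/login-not-me",     # official name as a prefix
    "https://accounts.binance.com@binance-alert.com/",  # official name as userinfo
    "https://xbinance.com/login-not-me",                # suffix without a dot
]

print(looks_genuine(REAL, "K7-maple"), looks_genuine(FAKE, "K7-maple"))
print([is_official_link(u) for u in LOOKALIKES])
```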
Advanced Uses of Login Records
Use Case 1: Employee Departure Audit. For corporate accounts, after an employee leaves, besides changing passwords and 2FA, check login records for the last 30 days to identify unauthorized access.
Use Case 2: Judicial Evidence. In account disputes or litigation, login records can serve as evidence (Binance can provide full logs upon request from judicial authorities).
Use Case 3: Compliance Reporting. For financial institutions using Binance, login records are key evidence for audits like SOC 2.
Use Case 4: Automated Monitoring. Quant teams can pull their own login records via API (partially supported) and integrate them into SIEM systems for automatic alerting.
Frequently Asked Questions
Q: How long are login records kept? A: 30 days. Records older than 30 days are automatically cleared.
Q: Why do I have failed login records when I haven't logged in? A: Usually, someone is trying passwords with your email or UID but failing. If the same IP tries more than 50 times, contact support to blacklist that IP.
Q: Why didn't I receive the APP push alert? A: Check APP notification permissions, phone Do Not Disturb mode, and whether the APP hasn't been opened for a long time (iOS might kill background processes).
Q: Are login records and device management the same? A: No. Device management shows devices currently logged in (a set), while login records show every login event (a flow). They complement each other.
Q: Why does my own IP show as "Unknown Region"? A: IPv6 addresses or mobile network base station IPs are sometimes not covered by the database and show as "Unknown." Focus on device and time.