Keybase is notifying Android users of a bug in its mobile app that might have unintentionally included the user's private key (used to encrypt conversations and other private data) in the automatic backups created by the Android OS and uploaded to Google's servers.
Keybase, a company that provides a wide range of identity proofing and encrypted communication tools, says it has fixed the bug and has sent notification emails to users it believes are affected by this issue.
The emails contain instructions on how users could force their device to generate a new private encryption key.
Keybase uses this private key as part of a private-public key pair system to verify a user's identity and encrypt conversations sent through the Keybase chat system from that device.
Issue affects only "early adopters" of the Keybase Android app
According to an email seen by Bleeping Computer, the issue appears to affect only "early adopters" of the Keybase Android app.
Keybase estimates that around 10% of Keybase Android app users are affected by this bug. On its website, the company boasts of serving over 205,000 users, although it is unclear how many of these also use its Android app.
Keybase said that users who back up their Android device through Google Play and users who reused passwords from other accounts or used a weak passphrase are affected.