MetaMask Google Login Raises Risk of Cloud-Stored Wallet Keys

By Shweta Chakrawarty

MetaMask's new Google/iCloud login option allows users to sync encrypted private keys to the cloud, sparking security concerns.

Quick Take

Summary is AI generated, newsroom reviewed.

  • MetaMask introduced a feature allowing users to log in with their Google or iCloud credentials and back up encrypted wallet data (including private keys) to the cloud.

  • The feature was flagged by Cos of SlowMist as a major security risk, as a compromise of the cloud account could lead to the loss of all linked wallets.

  • The system encrypts the mnemonic file, with the wallet unlock password serving as the decryption key.

  • The development highlights the tension between convenience for new users and the decentralization/security principles prized by seasoned crypto investors.

  • Security experts continue to emphasize that traditional offline backups (writing down the seed phrase) remain the safest option.

MetaMask's latest login option with Google accounts is stirring strong concerns in the crypto community. While the update offers convenience, users warn that the feature may put private wallet keys at risk if hackers ever compromise cloud accounts.

The Discovery That Sparked Concerns

The alarm was raised by Cos, founder of blockchain security firm SlowMist. In a post on X, he shared that MetaMask now allows users to log in with Google and automatically sync wallet data, including imported mnemonic phrases and private keys, to the cloud. Cos admitted that the feature caught him off guard, calling it an unexpected security risk.

He explained that if a Google account is hacked, the attacker could potentially wipe out multiple wallets linked through MetaMask in one strike. His warning resonated across the crypto community, as many investors rely on MetaMask to manage their Ethereum-based assets. With billions of dollars flowing through self-custody wallets, even the smallest flaw could open doors to devastating losses.

How the System Works

MetaMask designed its new login feature for ease of use. Instead of creating a wallet from scratch, users can initialize one using Google or iCloud credentials. The wallet then encrypts the mnemonic file and backs it up in the chosen cloud service. The wallet unlock password serves as the decryption key. Users can also export and manage backups themselves.
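As an added illustration (not MetaMask's code and not part of the original article), the sketch below shows a password-encrypted mnemonic backup of the kind described above, using Node.js. The KDF (scrypt), the cipher (AES-256-GCM), the blob layout and all function names are assumptions, since the article does not say which algorithms MetaMask uses.

```javascript
// Added illustration; NOT MetaMask's code. scrypt + AES-256-GCM are assumptions.
const nodeCrypto = require('node:crypto');

const KDF = { N: 16384, r: 8, p: 1 }; // assumed scrypt cost parameters

// Derive a 256-bit key from the wallet unlock password.
function deriveKey(password, salt) {
  return nodeCrypto.scryptSync(password, salt, 32, KDF);
}

// Build the blob that would be uploaded. Every field in it is readable by
// whoever controls the cloud account; only the password is held elsewhere.
function sealBackup(mnemonic, password) {
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', deriveKey(password, salt), iv);
  const ct = Buffer.concat([cipher.update(mnemonic, 'utf8'), cipher.final()]);
  return JSON.stringify({
    salt: salt.toString('base64'),
    iv: iv.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
    ct: ct.toString('base64'),
  });
}

// Returns the mnemonic, or null when the password is wrong or the blob was altered.
function openBackup(blob, password) {
  try {
    const b = JSON.parse(blob);
    const key = deriveKey(password, Buffer.from(b.salt, 'base64'));
    const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, Buffer.from(b.iv, 'base64'));
    decipher.setAuthTag(Buffer.from(b.tag, 'base64'));
    const pt = Buffer.concat([decipher.update(Buffer.from(b.ct, 'base64')), decipher.final()]);
    return pt.toString('utf8');
  } catch {
    return null; // malformed blob or GCM authentication failure
  }
}

// Constructed sample values, not a real wallet.
const SAMPLE_MNEMONIC = 'constructed sample phrase not a real wallet seed';
const sampleBlob = sealBackup(SAMPLE_MNEMONIC, 'long unlock passphrase example');
console.log(openBackup(sampleBlob, 'long unlock passphrase example') === SAMPLE_MNEMONIC);
console.log(openBackup(sampleBlob, 'wrong password'));
```

Because the salt, IV, tag and ciphertext all sit in the uploaded blob, the unlock password is the only secret left protecting the mnemonic once the cloud account is compromised.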

On paper, this makes onboarding easier for newcomers who struggle with private key storage. Other wallet providers are also experimenting with similar methods. For example, Coinbase’s Base wallet uses Passkeys to generate and store credentials. The system saves these in iCloud Keychain by default. While this reduces friction, it also shifts security responsibilities onto tech giants like Apple and Google.

Community Reactions

The news triggered a wave of debate online. Some users pointed out that local offline backups remain the safest option, since they are not exposed to cloud hacks or phishing attempts. One user bluntly commented that relying on big tech firms for Web3 security feels counterintuitive, since decentralization was meant to reduce such dependencies. Cos responded to some of the discussions, clarifying that MetaMask's approach has nothing to do with multi-party computation (MPC).

Instead, it’s a straightforward system where the wallet ties encrypted files to cloud accounts. Others raised questions about limitations, such as whether the feature supports only Ethereum wallets or if it could extend to Bitcoin. Cos replied that the system can technically support both wallet types, but he acknowledged gaps in how the system handles staked assets like ETH.

Balancing Convenience and Security

The situation highlights an ongoing tension in crypto: balancing ease of use with true decentralization and security. For newcomers, cloud integration lowers barriers and reduces the chance of losing wallet access. But for seasoned users, the idea of storing private keys in Google or Apple’s ecosystem feels like a dangerous compromise.

Cos ended his thread with a reminder for the community: don’t skip traditional backups. Writing down seed phrases and keeping them offline may feel inconvenient, but it remains the gold standard for protecting funds. As more wallets integrate cloud logins, investors will need to weigh convenience against risk, because in crypto, the simplest shortcut can sometimes lead to the biggest losses.
