SecureRandom() has a bug and doesn’t generate truly secure keys.
How is it related to cryptocurrencies?
There are numerous browser-based cryptocurrency products that still use popular
Deep technical explanation.
What to do now?
Actually, there’s not much to do about it. Like all good cryptocurrency bugs, this one isn’t new at all. Here’s Greg Maxwell talking about it nearly three years ago (51:00 on):
This problem affects you if you:
- use old cryptocurrency addresses
- BitAddress pre-2013;
- bitcoinjs before 2014;
- current software that uses outdated repos from Github.
What to do:
- move your funds out of those addresses
- don’t use them again
This will reduce the risk of your keys being cracked but, in general, this information should make you stop thinking that it will take ages for modern crypto keys to get cracked. It turns out that they might be cracked in a week.
Some interesting facts: