MetaMask’s latest login option using Google accounts has sparked strong concerns in the crypto community. The update is useful, but users warn that the feature could put private wallet keys at risk if hackers compromise their cloud accounts.
Well, that surprised me so much. I didn’t think that MetaMask, logged in with a Google account, would also sync manually imported mnemonics/private keys from other wallets… If your Google account goes down, it’s really useless. This risk is too unexpected @Metamask https://t.co/yttmgfebab pic.twitter.com/zxosovi0t9
– cos (cosine)😶🌫️ (@evilcos) October 3, 2025
Discoveries that raised concerns
The alarm was raised by Cos, the founder of blockchain security company SlowMist. In a post on X, he shared that MetaMask allows users to log in with Google and automatically syncs wallet data to the cloud. This includes imported mnemonic phrases and private keys. Cos admitted that the feature caught him off guard and called it an unexpected security risk.
He explained that if his Google account were hacked, an attacker could wipe out multiple wallets linked via MetaMask in one strike. His warnings resonated throughout the crypto community. Many investors rely on MetaMask to manage their Ethereum-based assets. With billions of dollars flowing through independent wallets, even the smallest defects can open the door to catastrophic losses.
How the system works
MetaMask designed the new login feature to make the wallet easier to use. Instead of creating a wallet from scratch, users can initialize it using Google or iCloud credentials. The wallet then encrypts the mnemonic and backs it up to the selected cloud service. The unlock password for the wallet acts as the decryption key. This allows users to export and manage backups themselves.
On paper, this makes onboarding easier for newcomers who struggle with secret key storage. Other wallet providers are experimenting with similar methods. For example, Coinbase’s Base wallet uses passkeys to generate and store credentials. The system stores these in the iCloud Keychain by default. This reduces friction. It also shifts security responsibility to tech giants such as Apple and Google.
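The backup flow described above comes down to password-based encryption, so whoever obtains the cloud copy needs only the unlock password to recover the seed. The sketch below is an added example, not MetaMask’s code and not part of the original article; the blob layout, the scrypt parameters and the function names are assumptions chosen for illustration.

```javascript
// Added illustration: NOT MetaMask's implementation.
// Blob layout, KDF parameters and names are assumptions.
const crypto = require('node:crypto');

// scrypt cost settings (assumed); maxmem raised so N = 2^15 fits.
const KDF = { N: 2 ** 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };

// Derive a 256-bit key from the wallet unlock password.
function deriveKey(password, salt) {
  return crypto.scryptSync(password.normalize('NFKC'), salt, 32, KDF);
}

// Encrypt the mnemonic. The returned object is what would sit in the cloud account.
function sealBackup(mnemonic, password) {
  const salt = crypto.randomBytes(16); // fresh per backup
  const iv = crypto.randomBytes(12);   // 96-bit nonce for AES-GCM
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(password, salt), iv);
  const ct = Buffer.concat([cipher.update(mnemonic, 'utf8'), cipher.final()]);
  return {
    v: 1,
    salt: salt.toString('base64'),
    iv: iv.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
    ct: ct.toString('base64'),
  };
}

// Decrypt a backup. Returns null if the password is wrong or the blob was altered.
function openBackup(blob, password) {
  try {
    const key = deriveKey(password, Buffer.from(blob.salt, 'base64'));
    const d = crypto.createDecipheriv('aes-256-gcm', key, Buffer.from(blob.iv, 'base64'));
    d.setAuthTag(Buffer.from(blob.tag, 'base64'));
    return Buffer.concat([d.update(Buffer.from(blob.ct, 'base64')), d.final()]).toString('utf8');
  } catch {
    return null; // GCM tag check failed
  }
}

// Constructed sample values, not a real seed phrase or password.
const SAMPLE_MNEMONIC = 'constructed sample phrase used only for this demonstration';
const SAMPLE_PASSWORD = 'constructed-unlock-password';
const blob = sealBackup(SAMPLE_MNEMONIC, SAMPLE_PASSWORD);
console.log(Object.keys(blob)); // fields stored alongside the ciphertext
console.log(openBackup(blob, SAMPLE_PASSWORD) === SAMPLE_MNEMONIC);
console.log(openBackup(blob, 'wrong password'));
```

In a design like this, the strength of the unlock password and the cost of the key derivation are the only protection left once the cloud account itself is compromised.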
Community Response
The news sparked a wave of debate online. Some users pointed out that local offline backups are still the safest option, because they are not exposed to cloud hacks or phishing attempts. One user candidly commented that relying on large tech companies for Web3 security felt counterintuitive, since decentralization is meant to reduce such dependencies. Cos responded to some of these arguments and made it clear that the MetaMask approach has nothing to do with multi-party computation (MPC).
Instead, it’s a simple system where the wallet ties encrypted files to cloud accounts. Others raised questions about its restrictions, such as whether the feature only supports Ethereum wallets or whether it can be extended to Bitcoin. Cos responded that the system could technically support both wallet types. However, he acknowledged a gap in how the system handles staked assets like ETH.
Balance of convenience and security
The situation highlights an ongoing tension in crypto: balancing true decentralization and ease of use with security. For newcomers, cloud integration lowers barriers and reduces the chances of losing wallet access. However, for veteran users, the idea of storing private keys in the Google and Apple ecosystems feels like a dangerous compromise.
Cos ended the thread with a reminder to the community: do not skip traditional backups. It may seem inconvenient to write down seed phrases and keep them offline, but it remains the gold standard for protecting funds. As more wallets integrate cloud logins, investors need to weigh convenience against risk, because in crypto the simplest shortcuts can lead to the greatest losses.


