TLDR
A Recovery Phrase is more than a password: it's all that is needed for full access to all of your assets and addresses. A private key is similar, but for a single address. Support staff will NEVER DM you or ask for your Recovery Phrase or private keys; only scammers will. Never share them with anyone! Always have at least one backup of them stored offline (written down on paper or durable material) and kept in a private and safe place.
Introduction
While all transactions and balances are publicly visible on the blockchain, a Recovery Phrase and private key are what allow you to actually transfer assets and use your addresses. The Phrase is the master key to all wallets and funds, while a key controls a single address. It's essential that you handle them carefully.
Keeping your Recovery Phrase secure
As long as Koala Wallet is installed and set up with your wallets, your Recovery Phrase is securely saved. Make sure it's protected with a PIN that's hard to guess.
Since phones tend to break or get lost, it's essential that you back up your Recovery Phrase. It's recommended to have an offline backup like a piece of paper or durable material. Store it in a secure and private place (or in multiple places). If you have different backups, make sure to note which Phrase belongs to which wallet. Organization is your friend. If you are going to save it electronically, make sure it's encrypted with a strong password and that the file is created in an offline environment.
Do not split the Recovery Phrase into smaller phrases or use complicated obfuscation. Extra complexity often works against you. Saving the Phrase in a screenshot or photo, text file, email, instant messaging or notes app, etc. is considered unsafe.
There's no single solution that's ideal for everyone. If you want a deep dive into all aspects of Recovery Phrase security so you can choose the best method for your specific case, read: https://blog.lopp.net/how-to-back-up-a-seed-phrase/
Keeping your Private Key secure
Private keys that are derived from a Recovery Phrase do not need to be individually backed up. As long as the Phrase itself is backed up, the keys can be derived from it. However, single private keys that are separately imported cannot be "merged" into your existing Recovery Phrase, so they must have their own backups. All security tips from this article are valid for both Phrases and keys.
What happens if I share my Recovery Phrase or private key with someone?
All assets in a wallet are mathematically linked to its Recovery Phrase. By sharing the Phrase or private key with someone, you are giving them full access to the associated assets, even if you don't share your password. Koala Wallet is a non-custodial wallet, so there are no "accounts". Your app password is a local protection against someone physically accessing your device; it cannot prevent others from sending your assets via their own app configured with your Phrase or key.
Someone got my Recovery Phrase or private key, what do I do?
If a single imported private key was compromised, you can send all funds from the key's associated address to one of your wallets that use a Recovery Phrase. If a Recovery Phrase was compromised, you should send all assets to a wallet with a new Recovery Phrase as soon as possible, before the other person has a chance to do it.
If you have a second device: 1) install Koala Wallet on the second device, 2) create a new wallet there, 3) send all assets from the compromised wallet to the new one, and 4) once you see your assets on the new device, you can wipe your compromised wallet and restore the new one on the old device.
If you don't have a second device: 1) make sure you have your current Recovery Phrase at hand, 2) wipe your current wallet and create a new one, 3) back up the new wallet's Recovery Phrase and copy your new "receive" address, 4) wipe the new wallet and restore the compromised one, 5) send your assets to the address you copied previously, and 6) wipe the old wallet again and restore the new one, where you should see the transferred assets.
In any case, you should consider the leaked Phrase unsafe and never use it again. If the cause of the Recovery Phrase leak was malware on a device, do not use that device for cryptocurrency or any other sensitive operation until you are sure the malware is removed.
You can read our guides for wiping and restoring in Koala Wallet if you don't know how to do it.