TLDR
The Recovery Phrase is more than a password: it's all that is needed for full access to all of your assets and addresses. Support staff will NEVER DM you or ask for your Recovery Phrase; only scammers will. Never share it with anyone! Always have at least one backup of your Recovery Phrase stored offline (written down on paper or durable material) and kept in a private and safe place.
Introduction
While all transactions and balances are publicly visible on the blockchain, the Recovery Phrase is what allows you to actually transfer assets and use your addresses. It is the master key to your wallets and your funds, so it's essential that you handle it carefully.
Keeping your Recovery Phrase secure
As long as Koala Wallet is installed and set up with your wallets, your Recovery Phrase is securely saved. Make sure it's protected with a PIN that's hard to guess.
Since phones tend to break or get lost, it's essential that you back up your Recovery Phrase. It's recommended to have an offline backup like a piece of paper or durable material. Store it in a secure and private place (or in multiple places). If you have different backups, make sure to note which Phrase belongs to which wallet. Organization is your friend. If you are going to save it electronically, make sure it's encrypted with a strong password and that the file is created in an offline environment.
Do not split the Recovery Phrase into smaller phrases or use complicated obfuscation. Extra complexity often works against you. Saving the Phrase in a screenshot or photo, text file, email, instant messaging or notes app, etc. is considered unsafe.
There's no single solution that's ideal for everyone. If you want a deep dive into all aspects of Recovery Phrase security so you can choose the best method for your specific case, read: https://blog.lopp.net/how-to-back-up-a-seed-phrase/
What happens if I share my Recovery Phrase with someone?
All your wallet's assets are mathematically linked to the Recovery Phrase. By sharing it with someone, you are giving them full access to your assets even if you don't share your password. Koala Wallet is a non-custodial wallet; there are no "accounts". Your app password is a local protection against someone physically accessing your device.
Someone got my Recovery Phrase, what do I do?
You should send all assets to a wallet with a new Recovery Phrase as soon as possible, before the other person has a chance to move them.
If you have a second device: 1) install Koala Wallet on the second device, 2) create a new wallet there, 3) send all assets from the compromised wallet to the new one, and 4) once you see your assets on the new device, you can wipe your compromised wallet and restore the new one on the old device.
If you don't have a second device: 1) make sure you have your current Recovery Phrase at hand, 2) wipe your current wallet and create a new one, 3) back up the new wallet's Recovery Phrase and copy your new "receive" address, 4) wipe the new wallet and restore the compromised one, 5) send your assets to the address you copied previously, and 6) wipe the old wallet again and restore the new one, where you should see the transferred assets.
In any case, you should consider the leaked phrase unsafe and never use it again. If the cause of the Recovery Phrase leak was malware on a device, do not use that device for cryptocurrency or any other sensitive operation until you are sure the malware is removed.
You can read our guides for wiping and restoring in Koala Wallet if you don't know how to do it.