The private key used to sign EU Digital Covid certificates has been reportedly leaked and is being circulated on messaging apps and online data breach marketplaces.
This week, users reported seeing the private key for EU Digital Covid certificates circulating on messaging apps, like Telegram.
Threat actors who can get their hands on the private key could easily forge digital certificates or QR codes that may then be recognized as ‘legitimate’ by the official government apps.
“We are aware of alleged fraudulent manipulations of EU Covid Certificate QR code and have seen the reports,” an EU spokesperson told BleepingComputer.
Should this be the case, the private key would need to be revoked by the government authorities for the entire EU, thereby invalidating both forged and legitimate COVID certificates.
By the time the situation is resolved and the private keys are reset, holders of legitimate EU Digital Covid certificates will very likely need to generate fresh Green Passes.