The problem in question occurs after the security key powers up. According to Yubico, a bug keeps "some predictable content" inside the device's data buffer that could impact the randomness of the keys generated. Security keys with ECDSA signatures are in particular danger. A total of 80 of the 256 bits generated by the key remain static, meaning an attacker who gains access to several signatures could recreate the private key.

Fortunately, any affected customers will receive a replacement key. This isn't the first time a security company has issued a similar recall. Google earlier this year recalled some Titan security keys after finding a Bluetooth vulnerability.