-Private key security: The user's private key is regarded as the identity and security credential when using blockchain. Its generated and maintained by the user instead of third-party agencies. An attacker could "recover the user's private key because it does not generate enough randomness during the signature process. Since the blockchain is not dependent on any centralized third-party trusted institutions, if the user's private key is stolen, it is difficult to track the criminal's behaviors and recover the modified blockchain information.
Many security experts wonder if SHA-256, which contains the same mathematical weaknesses as its shorter, very much related SHA-1 precedent, is a concern for bitcoin and blockchain (both usually use SHA-256). The answer is not right now. SHA-256 is strong enough for the foreseeable future. More importantly, since most of the worlds financial transactions and HTTPS transactions are protected by SHA-256, when someone breaks it, well have far bigger things to worry about than just bitcoin and blockchains.
The 'security' of private keys is not only dependent on the hash function used.
The algorithm used to generate the public key from the private key is the ECDSA [1].
Nonetheless both, SHA-256 and ECDSA, are regarded as safe to use.
Up to today there hasn't been found a single SHA-256 collision.
[1]
https://en.wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_Algorithm