Tangem Addresses Security Flaw After Community Backlash

Tangem, a crypto wallet provider, recently identified a significant security risk in its mobile app that inadvertently collected users’ private keys during email interactions.

This fix followed repeated warnings from members who expressed concerns about the potential security risks. They indicated that users’ private keys were collected via email interactions within the Tangem mobile app.

Tangem Users Face Critical Security Risks

On December 29, a discussion on Reddit highlighted a potential security vulnerability in Tangem’s wallet. Users revealed that private keys were being stored in email histories, potentially exposing them to Tangem employees.

A Reddit user known as “u/areklanga” exposed the vulnerability in a forum, sparking community concern.

“So, user private keys remain in both user email history, Tangem email history, and perhaps in some Tangem ticket tracking system and are available for Tangen employees. Which makes all Tangem users compromised,” the user said.

Users also noted that the original Reddit post detailing the glitch was mysteriously deleted, raising suspicions about Tangem’s initial response. As soon as these concerns were validated, users flooded Tangem employees and support via email.

Meanwhile, on December 30, Tangem acknowledged the issue and attributed it to a bug within the mobile app’s log processing function. They issued a statement confirming that they “fully resolved” the bug.

“When creating a wallet with a seed phrase, the private key was mistakenly logged in the application’s logs. These logs could later be accessed during interactions with our support team,” Tangem said in a statement on Reddit.

Tangem clarified that the bug had a limited impact. It affected only users who generated a seed phrase and immediately made a support request. It added that Tangem deleted all of the logs received by the support team. 

Users Accuse Tangem of Downplaying Situation

While Tangem promptly addressed the vulnerability, some members of the crypto community expressed concerns about the company’s communication strategy. Specifically, they criticized the lack of public announcements regarding the vulnerability on Tangem’s official social media platforms.

“I find it frustrating how Tangem is downplaying the scope of this event. While they claim that only a “very small group of users” sent an email with their keys, how many users had their keys written in plain text to their phones in a log file?” said one Reddit user.

At the time of publication on December 31, Tangem had not yet made any official announcements regarding the security risk on its social media channels.

Tangem advised all users to immediately update their mobile applications to the latest version to mitigate potential risks associated with the vulnerability.