Security Risks Plagued Tangem Users
Crypto wallet provider Tangem recently addressed a critical security flaw in its mobile app that inadvertently exposed users' private keys during email interactions with customer support.
The vulnerability, first brought to light in a Reddit post by user "u/areklanga" on 29 December, revealed that private keys were being stored in email histories, potentially accessible to Tangem employees.
The user stated:
“So, user private keys remain in both user email history, Tangem email history, and perhaps in some Tangem ticket tracking system and are available for Tangem employees. Which makes all Tangem users compromised.”
Following intense scrutiny from the community, Tangem acknowledged the issue on 30 December, attributing it to a bug in the app's log processing function.
The company assured users that the bug had been "fully resolved" and emphasized its limited scope, affecting only those who generated a seed phrase and immediately contacted support.
Tangem said in a statement on Reddit:
“When creating a wallet with a seed phrase, the private key was mistakenly logged in the application's logs. These logs could later be accessed during interactions with our support team.”
Tangem also confirmed that all affected logs had been deleted.
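The failure mode described in the statement above, key material written to application logs that later travel to a support desk, is commonly guarded against by scrubbing at write time and again at export time. The Python example below is an added illustration, not Tangem's code: the regex shapes, the marker strings and the names scrub, SecretScrubber, ListHandler, export_for_support and demo are all assumptions, and the sample secrets are constructed.

```python
import logging
import re

# Assumed secret shapes (heuristics, not taken from Tangem's code): a key
# printed as 64+ hex characters, and a run of 12-24 lowercase words of 3-8
# letters, the shape of an English BIP-39 seed phrase. May over-redact.
HEX_KEY = re.compile(r"\b(?:0x)?[0-9a-fA-F]{64,}\b")
WORD_RUN = re.compile(r"\b[a-z]{3,8}(?: [a-z]{3,8}){11,23}\b")

def scrub(text):
    """Replace anything shaped like key material with a fixed marker."""
    text = HEX_KEY.sub("[REDACTED-KEY]", text)
    return WORD_RUN.sub("[REDACTED-PHRASE]", text)

class SecretScrubber(logging.Filter):
    """First gate: scrub each record's formatted message before it is written."""

    def filter(self, record):
        record.msg = scrub(record.getMessage())
        record.args = None  # message is already formatted
        return True

class ListHandler(logging.Handler):
    """Stand-in for the app's log file: keeps messages in memory."""

    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(record.getMessage())

def export_for_support(lines):
    """Second gate: re-scrub at export time and report how many lines changed."""
    cleaned = [scrub(line) for line in lines]
    return cleaned, sum(a != b for a, b in zip(lines, cleaned))

def demo():
    """Log constructed sample secrets through the filter; return stored lines."""
    handler = ListHandler()
    handler.addFilter(SecretScrubber())
    log = logging.getLogger("wallet-demo")
    log.handlers, log.propagate = [handler], False
    log.setLevel(logging.INFO)
    log.info("wallet created, privkey=%s", "ab" * 32)  # constructed key
    log.info("mnemonic=%s", " ".join(["abandon"] * 11 + ["about"]))  # well-known BIP-39 test phrase
    log.info("card scan ok, firmware check passed")
    return handler.lines
```

A non-zero count from export_for_support means something slipped past the write-time filter, which is a reason to block the export and investigate rather than send the cleaned copy.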
While the swift resolution offers some reassurance, the incident has ignited broader concerns about security practices and transparency within the crypto wallet space, challenging Tangem to rebuild trust among its users.
Tangem Downplaying the Situation According to Users
Despite Tangem's swift action to resolve the security vulnerability, concerns have emerged within the crypto community about the company's approach to communication.
Critics pointed to the absence of public announcements on Tangem's official social media channels, leaving many users unaware of the issue.
ALERT: There was a security alert on the Tangem wallet, but before people lose their minds and say Tangem wallets are not secure...these are the facts.
NOTE: This issue does not affect users who created their own seed phrase and imported it during the wallet setup. This means… pic.twitter.com/HqAt1EMcmS
— 💙Grapedrop (@RealGrapedrop) January 1, 2025
One Reddit user noted:
“I find it frustrating how Tangem is downplaying the scope of this event. While they claim that only a "very small group of users" sent an email with their keys, how many users had their keys written in plain text to their phones in a log file?”
As of now, Tangem has yet to issue a formal statement on its social platforms regarding the incident.
However, they did respond to a user's comment on X (formerly known as Twitter).
Tangem has identified and promptly resolved a potential security vulnerability affecting a small percentage of wallet users. After a thorough investigation, we can confirm that no private keys were compromised, no user funds were lost, and no accounts were accessed. The issue was…
— Tangem (@Tangem) January 1, 2025
In the meantime, the company has urged users to update their mobile apps to the latest version to ensure protection against the identified risk.
The situation raises important questions about the balance between transparency and timely action in maintaining trust within the crypto space.