Tangem, a cryptocurrency wallet provider, has recently come under scrutiny after discovering a significant security flaw in its mobile app that inadvertently captured users’ private keys during email interactions. The issue appears to have stemmed from internal bugs that logged sensitive information, raising alarms among users concerned about the safety of their digital assets.
The vulnerability was first highlighted in a December 29 post on Reddit, where users expressed apprehension over the potential security risks associated with their private keys being stored in email histories. One user, posting under the handle “u/areklanga,” brought attention to the fact that these private keys could be accessible to Tangem employees, thereby compromising user security. “So, user private keys remain in both user email history, Tangem email history, and perhaps in some Tangem ticket tracking system,” the user expressed, illustrating the gravity of the situation.
Adding to the controversy, some users noted that the initial Reddit post detailing the glitch seemed to have been mysteriously deleted, leading to further concerns regarding Tangem’s transparency. In response to the growing outcry, users quickly reached out to Tangem’s support team to express their fears.
By December 30, Tangem acknowledged the issue, attributing it to a bug in the mobile app’s log processing functionality. The company released a statement indicating that the bug was resolved, explaining, “When creating a wallet with a seed phrase, the private key was mistakenly logged in the application’s logs. These logs could later be accessed during interactions with our support team.” Tangem reassured users that the vulnerability was limited to those who had generated a seed phrase and subsequently initiated a support request. They also noted that all logs in question had been deleted from the support team’s records.
Despite this swift acknowledgment, some members of the cryptocurrency community were critical of Tangem’s communication strategy. Users expressed frustration over the lack of a public announcement regarding the vulnerability on the company’s official social media platforms. One Reddit user lamented, “I find it frustrating how Tangem is downplaying the scope of this event,” questioning how many users might have unknowingly had their private keys written in plain text.
As of December 31, Tangem had yet to make any formal statements on their official channels concerning the security risk. To preempt any further complications, the company urged all users to update their mobile applications to the latest version, emphasizing the importance of maintaining secure practices in the rapidly evolving cryptocurrency landscape.
