Update (Dec. 31, 12:40 pm UTC)
This article has been updated to include Tangem’s statement to Cointelegraph on the security vulnerability, the fix, and its handling of the situation.
Cryptocurrency Wallet Provider Tangem Fixes Critical Security Vulnerability
Tangem, a cryptocurrency wallet provider, has fixed a critical security vulnerability in its mobile app that collected certain users’ private keys via email. The fix came after Redditors repeatedly called out Tangem for putting investors’ funds at risk by exposing their private keys in email accounts and to Tangem employees.
Reddit Discussion Raises Concerns
On Dec. 29, a Reddit discussion on Tangem’s operations gained traction, claiming the wallet provider allowed private keys to remain in email histories. The Redditor, u/areklanga, added that Tangem had not provided a "sensible reaction" when the issue was pointed out earlier.
So, user private keys remain in both user email history, Tangem email history, and perhaps in some Tangem ticket tracking system and are available for Tangem employees. Which makes all Tangem users compromised.
They also claimed that the original Reddit post mentioning the glitch "was deleted for some reason." The situation sparked a wave of concerns among the crypto community, with many calling out Tangem for its handling of the issue.
Tangem Acknowledges and Fixes the Vulnerability
Tangem acknowledged the issue on Dec. 30 and said the incident arose from a bug in the mobile app’s log processing, which had been "fully resolved." In a statement sent to Cointelegraph, Tangem provided a breakdown of the situation:
What was the issue? When creating a wallet with a seed phrase, the private key was mistakenly logged in the application’s logs. These logs could later be accessed during interactions with our support team.
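The failure described in the statement above is secret material reaching application logs that later travel to a support team. As an added illustration (not Tangem's code and not part of the original article), this Python example scrubs key-shaped and mnemonic-shaped strings when a record is logged and re-checks a log bundle before it is attached to a ticket; the patterns, function names and sample values are assumptions constructed for the example.

```python
import io
import logging
import re

# Assumed secret shapes (heuristics, not Tangem's formats): a raw key as 64 or
# more hex characters, and a mnemonic-like run of 12 to 24 lowercase words.
HEX_KEY = re.compile(r"\b(?:0x)?[0-9a-fA-F]{64,}\b")
MNEMONIC = re.compile(r"\b(?:[a-z]{3,8} ){11,23}[a-z]{3,8}\b")

def redact(text: str) -> str:
    """Replace key-shaped and mnemonic-shaped substrings with markers."""
    text = HEX_KEY.sub("[REDACTED-KEY]", text)
    return MNEMONIC.sub("[REDACTED-MNEMONIC]", text)

class SecretRedactingFilter(logging.Filter):
    """Scrub each record before the handler formats or stores it."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())  # render args first, then scrub
        record.args = None
        return True

def unsafe_lines(bundle: str) -> list[int]:
    """Line numbers in a support bundle that still contain secret-shaped text."""
    return [n for n, line in enumerate(bundle.splitlines(), 1)
            if redact(line) != line]

def demo() -> tuple[str, list[int]]:
    """Return the filtered log output and a scan of the unfiltered copy."""
    key = "ab" * 32                        # constructed value, not a real key
    phrase = " ".join(["lorem"] * 12)      # constructed placeholder phrase
    raw = f"wallet created\nderived key={key}\nseed={phrase}\nsupport ticket opened"

    buf = io.StringIO()
    log = logging.getLogger("wallet.demo")  # hypothetical logger name
    log.handlers.clear()
    log.propagate = False
    log.setLevel(logging.INFO)
    handler = logging.StreamHandler(buf)
    handler.addFilter(SecretRedactingFilter())
    log.addHandler(handler)
    for line in raw.splitlines():
        log.info("%s", line)
    return buf.getvalue(), unsafe_lines(raw)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Pattern-based redaction is a backstop: the primary control is never passing key material to a logging call, and the bundle scan gives a second check at the point where logs leave the device.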
Affected Users and Support
According to the company’s Reddit post, the bug affected a small group of users, and they are being contacted proactively for caution and support:
It could have affected a very limited group of users: specifically, those who used a generated seed phrase, then immediately submitted a support request through the app. It does not affect any other users.
In its statement to Cointelegraph, Tangem confirmed that the vulnerability was limited to fewer than 0.1% of users under specific circumstances:
Only users who activated wallets with a seed phrase and contacted support within seven days of activation were potentially affected. Users without seed phrases or those who did not reach out to support through the app were unaffected.
Tangem emphasized that no private keys were compromised, no user funds were lost, and no unauthorized account access occurred:
No private keys were compromised, no user funds were lost, and no unauthorized account access occurred.
Tangem’s Handling of the Situation
While some crypto community members called out Tangem for downplaying the situation, the wallet provider told Cointelegraph that it had communicated directly with affected users and handled the issue transparently:
All logs and attachments sent to its support team were permanently deleted, ensuring no residual data remains.
Enhanced Security Measures
In response to the issue, Tangem has implemented several additional measures, including:
- Enhanced security protocols: To prevent similar vulnerabilities in the future.
- Proactive outreach program: To notify affected users with clear instructions and support.
- Bug bounty program: To identify vulnerabilities in exchange for rewards.
Conclusion
The incident serves as a reminder of the importance of robust security measures in cryptocurrency wallets. Tangem’s prompt response to the issue is commendable, but it also highlights the need for greater transparency and communication among wallet providers and their users.