
Tangem Fixes Bug Exposing User Seed Phrases Via Email
Update (Dec. 31, 12:40 pm UTC): This article has been updated to include Tangem’s statement to Cointelegraph on the security vulnerability, the fix and its handling of the situation.
Cryptocurrency wallet provider Tangem was found to have exposed certain users’ private keys via email due to a critical security vulnerability in its mobile app. The company has since fixed the issue after Redditors repeatedly brought it to its attention.
The Security Vulnerability
On December 29, a Reddit discussion on Tangem’s operations gained traction. A Redditor named u/areklanga claimed that Tangem allowed private keys to remain in email histories, potentially compromising all Tangem users. The user also alleged that the original Reddit post mentioning the glitch was deleted for some reason.
Tangem’s Response
Tangem acknowledged the issue on December 30 and stated that it arose from a bug in the mobile app’s log processing, which had been "fully resolved." In a breakdown of the situation, Tangem explained:
"What was the issue? When creating a wallet with a seed phrase, the private key was mistakenly logged in the application’s logs. These logs could later be accessed during interactions with our support team."
The company also emphasized that the bug affected only a small group of users, specifically those who used a generated seed phrase and contacted support within seven days of activation. Users without seed phrases or those who did not reach out to support through the app were unaffected.
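The failure Tangem describes, a secret written to application logs that later travel with a support request, can be guarded against at two points: when a record is written and when logs are exported. A sketch of both in Python, added here as an illustration and not Tangem's code; the regex heuristics, the logger name and the `build_support_bundle` helper are assumptions, and the inputs are constructed (the public BIP-39 test-vector phrase and a dummy key).

```python
import logging
import re

# Heuristics assumed for this example (not Tangem's rules). BIP-39 English
# words are 3-8 lowercase letters and phrases run 12-24 words.
MNEMONIC = re.compile(r"\b(?:[a-z]{3,8}[ \t]+){11,23}[a-z]{3,8}\b")
HEX_KEY = re.compile(r"\b(?:0x)?[0-9a-fA-F]{64}\b")  # raw 256-bit key

def scrub(text):
    """Replace anything shaped like a seed phrase or private key."""
    text = MNEMONIC.sub("[REDACTED-MNEMONIC]", text)
    return HEX_KEY.sub("[REDACTED-KEY]", text)

class SecretScrubber(logging.Filter):
    """Gate 1: scrub each record before any handler persists it."""
    def filter(self, record):
        record.msg = scrub(record.getMessage())  # merge args first, then scrub
        record.args = None
        return True

class ListHandler(logging.Handler):
    """Stand-in for the on-device log file."""
    def __init__(self):
        super().__init__()
        self.lines = []
    def emit(self, record):
        self.lines.append(self.format(record))

def build_support_bundle(lines):
    """Gate 2: scrub again at the point where logs leave the device."""
    return [scrub(line) for line in lines]

# Constructed inputs: the public BIP-39 test-vector phrase and a dummy key.
TEST_PHRASE = " ".join(["abandon"] * 11 + ["about"])
TEST_KEY = "0x" + "1f" * 32

def demo():
    handler = ListHandler()
    handler.addFilter(SecretScrubber())
    log = logging.getLogger("wallet.demo")
    log.setLevel(logging.DEBUG)
    log.propagate = False
    log.handlers = [handler]
    log.debug("wallet created, mnemonic: %s", TEST_PHRASE)  # the bug class
    log.debug("derived key=%s", TEST_KEY)
    log.info("user opened support chat")
    return handler.lines

if __name__ == "__main__":
    print("\n".join(build_support_bundle(demo())))
```

Pattern-based scrubbing is a backstop that will also redact any long run of short lowercase words; the primary control is never passing key material to the logger in the first place.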
Limited Impact
According to Tangem’s statement to Cointelegraph, the vulnerability was limited to fewer than 0.1% of users under specific circumstances: only those who activated wallets with a seed phrase and contacted support within seven days of activation were potentially affected.
No Private Keys Compromised
Tangem stated that no private keys were compromised, no user funds were lost, and no unauthorized account access occurred due to the vulnerability.
Enhanced Security Measures
In response to the issue, Tangem has implemented several additional measures, including:
- Enhanced security protocols: To prevent similar vulnerabilities in the future.
- Proactive outreach program: To notify affected users with clear instructions and support.
- Bug bounty program: To identify vulnerabilities in exchange for rewards.
Handling of the Situation
While Tangem pushed out an update on December 30 to prevent further leaks of seed phrases, some crypto community members called out the wallet provider’s muted response. However, Tangem told Cointelegraph that it had communicated directly with affected users and handled the issue transparently.
Recommendations for Users
All Tangem users are advised to immediately update their mobile applications to avoid potential seed phrase leaks. This will ensure that no residual data remains and will prevent further vulnerabilities.