Cryptocurrency wallet provider Tangem fixed a critical security vulnerability in its mobile app that collected certain users’ private keys via emails.
The fix came after Redditors repeatedly called out Tangem for putting investors’ funds at risk by exposing their private keys in email accounts and to Tangem employees.
On Dec. 29, a Reddit discussion on Tangem’s operations gained traction; it claimed the wallet provider allowed private keys to remain in email histories. The Redditor, u/areklanga, added that Tangem had not provided a “sensible reaction” when the issue was pointed out earlier.
“So, user private keys remain in both user email history, Tangem email history, and perhaps in some Tangem ticket tracking system and are available for Tangem employees. Which makes all Tangem users compromised.”
They also claimed that the original Reddit post mentioning the glitch “was deleted for some reason.”
Tangem issued a timely bug fix
Tangem acknowledged the issue on Dec. 30 and said the incident arose from a bug in the mobile app’s log processing, which had been “fully resolved.” Tangem also provided a breakdown of the situation:
“What was the issue? When creating a wallet with a seed phrase, the private key was mistakenly logged in the application’s logs. These logs could later be accessed during interactions with our support team.”
Tangem’s official website, which logs all version updates of its mobile application, did not mention any details of the Dec. 30 update.
Tangem also confirmed in its Reddit response that “all logs and attachments sent to its support team were permanently deleted, ensuring no residual data remains.”
Tangem accused of downplaying the situation
According to the company, the bug affected a small group of users, who are being contacted proactively for caution and support:
“It could have affected a very limited group of users: specifically, those who used a generated seed phrase, then immediately submitted a support request through the app. It does not affect any other users.”
While Tangem pushed out an update on Dec. 30 to prevent further leaks of seed phrases, some crypto community members called out the wallet provider’s muted response. Tangem did not immediately respond to Cointelegraph’s request for comment.
Tangem had not made any announcements on its social media channels, Twitter, Discord or Telegram, as of Dec. 31. However, all Tangem users are advised to immediately update their mobile applications to avoid potential seed phrase leaks.