Tangem has identified and promptly resolved a potential security vulnerability affecting a small percentage of wallet users. After a thorough investigation, we can confirm that no private keys were compromised, no user funds were lost, and no accounts were accessed. The issue was identified proactively, and only a very small group of users—fewer than 0.1%—could be potentially impacted under very specific circumstances.
What was the issue?
When activating a wallet with a seed phrase—by generating or importing one—the private key was mistakenly logged in the mobile app's logs. These logs could later be accessed during interactions with our support team.
Who could be potentially affected by this issue?
This issue applies to users who:
- Activated a wallet using a seed phrase, AND
- Contacted our support team through the app within 7 days of activation.
Only a combination of these two scenarios could create a vulnerability. If you generated or imported a seed phrase but did not email support directly from the app within the 7-day log storage period, you could not be affected.
Who is NOT affected?
The majority of Tangem users were not impacted by this issue, including:
- Users who activated the wallet WITHOUT a seed phrase: If you activated your wallet without a seed phrase (seedless), your private keys were generated on the card's chip, and this issue does not affect you in any way. Because of this seedless setup, private keys are not generated on the mobile app and, therefore, cannot be logged.
- Users who did not contact support through the app: Whether your wallet uses a seed phrase or is seedless, you have nothing to worry about if you didn’t contact Tangem support via the app. Moreover, all logs were securely stored for a short time and erased soon after.
Why did this issue arise?
We introduced an advanced NFC logging mechanism to improve app performance on certain devices. However, this mechanism contained a bug that was not detected during initial code reviews or testing.
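A guard against this class of bug, shown as an added example (not Tangem's code): a scrubber that redacts key-sized, high-entropy hex runs from log lines before they are stored or attached to a support request. The same function can be called from a test that fails when the redaction count is non-zero. It assumes key material appears hex-encoded; the function names, the entropy threshold and the sample log layout are hypothetical.

```python
import math
import re
from collections import Counter

# A 32-byte private key is 64 hex characters; match runs at least that long.
HEX_RUN = re.compile(r"[0-9A-Fa-f]{64,}")


def bits_per_char(s: str) -> float:
    """Shannon entropy of the characters in s (at most 4.0 for hex)."""
    counts = Counter(s.lower())
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def scrub_line(line: str, min_entropy: float = 3.0):
    """Return (scrubbed_line, redaction_count) for one log line."""
    hits = 0

    def replace(match):
        nonlocal hits
        run = match.group()
        # Zero blocks and padding have low entropy; keep them so logs stay useful.
        if bits_per_char(run) < min_entropy:
            return run
        hits += 1
        return f"<redacted {len(run) // 2} bytes>"

    return HEX_RUN.sub(replace, line), hits


def scrub_log(lines):
    """Scrub every line; a CI test can also assert the count is zero."""
    cleaned, total = [], 0
    for line in lines:
        new_line, hits = scrub_line(line)
        cleaned.append(new_line)
        total += hits
    return cleaned, total


# Constructed sample lines; the layout is hypothetical, not Tangem's log format.
FAKE_KEY = "c3a1f09e5d7b2486" * 4  # 64 hex chars, made up for this example
SAMPLE_LOG = [
    "12:00:01 nfc tx 00a4040000",
    "12:00:02 nfc tx data " + FAKE_KEY,
    "12:00:03 nfc rx " + "00" * 32,
]

if __name__ == "__main__":
    cleaned, total = scrub_log(SAMPLE_LOG)
    print(total, *cleaned, sep="\n")
```

A pattern filter like this is a backstop: the primary control is never passing secret buffers to a logging call in the first place.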
How Tangem resolved this issue
We took the following steps to get this fixed:
- Bug fixed: The bug was identified and fixed promptly in the latest app versions on the App Store (version 5.19.1) and Google Play (version 5.19.2). These versions are secure, and private data is no longer logged under any circumstances.
- Logs and info deleted: All logs and attachments sent to our support team have been permanently erased, ensuring no residual data remains.
- Notifying users: An in-app notification will alert all users who activated the wallet with a seed phrase, asking them if they emailed support via the mobile app within 7 days of wallet activation. Those who reply affirmatively will have to follow the recommendations outlined in this post.
  Important: Tangem employees will never DM you first on Telegram or other social media platforms.
- Improved security measures: We have implemented additional safeguards and protocols to prevent similar issues in the future.
What should you do if you were affected?
We strongly recommend taking the following steps to ensure maximum security:
- Update the Tangem app to the latest version.
- Transfer your funds out of the affected Tangem Wallet.
- Reset the wallet to factory settings.
- Reactivate the wallet without a seed phrase or create a new seed phrase.
- Transfer your funds back to your newly activated Tangem Wallet.
Bug Bounty program
Tangem runs a bug bounty program to bolster our security efforts. This initiative invites security researchers, ethical hackers, and the wider community to identify vulnerabilities in our systems. We believe that collaborative security efforts are essential to maintaining user trust.
Participants who identify valid vulnerabilities will be eligible for rewards, ensuring that potential risks are mitigated before they can impact users.
Learn more about the bug bounty program.
Final
This incident has no victims—no private keys were compromised, no funds were lost, and no unauthorized access occurred. The potential vulnerability required a specific set of circumstances that applied to a very small number of Tangem users. Moving forward, we remain focused on providing the most secure and user-friendly cold wallet experience.
FAQ
How did the Tangem app create logs?
Logs are generated and sent only when the user manually contacts support through the mobile app. All logs are attached as files that the user can review before sending. App logs have never been automatically generated or transmitted to Tangem.
Has Tangem deleted all log files?
Yes, and we have taken all possible measures to ensure all users are safe.
What if I had a seedless wallet?
You have nothing to worry about. This issue does not impact users who activated their Tangem Wallet without a seed phrase.
How do I know if my wallet was activated with a seed phrase?
Open the Tangem mobile app and check the wallet information bar. Wallets activated with a seed phrase have "Seed phrase" inscribed after the number of devices.
How do I know if I was affected?
If you activated your Tangem wallet using a seed phrase and contacted Tangem support through the app within 7 days of activation, you might be affected.
Please check your email history—including drafts—with Tangem Support to verify the dates of your communication in relation to when you activated your wallet with a seed phrase.