Ledger has acknowledged that hackers also gained access to 9500 Phone numbers among other data.
In the world of cryptocurrencies, we have different types of wallets including hardware, desktop, mobile, and web ones. While the latter 3 can be grouped into the software category, the foremost hardware one is unique in that it requires a standalone device that functions as a wallet.
One vendor offering these happens to be Ledger – quite famous in the crypto world and trusted as well. However, as with even the most secure and responsible for companies, data breaches are only a matter of time.
Such was the fate of Ledger too when recently the company has disclosed that it suffered a hack of which it was alerted on 14 July 2020 by a researcher through their bug bounty program.
Despite them immediately taking action and patching the flaw in a short period of time, only a few weeks later on the 25th of July, they found out it had been “further exploited” by the attackers.
The data gained access by attackers includes their e-commerce and marketing database which naturally due to its nature of order confirmations and marketing emails revealed the following records:
- Email addresses – 1 million
- Full names – 9500
- Postal addresses – 9500
- Phone numbers – 9500
- Ordered products – 9500
Elaborating on their response, Ledger stated in a blog post that,
On the 17th of July, we notified the CNIL, the French Data Protection Authority which ensures that data privacy law is applied to the collection, storage, and use of personal data. On the 21st of July, we partnered with Orange Cyberdefense to assess the potential damages of the data breach and identify potential data breaches.
Delving into the details, the team elaborated on how the threat actors were successful due to unauthorized access to an API key. Currently, the key has been disabled but it remains to see how the company implements further measures to prevent such a disclosure in the future.
We take privacy very seriously. Regardless of all we did to avoid and fix this situation, we sincerely apologize for the inconvenience that this matter may cause you.
— Ledger (@Ledger) July 29, 2020
To conclude, this is not the first time that Ledger has been involved in such an incident. The good thing nonetheless is that no payment information and credentials were leaked so the money of all users is safe. Ledger users affected by the breach have also been informed in a timely fashion.
On the other hand, a suggestion for all users of the hardware wallet is to understand that under no circumstances will Ledger or for the matter any cryptocurrency wallet developer will ask you for your secret key or recovery phrase. Therefore, if someone claiming to be from the company does so, they’re a fraud you should be running away from.