Personal information of hundreds of thousands of Ledger users leaked to the public

In July, hardware wallet maker Ledger was attacked by hackers, which put the company’s customer data in the hands of cybercriminals.

A little later it became known that the Ledger management would not pay compensation to those affected in the incident. Now the story has received a new round: hackers have posted the stolen information in the public domain on one of the forums.

The situation is not developing very pleasantly. As the company representatives noted in the summer, the hackers did not reveal all the addresses and phone numbers of customers, but only about 9,500 of them. Now it turned out that hundreds of thousands of people have become victims of data disclosure – and this already raises questions at least to the early comments of the company’s employees.

Accordingly, now anyone can get access to the company’s user database, who most likely have a hardware wallet at their disposal.

This creates risks for the physical security of cryptocurrency owners. At the same time, the head of Ledger claims that the likelihood of this is very small. Most likely, scammers will confine themselves exclusively to sending letters – albeit not of the most pleasant content.

And they are already doing it.

Data leak from Ledger

The Raidforums posted the names, physical addresses, and phone numbers of a huge number of Ledger customers. According to preliminary estimates, this is more than a million email addresses and more than 270 thousand physical addresses of those who have ever used the company’s services and ordered devices in their city.

Forum post from user Burgulema111 with leaked Ledger databases

Haveibeenpwned has already marked more than 69 percent of email addresses as compromised since the hacker attack itself.

Representatives of Ledger are «aware» of the incident, which was announced on the official Twitter account of the company. They are still in the process of «confirming» that the published information does indeed relate to their e-commerce database, which suffered a hack in late July.

Ledger also posted an apology to their customers.

To say that we sincerely regret this situation would be a great understatement. We take privacy very seriously. Avoiding these situations is a top priority for our entire company, and we’ve learned valuable lessons from this situation that will make Ledger even more secure.

As a reminder, the hacker attack targeted the so-called Ledger e-commerce database. This means that only contact information of customers and details of orders for the products of the wallet manufacturer were in the public domain. At the same time, financial information, wallet recovery phrases, private keys, or the like are not available to hackers. Accordingly, users’ funds are not threatened until they share their 24-word seed phrase with someone. This, of course, cannot be done.

The attackers were able to gain access to the database using the now disabled API key.

As you can see, any financial information is not available to hackers, but this does not mean that in the future, affected Ledger users cannot be the next victims of cybercriminals. The company noted that the leaked contact information will be actively used in phishing attacks. Fraudsters use email addresses to send fake emails, claiming to be from Ledger, asking them to reveal their passwords, private keys, or other sensitive data. If you receive one of these letters, ignore the requirements and delete it.

Officials from Ledger or any other service will never ask you to disclose something like this. We also strongly recommend that you do not download any suspicious files or click on suspicious links.

We have already encountered several emails from scammers reporting a sudden «blockchain address blocking». To get rid of problems, they ask you to confirm your personal data by clicking on the specified link. We remind you once again that you cannot follow any links – for your own safety.

Some users are less fortunate. In particular, on Reddit they already talked about receiving a letter in which the author demands money. The latter claims that he lives in the same city, therefore, in theory, he can “come to visit”. To prevent this from happening, the scammer asks to send $ 500 to his wallet. Otherwise, he promises to use violence.

As the head of Ledger Pascal Gaultier noted the day before, the company will not compensate users for damage. Here is a quote from Decrypt.

When a data leak of this magnitude occurs for such a small company, we are not reimbursing the millions of users of all devices, because it is simply impossible. It would just kill the company. Instead, we prefer to look to the future. Ledger is now investing a lot of time and money in providing a new level of reliability and products that will provide more security for our users.

He also said that scammers with databases in their hands are unlikely toбnot drive home to hardware wallet users. According to Pascal, everything will end up exclusively with digital extortion.

This is just an online scam to scare you. This is exactly what works for attackers. In fact, arriving at someone’s home is very expensive.

The event was commented on by the representative of the Casa project Jameson Lopp.

Hacking was inevitable. In essence, information tends to be free. This is a recurring problem that you see on any platform that stores large amounts of information – and especially valuable personal identification. There is no reason to expect such things to fizzle out.

Lopp also believes that hackers can indeed physically influence cryptocurrency holders. However, to do this, they will first of all analyze the condition of individual people for the presence of apartments and expensive cars. That is, ordinary people should not wait for the criminals to arrive at their home simply because of the purchase of a ledger, Jameson said.

Lopp also believes that users should not blame the company for losing data, because they themselves shared it. If people wanted to remain anonymous, they should use parcel machines or even company addresses to receive parcels.

It’s funny enough that people are demanding their money back because of the situation. There is nothing wrong with Ledger products. As far as we know, their devices are still protected. The safety issue is related to the people who use their products. But this is a completely different problem.

We think the situation turned out to be unpleasant anyway. Still, hardly anyone wants to see their personal data in the public domain, especially if this person bought a hardware wallet for greater security of their own funds.

On the other hand, such leaks happen all the time, and besides, finding someone on the Internet, if necessary, is not difficult anyway. Therefore, now, first of all, it is worth taking care of Internet security. Again, we strongly recommend not to follow any links, keep your own 24-word seed phrase, and ignore any threats in emails.

Leave a Reply

Your email address will not be published. Required fields are marked *