UNKNOWN

JUNE 2020

GLOBAL

LEDGER

DESCRIPTION OF EVENTS

"Based in France, Ledger is the largest cryptocurrency hardware wallet company." "Ledger is a hardware cryptocurrency wallet that is used to store, manage, and sell cryptocurrency. The funds held in these wallets are secured using a 24-word recovery phrase and an optional secret passphrase that only the owner knows."

 

"Ledger had allowed a marketing company (an unknown partner) access to its e-commerce and marketing database through an API."

 

“The API key misconfiguration at issue has been running since Aug 9, 2018. Based on the information we have, we believe it was discovered and exploited from April 2020 to June 28, 2020,” Ledger reported

 

"[O]n the 25th of June 2020, an unauthorized third party accessed [Ledger's] e-commerce and marketing database – used to send order confirmations and promotional emails – consisting mostly of email addresses, but with a subset including also contact and order details such as first and last name, postal address, email address and phone number."

 

"Ledger found out about the data breach on Jul. 14 during a bug bounty program." "On the 14th of July 2020, a researcher participating in our bounty program made us aware of a potential data breach on the Ledger website. We immediately fixed this breach after receiving the researcher’s report and underwent an internal investigation." "The API key has now been deactivated and is no longer accessible."

 

"A week after patching the breach, we discovered It had [already been] exploited." "Even though the company fixed the issue immediately, it was too late." "Ledger publicly revealed that customer information had been compromised. At the time, the company estimated 9,500 customers had been affected by the hack." "At the time of the incident, in July, we engaged an external security organisation to conduct a forensic review of the logs available. This review of the logs enabled us to confirm that approximately 1 million email addresses had been stolen as well as 9,532 more detailed personal information (postal addresses, name, surname and phone number) that we were able to specifically identify."

 

"On the 17th of July, we notified the CNIL, the French Data Protection Authority which ensures that data privacy law is applied to the collection, storage, and use of personal data. On the 21st of July, we partnered with Orange Cyberdefense to assess the potential damages of the data breach and identify potential data breaches."

 

Alon Gal, Co-Founder & CTO at security firm Hudson Rock said, “This leak holds major risk to the people affected by it. Individuals who purchased a Ledger tend to have high net worth in cryptocurrencies and will now be subject to both cyber harassments as well as physical harassments on a larger scale than experienced before.”

 

"[C]ybersecurity analysts believe the information was already being sold privately, starting in August 2020."

 

"Since October 2020, many Ledger users have been targeted by elaborate phishing scams seeking to gain access to their 24-word recovery phrases, which would allow hackers to then steal their cryptocurrency assets. (The 24-word recovery phrase was not compromised in the earlier data breach.)" "Ledger users have already been bombarded with phishing emails pretending to be Ledger data breach disclosures. These emails tell the user to download a new version of Ledger Live to secure their cryptocurrency assets with a new security PIN."

 

"If you're receiving this email, you're affected by the breach. We have no evidence of user wallets being affected, but it's smart to place security over convenience. In order to make sure your assets are safe, install the latest version of Ledger Live and follow the instructions to secure your wallet with a new PIN."

 

"When users download and install the fake Ledger Live app, they will be presented with prompts asking for the Ledger owner's secret recovery phrase and passphrase. This information is then sent to the attackers, who can use the recovery phrase to steal the victim's cryptocurrency assets."

 

"Ledger users’ can expect an uptick in both the number of phishing attempts and their level of complexity. At least one customer has been the target of multiple “scareware” attacks, where threat actors use the compromised information to generate shock and anxiety in their targets, as to more easily manipulate them. This user shared on social media the template of a threatening email he received, where the sender threatened physical harm to the user and his property unless a financial demand was met."

 

"On December 21st, a threat actor shared both sets of stolen information on a well-known hacker forum for free." "[I]n December 2020, a data dump “exposed 1 million email addresses and 272,000 names, mailing addresses and phone numbers belonging to people who had ordered Ledger’s devices, which store the private keys for cryptocurrency wallets,” as CoinDesk reported. The number of people affected was much higher than the original estimate of 9,500."

 

"Those [individuals at Ledger] were telling people with a target on their back in support requests that they were not affected in this breach yet they actually were. So not only they lied about the amount of leaked information, they were still lying about it even after. Reminder: bitcoin meant to increase privacy, but seems like one of the largest and 'secure' bitcoin players don't give [much care] about the way they store data."

 

"Today we were alerted to the dump of the contents of a Ledger customer database on Raidforum. We are still confirming, but early signs tell us that this indeed could be the contents of our e-commerce database from June, 2020." "The database publicly released yesterday shows that a larger subset of detailed information has been leaked, approximately 272,000 detailed information such as postal address, last name, first name and telephone number of our customers. These details are not available in the logs that we were able to analyse. Transparency in our operations and communications has always been a priority. This has not changed."

 

"On Dec. 23, 2020, Ledger was notified by Shopify of an incident “involving merchant data in which rogue member(s) of their support team obtained customer transactional records, including Ledger’s. The agent(s) illegally exported customer transactional records in April and June 2020,” according to a blog post."

 

"In conjunction with forensic firm Orange Cyberdefense, Ledger examined the 292,000 stolen data records. It found that while the database is quite similar to the personal information exposed in the previous attack, there were 20,000 new customer records compromised."

 

"The 'All Emails (Subscription).txt' text file contains the email addresses of 1,075,382 people who subscribed to the Ledger newsletter. The 'Ledger Orders (Buyers) only.txt' is more sensitive as it contains the names, mailing addresses, and phone numbers for 272,853 people who purchased a Ledger device."

 

"Matt Johnson, Ledger's new Chief Information Security Officer (CISO), had no choice but to hit the ground not just running but, well, sprinting. His first week of work entailed scrutinizing the fallout from an extensive data dump of customer information, among other areas such as data security and increased attacks that would come as a byproduct of bitcoin pumping."

 

"First and foremost, in a blog post, Ledger reiterated the company will never ask customers for their 24 recovery words, which can be used to access bitcoin and crypto wallets. They also stressed that as long as customers had not shared these words, their Ledger hardware devices were secure."

 

"As the leak’s breadth is becoming better known, affected clients are now reporting ransom threats via email. As Decrypt reported, an attacker has identified one client by their crypto holdings and home address. The threat demands the victim pay them $500 or face physical violence."

 

"Hello [name], I have recently became aware of your Cryptocurrency holdings, I also live in [city] and I also know you live at [address]. I'm not afraid to invade your home, I don't want to make this any harder than it has to be."

 

"I'm offering you $500 (shouldn't be much to you considering the recent pump) to leave you alone. If not, I'm not afraid to show up when you least expect it and see how my wrench works against your face, or maybe even wait for you to leave your home and take your belongings whilst you're not there to call the police. I'll be waiting for the money, and watching you until then."

 

“Even though it’s a possibility and we don’t deny it’s a possibility, it’s not the highest possibility that this will happen. The database has been out since June and no-one has [ever] reported any attack of this sort.”

 

"Many people who have had their stolen have received legit-looking emails asking them to download a new version of the Ledger software."

 

“We are announcing changes in the way Ledger will collect and handle customer data: keeping personal data for as short a time as legally possible, minimizing the display of personal data in emails, moving needed data in a further segregated environment as soon as possible, and creating a secure channel for communicating 1:1 with our customers via Ledger Live,” the authors, including new CISO Matt Johnson, wrote.

 

"In the aftermath of the largest hack in company history, and a little over a week after Johnson started, the hardware wallet company Ledger has announced its first measures to address the data breach and ensure such a hack doesn’t happen again."

 

"These include working with blockchain analytics firm Chainalysis to hunt the hackers, offering a 10 bitcoin (BTC, +4.49%) bounty for information leading to the hacker’s arrest and creating a comprehensive review of what information the company holds onto, where it’s stored and how long it’s retained."

 

"We are extremely regretful for this incident. We take privacy very seriously, we discovered this issue thanks to our own bug bounty program, we fixed it immediately. But regardless of all what we did to avoid and fix this situation, we sincerely apologize for the inconvenience that this matter may cause you."

 

"Ledger’s CEO recently said that the company has no intention of reimbursing customers who have been impacted by the data breach."

 

"To put things in perspective and not to undermine our responsibility, it has become clear that we have entered an era in which cyberattacks will occur more and more; they have been at an all time high in 2020 (World’s Biggest Data Breaches & Hacks — Information is Beautiful). It is a growing global problem we are all facing with digital acceleration. Investing in the future of security has become more necessary and urgent than ever. That’s precisely Ledger’s mission: we continuously invest to improve security standards. That’s also why we won’t be refunding customers like some have suggested – instead, the best and most sincere thing we can offer is our dedication to being better and making these investments to continuously upgrade the security of the products we make available for you."

Ledger is one of the leading hardware wallet manufacturers in the world, based in France. On June 2020, a significant portion of their customer base private information was breached, including home addresses, phone numbers, and emails. This information was sold online and later published for free. Affected users have been targeted with multiple phishing attacks, extortion threats, and even fake wallets. No effort has been made to recover funds for affected users who may have fallen victim to these attacks that we could find, although much effort was made to increase education.

HOW COULD THIS HAVE BEEN PREVENTED?

Never respond to an email or communication received from a company without first verifying it with them through their official channels. Always exercise extreme caution when handling the seed phrase of a wallet. Use a separate wallet with a small balance only for any new setups. Keep the majority of funds offline and don't interact with that wallet except to withdraw them. Set up a multi-sig wallet if possible.

 

Check Our Framework For Safe Secure Exchange Platforms

CoinMarketCap: No Breach Despite 3.1M Email Address Leak (Jan 25)
3 Million CoinMarketCap Email Addresses Have Leaked - Crypto Briefing (Jan 26)
Ledger Breach Vastly Underestimated, 270,000 Clients Data Leaked - Crypto Briefing (Jan 30)
Ledger Adds Bitcoin Bounty and New Data Security After Hack - CoinDesk (Jan 31)
Ledger Cryptocurrency Wallet Data Breach Investigation | Migliaccio & Rathod LLP (Jan 31)
Addressing the July 2020 e-commerce and marketing data breach -- A Message From Ledger’s Leadership | Ledger (Jan 31)
Bug Bounty Program | Donjon (Jan 31)
@Ledger Twitter (Jan 31)
@btcriku Twitter (Jan 31)
Ledger Won’t Reimburse Users After Major Data Hack - Decrypt (Jan 31)
How to Handle the Ledger Hack & Data Breach - Naray Law (Jan 31)
Message by LEDGER’s CEO - Update on the July data breach. Despite the leak, your crypto assets are safe. | Ledger (Jan 31)
Ledger Faces Class-Action Lawsuit for 2020 Data Breach (Jan 31)
Physical addresses of 270K Ledger owners leaked on hacker forum (Jan 31)
After Ledger Hack, Who Can You Trust For Bitcoin Storage? (Jan 31)
6 Ways to Face the Data Breach | Ledger (Jan 31)
Ledger Hack: Who is Ledger? What Happened? Does the Ledger data breach affect everyone? - YouTube (Jan 31)
Ledger Hack: Am I Affected? Find Out if YOU or a Friend are Affected by the Ledger Data Breach - YouTube (Jan 31)
https://www.cryptovantage.com/news/is-ledger-still-safe-everything-we-learned-from-last-years-hack/ (Jan 31)
Class action lawsuit filed against crypto wallet firm Ledger, Shopify over 2020 customer data breach (Jan 31)
Ledger customers exposed as personal data is leaked (Jan 31)
Fake data breach alerts used to steal Ledger cryptocurrency wallets (Jan 31)
Ledger Live : Most trusted & secure crypto wallet | Ledger (Feb 13)
Ledger Customers Targeted by ‘Convincing’ Phishing Attack - CoinDesk (Feb 27)
Incident Update - Shopify Community  (Feb 27)
Update: Efforts to Protect Your Data and Prosecute The Scammers | Ledger (Feb 27)
Ledger data leak: A ‘simple mistake’ exposed 270K crypto wallet buyers (Feb 27)
Ledger Hack Victim Scam Details - Bitcoin Magazine: Bitcoin News, Articles, Charts, and Guides (Jan 31)
Life as a “Ledger” Wallet Data Breach Victim (Feb 27)
@ledger Twitter (Feb 27)
Threat Actors Target Ledger Data Breach Victims in New Extortion Campaign (Feb 27)
Ledger, Shopify Hit with Consumer Complaint After Data Breach - Tech (Feb 27)
Did Ledger leak my data? Have I been hacked? (Feb 27)
@lopp Twitter (Feb 27)
Ledger Suffers Data Breach, Hardware Wallets Not at Risk - Crypto Briefing (Feb 27)
@UnderTheBreach Twitter (Feb 27)
Bitcoin Wallet Provider Ledger Compromised Again by Malicious Phishing Attack - Crypto Briefing (Feb 27)
Users Face Home Invasion Threats, Ledger CEO Unfazed - CoinQuora (Mar 20)
Ledger Customers Are Being Mailed Fake Wallets to Steal Their Private Seeds – Bitcoin News (May 30)
https://blog.coinbase.com/coinbase-security-tips-319f7dbcc660 (Jul 2)
Ledger, Shopify Hit with Class Action Over ‘Massive’ 2020 Data Breach (Jul 19)
https://news.bloomberglaw.com/privacy-and-data-security/ledger-shopify-beat-data-breach-class-suit-due-to-home-bases (Jul 19)
Shopify Security Breach Exposes More Ledger Customers' Sensitive Data (Jul 19)
@Ledger Twitter (Jul 19)
throwaway0918287 comments on How to hack an exchange account (Oct 12)
Thank you, Ledger, for exposing 69 of my accounts. Stupid f**s : ledgerwallet (Oct 13)
Advice to future buyers : ledgerwallet (Oct 13)
If it's an inside job then... : ledgerwalletleak (Oct 13)
Shipping or residency address? : ledgerwallet (Oct 13)

Sources And Further Reading

 For questions or enquiries, email info@quadrigainitiative.com.

Get Social

  • email
  • reddit
  • telegram
  • Twitter

© 2021 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.