DESCRIPTION OF EVENTS
"Based in France, Ledger is the largest cryptocurrency hardware wallet company." "Ledger is a hardware cryptocurrency wallet that is used to store, manage, and sell cryptocurrency. The funds held in these wallets are secured using a 24-word recovery phrase and an optional secret passphrase that only the owner knows."
"Ledger offers two products, the Nano S and Nano X, that can store the digital keys used to secure crypto wallets. The devices can be used with a variety of cryptocurrencies, are compatible with numerous apps, and are supposed to offer a safe way to manage crypto without compromising too much on convenience. Ledger says on its website that it has sold 1.5 million products to customers in 165 countries to date."
"Ledger had allowed a marketing company (an unknown partner) access to its e-commerce and marketing database through an API."
“The API key misconfiguration at issue has been running since Aug 9, 2018. Based on the information we have, we believe it was discovered and exploited from April 2020 to June 28, 2020,” Ledger reported.
"[O]n the 25th of June 2020, an unauthorized third party accessed [Ledger's] e-commerce and marketing database – used to send order confirmations and promotional emails – consisting mostly of email addresses, but with a subset including also contact and order details such as first and last name, postal address, email address and phone number."
"Ledger found out about the data breach on Jul. 14 during a bug bounty program." "On the 14th of July 2020, a researcher participating in our bounty program made us aware of a potential data breach on the Ledger website. We immediately fixed this breach after receiving the researcher’s report and underwent an internal investigation." "The API key has now been deactivated and is no longer accessible."
"A week after patching the breach, we discovered it had [already been] exploited." "Even though the company fixed the issue immediately, it was too late." "Ledger publicly revealed that customer information had been compromised. At the time, the company estimated 9,500 customers had been affected by the hack." "At the time of the incident, in July, we engaged an external security organisation to conduct a forensic review of the logs available. This review of the logs enabled us to confirm that approximately 1 million email addresses had been stolen as well as 9,532 more detailed personal information (postal addresses, name, surname and phone number) that we were able to specifically identify."
"On the 17th of July, we notified the CNIL, the French Data Protection Authority which ensures that data privacy law is applied to the collection, storage, and use of personal data. On the 21st of July, we partnered with Orange Cyberdefense to assess the potential damages of the data breach and identify potential data breaches."
Alon Gal, Co-Founder & CTO at security firm Hudson Rock said, “This leak holds major risk to the people affected by it. Individuals who purchased a Ledger tend to have high net worth in cryptocurrencies and will now be subject to both cyber harassments as well as physical harassments on a larger scale than experienced before.”
"[C]ybersecurity analysts believe the information was already being sold privately, starting in August 2020."
"Since October 2020, many Ledger users have been targeted by elaborate phishing scams seeking to gain access to their 24-word recovery phrases, which would allow hackers to then steal their cryptocurrency assets. (The 24-word recovery phrase was not compromised in the earlier data breach.)"
"Those [individuals at Ledger] were telling people with a target on their back in support requests that they were not affected in this breach, yet they actually were. So not only did they lie about the amount of leaked information, they were still lying about it even after. Reminder: bitcoin [was] meant to increase privacy, but it seems like one of the largest and 'secure' bitcoin players doesn't give [much care] about the way they store data."
"Today we were alerted to the dump of the contents of a Ledger customer database on Raidforum. We are still confirming, but early signs tell us that this indeed could be the contents of our e-commerce database from June, 2020." "The database publicly released yesterday shows that a larger subset of detailed information has been leaked, approximately 272,000 detailed information such as postal address, last name, first name and telephone number of our customers. These details are not available in the logs that we were able to analyse. Transparency in our operations and communications has always been a priority. This has not changed."
"On Dec. 23, 2020, Ledger was notified by Shopify of an incident “involving merchant data in which rogue member(s) of their support team obtained customer transactional records, including Ledger’s. The agent(s) illegally exported customer transactional records in April and June 2020,” according to a blog post."
"In conjunction with forensic firm Orange Cyberdefense, Ledger examined the 292,000 stolen data records. It found that while the database is quite similar to the personal information exposed in the previous attack, there were 20,000 new customer records compromised."
"The 'All Emails (Subscription).txt' text file contains the email addresses of 1,075,382 people who subscribed to the Ledger newsletter. The 'Ledger Orders (Buyers) only.txt' is more sensitive as it contains the names, mailing addresses, and phone numbers for 272,853 people who purchased a Ledger device."
"First appearing in May, the scammers [started mailing] packages that contained a fake Ledger Nano wallet to the homes of Ledger users. They soldered a flash drive onto the interior of the fake wallet, and the packages also included a sealed bag with Ledger’s logo on it, and even shrink-wrapped the box itself, to appear as if it were never opened."
"A flash drive with a fake Ledger app is connected to the circuit board, and instructions enclosed with the device tell the recipient to plug in the wallet and run the malicious file. To initialize the device, the user is then asked for their 24-word recovery phrase." "That phrase could then be used to generate the wallet’s private keys, letting the scammer import a wallet and gain access to the funds."
In a Ledger blog post Thursday explaining the scam, the company said the box includes a fake letter explaining the “need to replace your existing hardware wallet to secure your funds. This is a scam. The Ledger Nano is fake.”
"A fake letter claiming to be signed by the CEO of Ledger is sent to a Ledger user along with a faulty Ledger device in its box, as if it were new. In the fake letter, it is stated that you need to change your device to secure your funds. You are asked to initialize the device sent with the letter and to follow the user guide in the box."
"The fake user guide in the Nano's box asks the user to connect the device to a computer. To initialize the device, the user is then asked to enter his 24 words in a fake Ledger Live application."
"This is a scam. The Ledger Nano is faulty and the user guide is a fake." "Do not connect the device to your computer and never share your 24 words. Ledger will never ask you to share your 24-word recovery phrase."
“We are aware of this scam, which we have included in our list of ongoing malicious attacks listed on our website,” Ledger Chief Information Security Officer Matt Johnson told CoinDesk in an email. “You should be suspicious of receiving a free product in the mail that you didn’t order and check Ledger’s official channels or contact Ledger support team.”
Using customer data leaked in the June 2020 breach, scammers mailed fake hardware wallets to Ledger customers. Each package carried fake software for the recipient to install, which captured the 24-word recovery phrase when the recipient "set up" the device. Ledger first reported fake hardware wallets being mailed to its customers on May 10th, 2021, more than a month before other news outlets or journalists began reporting on the matter. It is unknown what funds were lost, and affected users have very limited recourse to recover them.
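As an added example (not code from the original write-up, and not Ledger's or any scammer's code), the Python below implements the two public, deterministic steps behind the quoted claim that the recovery phrase "could then be used to generate the wallet's private keys": the BIP39 words-to-seed function (PBKDF2-HMAC-SHA512, 2048 rounds, salt "mnemonic" + passphrase) and the BIP32 seed-to-master-key function (HMAC-SHA512 keyed with "Bitcoin seed"), using only the standard library. The constructed input is the first test vector from the BIP39 specification (a 12-word phrase with the spec's test passphrase "TREZOR"; the steps are identical for a 24-word phrase). It also shows why the "optional secret passphrase" mentioned above yields a different wallet from the words alone.

```python
# Added example for this write-up (not code from the original page or from Ledger):
# what anyone can do once a victim types the recovery words into a fake app.
#   BIP39  words (+ optional passphrase) -> 64-byte seed   (PBKDF2-HMAC-SHA512)
#   BIP32  seed -> master private key + chain code          (HMAC-SHA512)
# Standard library only: no hardware or secure element is involved, which is the point.
import hashlib
import hmac
import unicodedata
from typing import Tuple

BIP39_PBKDF2_ROUNDS = 2048          # fixed by the BIP39 spec
BIP39_SALT_PREFIX = "mnemonic"      # salt is the literal "mnemonic" + passphrase
BIP32_MASTER_HMAC_KEY = b"Bitcoin seed"

# Constructed input: the BIP39 specification's first test vector (12 words, all-zero
# entropy). The derivation below is identical for a 24-word phrase.
TEST_MNEMONIC = ("abandon abandon abandon abandon abandon abandon "
                 "abandon abandon abandon abandon abandon about")


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 step: recovery words (+ optional passphrase) -> 64-byte seed.

    Words are NFKD-normalised and whitespace-collapsed; the salt is
    "mnemonic" + passphrase. The 2048 PBKDF2 rounds slow brute force of weak
    passphrases; they are not a secret, so anyone holding the words can run this.
    (The BIP39 word checksum is not validated here; that needs the wordlist.)
    """
    words = unicodedata.normalize("NFKD", " ".join(mnemonic.split()))
    salt = unicodedata.normalize("NFKD", BIP39_SALT_PREFIX + passphrase)
    return hashlib.pbkdf2_hmac("sha512", words.encode("utf-8"),
                               salt.encode("utf-8"), BIP39_PBKDF2_ROUNDS, dklen=64)


def seed_to_master_key(seed: bytes) -> Tuple[bytes, bytes]:
    """BIP32 step: seed -> (master private key, chain code).

    I = HMAC-SHA512(key="Bitcoin seed", data=seed); the left half is the master
    private key, the right half the chain code from which every account and
    address key is derived. BIP32's astronomically rare "invalid key" case
    (left half zero or >= the curve order) is not checked here.
    """
    digest = hmac.new(BIP32_MASTER_HMAC_KEY, seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def master_key_hex(mnemonic: str, passphrase: str = "") -> str:
    """Full chain: words -> seed -> master private key, as hex."""
    return seed_to_master_key(mnemonic_to_seed(mnemonic, passphrase))[0].hex()


def passphrase_changes_wallet(mnemonic: str, passphrase: str) -> bool:
    """True if adding the passphrase yields a different wallet than the words alone.

    This is why the optional passphrase matters: a phished recovery phrase
    without it opens a different (normally empty) wallet. It helps only if the
    victim does not also type the passphrase into the same fake app.
    """
    return master_key_hex(mnemonic, "") != master_key_hex(mnemonic, passphrase)


if __name__ == "__main__":
    seed = mnemonic_to_seed(TEST_MNEMONIC, "TREZOR")
    print("seed                    :", seed.hex())
    print("master private key      :", master_key_hex(TEST_MNEMONIC, "TREZOR"))
    print("passphrase alters wallet:", passphrase_changes_wallet(TEST_MNEMONIC, "TREZOR"))
```

Run it directly to see the seed for the spec's test vector; the seed hex matches the value published in the BIP39 specification, which is the practical demonstration that the phrase, once disclosed, is sufficient on its own. Nothing about the derivation is tied to a Ledger device, so no later firmware update or device revocation can undo a phrase that has been typed into a fake application.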
HOW COULD THIS HAVE BEEN PREVENTED?
Users should always check any wallet they receive against official sources. Look for news and updates on the vendor's official website, or contact the vendor if you are uncertain. As Ledger itself states, it will never ask for the 24-word recovery phrase, so any device, application, letter or support request that does is a scam, whatever packaging or signature it carries.
Platforms need to maintain proactive communication with their users. Ledger likely could have done more to reach affected users directly by email, or to seek media coverage, in order to warn them. Better education material could also be provided to customers as part of the purchase experience. Ledger also needs to ensure that its website is responsive: for example, the method for reporting new phishing attacks did not appear to work when tested.
Ledger Hack Victim Scam Details - Bitcoin Magazine: Bitcoin News, Articles, Charts, and Guides (Jan 31)
CoinMarketCap: No Breach Despite 3.1M Email Address Leak (Jan 25)
3 Million CoinMarketCap Email Addresses Have Leaked - Crypto Briefing (Jan 26)
Ledger Breach Vastly Underestimated, 270,000 Clients Data Leaked - Crypto Briefing (Jan 30)
Ledger Adds Bitcoin Bounty and New Data Security After Hack - CoinDesk (Jan 31)
Ledger Cryptocurrency Wallet Data Breach Investigation | Migliaccio & Rathod LLP (Jan 31)
Ledger Live: Most trusted & secure crypto wallet | Ledger (Feb 13)
Ledger Customers Targeted by ‘Convincing’ Phishing Attack - CoinDesk (Feb 27)
Update: Efforts to Protect Your Data and Prosecute The Scammers | Ledger (Feb 27)
Ledger data leak: A ‘simple mistake’ exposed 270K crypto wallet buyers (Feb 27)
6 Ways to Face the Data Breach | Ledger (Jan 31)
After Ledger Hack, Who Can You Trust For Bitcoin Storage? (Jan 31)
Life as a “Ledger” Wallet Data Breach Victim (Feb 27)
@ledger Twitter (Feb 27)
Ledger, Shopify Hit with Consumer Complaint After Data Breach - Tech (Feb 27)
Ledger Won’t Reimburse Users After Major Data Hack - Decrypt (Jan 31)
Cybercrooks Are Mailing Users Fake Ledger Devices To Steal Their Cryptocurrency (Mar 6)
Scammers Are Sending Ledger Users Fake Hardware Wallets (Mar 6)
Scammers mail out fake hardware wallets to victims of Ledger data breach (Mar 6)
Scam alert: Ledger users receive fake hardware wallets - Cointribune (Mar 6)
https://www.ledger.com/wp-content/uploads/2021/05/phishing-updated.jpg (Mar 6)
Criminals are mailing altered Ledger devices to steal cryptocurrency (Mar 6)
Scammers Are Using Fake Devices to Steal Cryptocurrency Wallets | PCMag (Mar 6)
https://www.itp.net/security/98374-victims-of-ledger-hack-receive-fake-hardware-wallets (Mar 6)
Fake Ledger devices mailed out in attempt to steal from cryptocurrency fans (Mar 6)
Scammers Are Sending Ledger Users Fake Hardware Wallets - CoinDesk (Mar 6)
Addressing the July 2020 e-commerce and marketing data breach -- A Message From Ledger’s Leadership | Ledger (Jan 31)
Bug Bounty Program | Donjon (Jan 31)
@Ledger Twitter (Jan 31)
@btcriku Twitter (Jan 31)
How to Handle the Ledger Hack & Data Breach - Naray Law (Jan 31)
Message by LEDGER’s CEO - Update on the July data breach. Despite the leak, your crypto assets are safe. | Ledger (Jan 31)
Ledger Faces Class-Action Lawsuit for 2020 Data Breach (Jan 31)
Physical addresses of 270K Ledger owners leaked on hacker forum (Jan 31)
Ledger Hack: Who is Ledger? What Happened? Does the Ledger data breach affect everyone? - YouTube (Jan 31)
Ledger Hack: Am I Affected? Find Out if YOU or a Friend are Affected by the Ledger Data Breach - YouTube (Jan 31)
https://www.cryptovantage.com/news/is-ledger-still-safe-everything-we-learned-from-last-years-hack/ (Jan 31)
Class action lawsuit filed against crypto wallet firm Ledger, Shopify over 2020 customer data breach (Jan 31)
Ledger customers exposed as personal data is leaked (Jan 31)
Fake data breach alerts used to steal Ledger cryptocurrency wallets (Jan 31)
Ongoing phishing campaigns | Ledger (Feb 5)
Ledger Customers Are Being Mailed Fake Wallets to Steal Their Private Seeds – Bitcoin News (May 30)