DESCRIPTION OF EVENTS
"Based in France, Ledger is the largest cryptocurrency hardware wallet company." "Ledger is a hardware cryptocurrency wallet that is used to store, manage, and sell cryptocurrency. The funds held in these wallets are secured using a 24-word recovery phrase and an optional secret passphrase that only the owner knows."
"Ledger offers two products, the Nano S and Nano X, that can store the digital keys used to secure crypto wallets. The devices can be used with a variety of cryptocurrencies, are compatible with numerous apps, and are supposed to offer a safe way to manage crypto without compromising too much on convenience. Ledger says on its website that it has sold 1.5 million products to customers in 165 countries to date."
"Ledger had allowed a marketing company (an unknown partner) access to its e-commerce and marketing database through an API."
“The API key misconfiguration at issue has been running since Aug 9, 2018. Based on the information we have, we believe it was discovered and exploited from April 2020 to June 28, 2020,” Ledger reported
"[O]n the 25th of June 2020, an unauthorized third party accessed [Ledger's] e-commerce and marketing database – used to send order confirmations and promotional emails – consisting mostly of email addresses, but with a subset including also contact and order details such as first and last name, postal address, email address and phone number."
"Ledger found out about the data breach on Jul. 14 during a bug bounty program." "On the 14th of July 2020, a researcher participating in our bounty program made us aware of a potential data breach on the Ledger website. We immediately fixed this breach after receiving the researcher’s report and underwent an internal investigation." "The API key has now been deactivated and is no longer accessible."
"A week after patching the breach, we discovered It had [already been] exploited." "Even though the company fixed the issue immediately, it was too late." "Ledger publicly revealed that customer information had been compromised. At the time, the company estimated 9,500 customers had been affected by the hack." "At the time of the incident, in July, we engaged an external security organisation to conduct a forensic review of the logs available. This review of the logs enabled us to confirm that approximately 1 million email addresses had been stolen as well as 9,532 more detailed personal information (postal addresses, name, surname and phone number) that we were able to specifically identify."
"On the 17th of July, we notified the CNIL, the French Data Protection Authority which ensures that data privacy law is applied to the collection, storage, and use of personal data. On the 21st of July, we partnered with Orange Cyberdefense to assess the potential damages of the data breach and identify potential data breaches."
Alon Gal, Co-Founder & CTO at security firm Hudson Rock said, “This leak holds major risk to the people affected by it. Individuals who purchased a Ledger tend to have high net worth in cryptocurrencies and will now be subject to both cyber harassments as well as physical harassments on a larger scale than experienced before.”
"[C]ybersecurity analysts believe the information was already being sold privately, starting in August 2020."
"Since October 2020, many Ledger users have been targeted by elaborate phishing scams seeking to gain access to their 24-word recovery phrases, which would allow hackers to then steal their cryptocurrency assets. (The 24-word recovery phrase was not compromised in the earlier data breach.)"
"Those [individuals at Ledger] were telling people with a target on their back in support requests that they were not affected in this breach yet they actually were. So not only they lied about the amount of leaked information, they were still lying about it even after. Reminder: bitcoin meant to increase privacy, but seems like one of the largest and 'secure' bitcoin players don't give [much care] about the way they store data."
"Today we were alerted to the dump of the contents of a Ledger customer database on Raidforum. We are still confirming, but early signs tell us that this indeed could be the contents of our e-commerce database from June, 2020." "The database publicly released yesterday shows that a larger subset of detailed information has been leaked, approximately 272,000 detailed information such as postal address, last name, first name and telephone number of our customers. These details are not available in the logs that we were able to analyse. Transparency in our operations and communications has always been a priority. This has not changed."
"On Dec. 23, 2020, Ledger was notified by Shopify of an incident “involving merchant data in which rogue member(s) of their support team obtained customer transactional records, including Ledger’s. The agent(s) illegally exported customer transactional records in April and June 2020,” according to a blog post."
"In conjunction with forensic firm Orange Cyberdefense, Ledger examined the 292,000 stolen data records. It found that while the database is quite similar to the personal information exposed in the previous attack, there were 20,000 new customer records compromised."
"The 'All Emails (Subscription).txt' text file contains the email addresses of 1,075,382 people who subscribed to the Ledger newsletter. The 'Ledger Orders (Buyers) only.txt' is more sensitive as it contains the names, mailing addresses, and phone numbers for 272,853 people who purchased a Ledger device."
""First appearing in May , the scammers [started mailing] packages that contained a fake Ledger Nano wallet to the homes of Ledger users." "The [latest batch of] fake device comes in authentic-looking packaging with the Ledger logo. The package includes a fake letter and a tampered Ledger hardware wallet. It is shrink-wrapped as if the box has never been opened."
"The fake letter explains that you need to replace your existing hardware wallet to secure your funds. There are enclosed instructions in the Nano box which ask the user to connect the device to their computer, open a drive and run the fake Ledger Live app. To initialize the device, the user is asked to enter his 24 words in the fake Ledger Live app."
"This is a scam. The Ledger Nano is fake. A flash drive implant has been connected to the printed circuit board. It contains a file with a fake Ledger Live app. A Ledger Nano is not a USB device. It does not contain any application to download and install on your computer. The only way to download the Ledger Live app is by using the official download page. Plus, Ledger and Ledger Live will never ask you to share your 24-word recovery phrase."
“We are aware of this scam, which we have included in our list of ongoing malicious attacks listed on our website,” Ledger Chief Information Security Officer Matt Johnson told CoinDesk in an email. “You should be suspicious of receiving a free product in the mail that you didn’t order and check Ledger’s official channels or contact Ledger support team.”
Ledger users who had their private information compromised in the June 2020 breach were mailed another fake hardware wallet in June. This improved upon the version of fake hardware wallet provided in May. As Ledger doesn't have knowledge of which wallets belong to their users, it is unknown how many users were impacted, or whether any users managed to track and recover lost funds.
HOW COULD THIS HAVE BEEN PREVENTED?
Users should always check any wallet they receive against official sources. Check for news and updates on the official website or contact them if you are uncertain.
Platforms need to maintain proactive communication with their users, and Ledger likely could have done more to reach users by email or reach out to media for coverage to better protect their users. Better education material could also be provided to customers as part of their purchase experience. Ledger also needs to ensure they are responsive on their website. For example, the method to report on new phishing attacks didn't appear to work when tested.
Ledger Hack Victim Scam Details - Bitcoin Magazine: Bitcoin News, Articles, Charts, and Guides (Jan 31)
CoinMarketCap: No Breach Despite 3.1M Email Address Leak (Jan 25)
3 Million CoinMarketCap Email Addresses Have Leaked - Crypto Briefing (Jan 26)
Ledger Breach Vastly Underestimated, 270,000 Clients Data Leaked - Crypto Briefing (Jan 30)
Ledger Adds Bitcoin Bounty and New Data Security After Hack - CoinDesk (Jan 31)
Ledger Cryptocurrency Wallet Data Breach Investigation | Migliaccio & Rathod LLP (Jan 31)
Addressing the July 2020 e-commerce and marketing data breach -- A Message From Ledger’s Leadership | Ledger (Jan 31)
Bug Bounty Program | Donjon (Jan 31)
@Ledger Twitter (Jan 31)
@btcriku Twitter (Jan 31)
Ledger Won’t Reimburse Users After Major Data Hack - Decrypt (Jan 31)
How to Handle the Ledger Hack & Data Breach - Naray Law (Jan 31)
Message by LEDGER’s CEO - Update on the July data breach. Despite the leak, your crypto assets are safe. | Ledger (Jan 31)
Ledger Faces Class-Action Lawsuit for 2020 Data Breach (Jan 31)
Physical addresses of 270K Ledger owners leaked on hacker forum (Jan 31)
After Ledger Hack, Who Can You Trust For Bitcoin Storage? (Jan 31)
6 Ways to Face the Data Breach | Ledger (Jan 31)
Ledger Hack: Who is Ledger? What Happened? Does the Ledger data breach affect everyone? - YouTube (Jan 31)
Ledger Hack: Am I Affected? Find Out if YOU or a Friend are Affected by the Ledger Data Breach - YouTube (Jan 31)
https://www.cryptovantage.com/news/is-ledger-still-safe-everything-we-learned-from-last-years-hack/ (Jan 31)
Class action lawsuit filed against crypto wallet firm Ledger, Shopify over 2020 customer data breach (Jan 31)
Ledger customers exposed as personal data is leaked (Jan 31)
Fake data breach alerts used to steal Ledger cryptocurrency wallets (Jan 31)
Ongoing phishing campaigns | Ledger (Feb 5)
Ledger Live : Most trusted & secure crypto wallet | Ledger (Feb 13)
Ledger Customers Targeted by ‘Convincing’ Phishing Attack - CoinDesk (Feb 27)
Update: Efforts to Protect Your Data and Prosecute The Scammers | Ledger (Feb 27)
Ledger data leak: A ‘simple mistake’ exposed 270K crypto wallet buyers (Feb 27)
Life as a “Ledger” Wallet Data Breach Victim (Feb 27)
@ledger Twitter (Feb 27)
Ledger, Shopify Hit with Consumer Complaint After Data Breach - Tech (Feb 27)
Cybercrooks Are Mailing Users Fake Ledger Devices To Steal Their Cryptocurrency (Mar 6)
Scammers Are Sending Ledger Users Fake Hardware Wallets (Mar 6)
Scammers mail out fake hardware wallets to victims of Ledger data breach (Mar 6)
Scam alert: Ledger users receive fake hardware wallets - Cointribune (Mar 6)
https://www.ledger.com/wp-content/uploads/2021/05/phishing-updated.jpg (Mar 6)
Criminals are mailing altered Ledger devices to steal cryptocurrency (Mar 6)
Scammers Are Using Fake Devices to Steal Cryptocurrency Wallets | PCMag (Mar 6)
https://www.itp.net/security/98374-victims-of-ledger-hack-receive-fake-hardware-wallets (Mar 6)
Fake Ledger devices mailed out in attempt to steal from cryptocurrency fans (Mar 6)
Scammers Are Sending Ledger Users Fake Hardware Wallets - CoinDesk (Mar 6)