QUADRIGA INITIATIVE
CRYPTO WATCHDOG & FRAUD RECOVERY PLATFORM
A COMMUNITY-BASED, NOT-FOR-PROFIT
UNKNOWN
MAY 2020
GLOBAL
LEDGER
DESCRIPTION OF EVENTS

"Based in France, Ledger is the largest cryptocurrency hardware wallet company." "Ledger is a hardware cryptocurrency wallet that is used to store, manage, and sell cryptocurrency. The funds held in these wallets are secured using a 24-word recovery phrase and an optional secret passphrase that only the owner knows."
"Ledger offers two products, the Nano S and Nano X, that can store the digital keys used to secure crypto wallets. The devices can be used with a variety of cryptocurrencies, are compatible with numerous apps, and are supposed to offer a safe way to manage crypto without compromising too much on convenience. Ledger says on its website that it has sold 1.5 million products to customers in 165 countries to date."
"Ledger, “one of the market leaders for crypto-asset security,” sells solutions to consumers to help keep their crypto-assets safe. Its main product is a “hardware wallet,” a physical item similar to a USB drive that consumers use to access crypto assets, the complaint stated. Reportedly, Ledger sells its products through a number of distributors and also directly to consumers through its own website, which Shopify powers."
"In mid-2020, two rogue Shopify employees accessed purchaser data, including the names and contact information of people who purchased Ledger hardware wallets. By June 2020, the filing claimed, Ledger’s customer register, a list of individuals who have “converted substantial wealth into anonymized crypto-assets that are transferrable without a trace,” made its way onto the internet’s black market."
"May 24, 2020 – Cybercrime investigation and insight service Under the Breach reports that a hacker has obtained customer details from hundreds of Shopify clients, including Ledger and Trezor. Ledger denies the leak, reducing it to “rumors spreading” and says that the data from the hack doesn’t match their own records. Trezor says that they don’t use Shopify."
"A supposed Shopify database hack that is said to have exposed the names and addresses of tens of thousands of Ledger, Trezor, and KeepKey hardware wallets has been denied by the companies. The alleged breach was ‘revealed’ on Sunday when a data breach monitoring service posted on Twitter that a Shopify customer database had been compromised, which had allowed hackers to access the personal details of over 72,000 of the manufacturers’ customers. The companies in question have since denied that the databases are genuine, but the issue raises an uncomfortable truth about hardware wallets that many may not want to consider."
"The alleged Shopify database hack was suggested by Under the Breach, a cybercrime investigation and insight service, who posted images that they said showed that hacker had accessed names, addresses, and phone numbers of over 41,000 Ledger customers, over 21,000 Trezor customers, and 10,000 KeepKey customers, which he then began selling on the dark web. Alongside this, the hacker was also supposed to have obtained the full customer database for investing site Bank to the Future, which he was also selling."
"The Ethereum forum hacker is now selling the databases of @Trezor and @Ledger. Both of which obtained from a @Shopify exploit. (suggesting there are many more underground leaks). The hacker also claims he has the full SQL database of famous investing site @BankToTheFuture."
Ledger said at the time: "Rumors pretend our Shopify database has been hacked through a Shopify exploit. Our ecommerce team is currently checking these allegations by analyzing the so-called hacked db, and so far it doesn’t match our real db. We continue investigations and are taking the matter seriously."
Trezor said: "There are rumors spreading that our eshop database has been hacked thru a Shopify exploit. Our eshop does not use Shopify, but we are nonetheless investigating the situation. We've been also routinely purging old customer records from the database to minimize the possible impact."
"In mid-2020, two rogue Shopify employees accessed purchaser data, including the names and contact information of people who purchased Ledger hardware wallets. By June 2020, the filing claimed, Ledger’s customer register, a list of individuals who have “converted substantial wealth into anonymized crypto-assets that are transferrable without a trace,” made its way onto the internet’s black market."
"Recently, Shopify became aware of an incident involving the data of less than 200 merchants. We immediately launched an investigation to identify the issue--and impact--so we could take action and notify the affected merchants."
"Our investigation determined that two rogue members of our support team were engaged in a scheme to obtain customer transactional records of certain merchants. We immediately terminated these individuals’ access to our Shopify network and referred the incident to law enforcement. We are currently working with the FBI and other international agencies in their investigation of these criminal acts. While we do not have evidence of the data being utilized, we are in the early stages of the investigation and will be updating affected merchants as relevant."
"This incident was not the result of a technical vulnerability in our platform, and the vast majority of merchants using Shopify are not affected. However, those whose stores were illegitimately accessed may have had customer data exposed. This data includes basic contact information, such as email, name, and address, as well as order details, like products and services purchased. Complete payment card numbers or other sensitive personal or financial information were not part of this incident."
"Our teams have been in close communication with affected merchants to help them navigate this issue and address any of their concerns. We don’t take these events lightly at Shopify. We have zero tolerance for platform abuse and will take action to preserve the confidence of our community and the integrity of our product."
"Reportedly, circumstances worsened over the next few months as some hackers threatened to enter the homes of and attack Ledger customers unless they made untraceable ransom payments. In the face of the breach, Ledger purportedly did little. Finally, the complaint alleged, in December 2020, its CEO made a statement regretting the situation and acknowledging that phishing emails and text messages sent to some victims were a nuisance."
"Recently, we shared news of a data dump. On December 23, we were alerted by our e-commerce provider Shopify about an incident in April & June '20 where their rogue team members exported merchants' customer databases. Ledger was included."
"[O]n December 23rd, 2020 we received a notification from our e-commerce service provider, Shopify, regarding an incident involving merchant data in which rogue member(s) of their support team obtained customer transactional records, including Ledger’s. The agent(s) illegally exported customer transactional records in April and June 2020. According to Shopify, this is related to the incident reported September 2020, which concerns more than 200 merchants, but until December 21st, 2020, Shopify had not discovered that Ledger was also targeted in this attack. Shopify tells us they engaged digital forensics experts and counsel to continue their investigation on the matter and have reported the matter to law enforcement in both Canada and the USA."
"The information obtained by these agents is 93% similar to the previous data dump. However, 7% (around 20,000) of the customer records breached are new. We have directly contacted the concerned users to inform them about this."
"We are dedicated to taking action against this incident." "Security reminder: never share 24-word recovery phrase. Ledger will never ask you for your 24 words. Only enter your 24-word recovery phrase into your Ledger device, and never into Ledger Live."
"We are announcing changes in the way Ledger will handle customer data: Our goal is to completely delete your personal data such as name, address, and phone number as soon as possible. We are challenging ourselves and third party providers to keep this data for as short a period of time as necessary to fulfill our obligations to our customers (such as fulfilling your order) and the law (such as accounting and legal obligations). Data which needs to be kept will be put in a further segregated environment."
"We will implement a messaging model where proactive important security and technical information will be conveyed through Ledger Live. Email and social media will ONLY be used for broadcasting product messages and announcements." "Ledger is committing numerous additional resources to identifying and prosecuting those responsible for the attacks on Ledger and Ledger customers including a bounty fund of 10 BTC for information leading to successful arrest and prosecution. We hope other companies will join the bounty program and help make the crypto community a safer place."
"In recent months we’ve seen high activity of phishing attacks on our customers. We have communicated heavily to warn our customers about these attacks via email, on our Website, within Ledger Live, and on Twitter, Reddit and other third-party platforms. We sent an email to our entire database regarding these phishing attempts on October 22nd, 2020. We partnered with Webdrone, a company specialized in business intelligence and cybercrime, to identify the author(s) of phishing websites. We have an on-going program with Corsearch to shutdown phishing websites expeditiously through registrars and to date have shut down 216 sites and counting."
"We continue to work with several private investigators to find and track the individuals responsible for these attacks. All clues and information gathered are shared with the relevant authorities (if you have new information for us, please see the bounty program below). For the phishing campaigns, Ledger has also filed a complaint with the French prosecutor and shares information gathered by Ledger and the investigators on a regular basis."
"Our goal is to completely delete your personal data such as name, address, and phone number as soon as possible. We are challenging ourselves and third party providers to keep this data for as short a period of time as necessary to fulfill our obligations to our customers (such as fulfilling your order) and the law (such as accounting and legal obligations). Data which needs to be kept will be put in a further segregated environment. For instance, we aim to put your e-commerce order information such as name, address, phone number in a segregated environment three months after the shipping of your product."
"We will reduce the locations at which your personal information is displayed. For example, we will be deleting the name, address, and phone number from the order confirmation emails we send to you so this data does not pass through our ecommerce email provider. We will implement a messaging model where proactive important security and technical information will be solely conveyed through Ledger Live. Email and social media will ONLY be used for broadcasting product messages and announcements. We will be conducting a detailed re-assessment of all our suppliers and partners to ensure that they continue to meet the highest standards."
"Two Georgia residents have filed suit against Ledger SAS, Ledger Technologies Inc., Shopify (USA) Inc., and Shopify Inc., accusing the companies of mishandling a massive data breach that caused customers to lose money, face threats of physical violence, and feel vulnerable in their homes. The Northern District of California class-action complaint contended that the defendants negligently allowed, recklessly ignored, and intentionally tried to cover up the breach."
"The plaintiffs argued that “customers would not have purchased Ledger wallets at all, or would not have paid as much as they did for Ledger wallets, had they known of Ledger’s lax security practices and unwillingness to promptly and completely disclose data breaches.”"
"In turn, the plaintiffs are requesting the certification of several classes and subclasses of Ledger customers and are seeking redress under state common law and California and Georgia consumer-protection statutes."
"We are deeply sorry that these incidents occurred and for any pain or stress they’ve caused our customers. Keeping you secure is Ledger’s mission and we take these incidents extremely seriously both personally and professionally. We will soon release a technical solution that will remove the 24 words as the single pillar of the security of our hardware wallets and will open the door to funds insurance for individual customers. These attacks have only strengthened our resolve to build and release products that keep you and your crypto safe. We have exciting, innovative and secure products and services to announce in 2021. Ledger remains committed to building the most secure products and protecting the crypto ecosystem. Period."
Shopify assisted Ledger in processing orders for hardware wallets. Ledger's Shopify records were reportedly breached in two incidents, on April 18th, 2020 and again on June 16th, 2020. A total of 20,000 records were reportedly breached, containing contact information of customers who had ordered Ledger products. The information was sold on the black market by rogue employees of Shopify. This appears to be separate from a breach announced in May 2020, which was reportedly false. In September 2020, Shopify became aware of the breach, but reportedly didn't notify Ledger until December. Many users had already been victims of targeted attacks stemming from a separate breach of Ledger's own database, caused by an API key leak that had been patched in July 2020. Significant funds have been lost in these attacks. Ledger has been running a number of programs attempting to track the criminals who are phishing users and bring them to justice; however, it is unclear whether this has been successful in any cases yet, or whether any funds have been recovered.
HOW COULD THIS HAVE BEEN PREVENTED?
Ledger is taking a number of steps to reduce the flow of information to third parties during the order process and avoid retaining it for any longer than legally necessary.
Purchasers of hardware wallets can protect themselves by using the address/contact information of a trusted friend or family member to make the purchase. Also be aware that most criminals will only make contact passively and cannot do anything to steal funds unless the seed phrase is provided to them. There is no need to ever enter the seed phrase outside of the hardware wallet itself.
