DESCRIPTION OF EVENTS
"Based in France, Ledger is the largest cryptocurrency hardware wallet company." "Ledger is a hardware cryptocurrency wallet that is used to store, manage, and sell cryptocurrency. The funds held in these wallets are secured using a 24-word recovery phrase and an optional secret passphrase that only the owner knows."
"Ledger offers two products, the Nano S and Nano X, that can store the digital keys used to secure crypto wallets. The devices can be used with a variety of cryptocurrencies, are compatible with numerous apps, and are supposed to offer a safe way to manage crypto without compromising too much on convenience. Ledger says on its website that it has sold 1.5 million products to customers in 165 countries to date."
"Ledger had allowed a marketing company (an unknown partner) access to its e-commerce and marketing database through an API."
“The API key misconfiguration at issue has been running since Aug 9, 2018. Based on the information we have, we believe it was discovered and exploited from April 2020 to June 28, 2020,” Ledger reported.
"[O]n the 25th of June 2020, an unauthorized third party accessed [Ledger's] e-commerce and marketing database – used to send order confirmations and promotional emails – consisting mostly of email addresses, but with a subset including also contact and order details such as first and last name, postal address, email address and phone number."
"Ledger found out about the data breach on Jul. 14 during a bug bounty program." "On the 14th of July 2020, a researcher participating in our bounty program made us aware of a potential data breach on the Ledger website. We immediately fixed this breach after receiving the researcher’s report and underwent an internal investigation." "The API key has now been deactivated and is no longer accessible."
"A week after patching the breach, we discovered it had [already been] exploited." "Even though the company fixed the issue immediately, it was too late." "Ledger publicly revealed that customer information had been compromised. At the time, the company estimated 9,500 customers had been affected by the hack." "At the time of the incident, in July, we engaged an external security organisation to conduct a forensic review of the logs available. This review of the logs enabled us to confirm that approximately 1 million email addresses had been stolen as well as 9,532 more detailed personal information (postal addresses, name, surname and phone number) that we were able to specifically identify."
"On the 17th of July, we notified the CNIL, the French Data Protection Authority which ensures that data privacy law is applied to the collection, storage, and use of personal data. On the 21st of July, we partnered with Orange Cyberdefense to assess the potential damages of the data breach and identify potential data breaches."
Alon Gal, Co-Founder & CTO at security firm Hudson Rock said, “This leak holds major risk to the people affected by it. Individuals who purchased a Ledger tend to have high net worth in cryptocurrencies and will now be subject to both cyber harassments as well as physical harassments on a larger scale than experienced before.”
"[C]ybersecurity analysts believe the information was already being sold privately, starting in August 2020."
"Since October 2020, many Ledger users have been targeted by elaborate phishing scams seeking to gain access to their 24-word recovery phrases, which would allow hackers to then steal their cryptocurrency assets. (The 24-word recovery phrase was not compromised in the earlier data breach.)"
"Those [individuals at Ledger] were telling people with a target on their back in support requests that they were not affected in this breach yet they actually were. So not only they lied about the amount of leaked information, they were still lying about it even after. Reminder: bitcoin meant to increase privacy, but seems like one of the largest and 'secure' bitcoin players don't give [much care] about the way they store data."
"Today we were alerted to the dump of the contents of a Ledger customer database on Raidforum. We are still confirming, but early signs tell us that this indeed could be the contents of our e-commerce database from June, 2020." "The database publicly released yesterday shows that a larger subset of detailed information has been leaked, approximately 272,000 detailed information such as postal address, last name, first name and telephone number of our customers. These details are not available in the logs that we were able to analyse. Transparency in our operations and communications has always been a priority. This has not changed."
"On Dec. 23, 2020, Ledger was notified by Shopify of an incident “involving merchant data in which rogue member(s) of their support team obtained customer transactional records, including Ledger’s. The agent(s) illegally exported customer transactional records in April and June 2020,” according to a blog post."
"In conjunction with forensic firm Orange Cyberdefense, Ledger examined the 292,000 stolen data records. It found that while the database is quite similar to the personal information exposed in the previous attack, there were 20,000 new customer records compromised."
"The 'All Emails (Subscription).txt' text file contains the email addresses of 1,075,382 people who subscribed to the Ledger newsletter. The 'Ledger Orders (Buyers) only.txt' is more sensitive as it contains the names, mailing addresses, and phone numbers for 272,853 people who purchased a Ledger device."
"Where we saw an increase of phishing mails after the first data leak, with this second one we see some cybercriminals use another approach. On Reddit and other platforms Ledger owners write that they have received threats via phone and email. In the example below the attackers mention the name and address of the victim and threaten to share that information with neighborhood burglars if they don’t send 0.3 BTC to the attackers' wallet."
"Now, extortionists using the aliases Darrin Burlew and Denni Hornig sent emails to Ledger users whose data was leaked back in June."
"In a Reddit post, a user with the account name Crypthomie shared the email coming from the blackmailers. According to a “Darrin Burlew”, he knows that this user holds a lot of cryptos and will “share all his info with the local thieves” if his demands are not met."
"All my dad's details are written on the mail he sent, Name/address/Phone number, but I obviously hid them for reddit."
The blackmailer even furthered his threat by saying, “If I happen to do this, are you able to imagine all the possible consequences that can occur to you and your loved ones?”
"Don't be fooled people, no one will come to your home to kill you but this feeling of insecurity is a scandal and Ledger has to do something about it."
"It must be really frightening when you receive messages like this from criminals. Although Ledger owners are informed of the data leak, receiving such a threat with your personal information must feel terrible. Ledger has set up a bitcoin bounty for information leading to those responsible for the hack. It’s a good thing to do, but that won’t help prevent people from becoming victims of these extortion mails."
Multiple Ledger users have reported receiving extortion threats, often containing their personal information from the June 2020 data breach. Scammers threaten various forms of physical violence or theft against them. It is unknown what funds were lost, and affected users have very limited recourse to recover their funds. Ledger has set up a bounty for information about those responsible for the hack.
HOW COULD THIS HAVE BEEN PREVENTED?
If malicious individuals have the physical capacity and motivation to attack someone, it is unclear why paying a ransom would stop them from attacking anyway. All crypto users should have a plan in case they come under threat. Cryptocurrency should not be stored at an obvious home address. Setting up a multi-sig wallet, or a throw-away wallet holding a smaller balance, can also help. Never share your balance with anyone.
Ledger Live : Most trusted & secure crypto wallet | Ledger (Feb 13)
Ledger Breach Vastly Underestimated, 270,000 Clients Data Leaked - Crypto Briefing (Jan 30)
Ledger Adds Bitcoin Bounty and New Data Security After Hack - CoinDesk (Jan 31)
Update: Efforts to Protect Your Data and Prosecute The Scammers | Ledger (Feb 27)
Ledger data leak: A ‘simple mistake’ exposed 270K crypto wallet buyers (Feb 27)
6 Ways to Face the Data Breach | Ledger (Jan 31)
After Ledger Hack, Who Can You Trust For Bitcoin Storage? (Jan 31)
Life as a “Ledger” Wallet Data Breach Victim (Feb 27)
@ledger Twitter (Feb 27)
Threat Actors Target Ledger Data Breach Victims in New Extortion Campaign (Feb 27)
Ledger Hack: Am I Affected? Find Out if YOU or a Friend are Affected by the Ledger Data Breach - YouTube (Jan 31)
Ledger, Shopify Hit with Consumer Complaint After Data Breach - Tech (Feb 27)
@lopp Twitter (Feb 27)
Ledger Won’t Reimburse Users After Major Data Hack - Decrypt (Jan 31)
Users Face Home Invasion Threats, Ledger CEO Unfazed - CoinQuora (Mar 20)
https://blog.coinbase.com/coinbase-security-tips-319f7dbcc660 (Jul 2)
Ledger Hack: Physical Attacks. How likely are they? How to protect yourself? [See description too] - YouTube (Dec 12)
Darknet Diaries - 112: Dirty Coms (Feb 5)