$271 000 USD

NOVEMBER 2020

GLOBAL

LEDGER

DESCRIPTION OF EVENTS

"Based in France, Ledger is the largest cryptocurrency hardware wallet company." "Ledger is a hardware cryptocurrency wallet that is used to store, manage, and sell cryptocurrency. The funds held in these wallets are secured using a 24-word recovery phrase and an optional secret passphrase that only the owner knows."

"Ledger offers two products, the Nano S and Nano X, that can store the digital keys used to secure crypto wallets. The devices can be used with a variety of cryptocurrencies, are compatible with numerous apps, and are supposed to offer a safe way to manage crypto without compromising too much on convenience. Ledger says on its website that it has sold 1.5 million products to customers in 165 countries to date."

"Ledger had allowed a marketing company (an unknown partner) access to its e-commerce and marketing database through an API."

“The API key misconfiguration at issue has been running since Aug 9, 2018. Based on the information we have, we believe it was discovered and exploited from April 2020 to June 28, 2020,” Ledger reported.

"[O]n the 25th of June 2020, an unauthorized third party accessed [Ledger's] e-commerce and marketing database – used to send order confirmations and promotional emails – consisting mostly of email addresses, but with a subset including also contact and order details such as first and last name, postal address, email address and phone number."

"Ledger found out about the data breach on Jul. 14 during a bug bounty program." "On the 14th of July 2020, a researcher participating in our bounty program made us aware of a potential data breach on the Ledger website. We immediately fixed this breach after receiving the researcher’s report and underwent an internal investigation." "The API key has now been deactivated and is no longer accessible."

"A week after patching the breach, we discovered it had [already been] exploited." "Even though the company fixed the issue immediately, it was too late." "Ledger publicly revealed that customer information had been compromised. At the time, the company estimated 9,500 customers had been affected by the hack." "At the time of the incident, in July, we engaged an external security organisation to conduct a forensic review of the logs available. This review of the logs enabled us to confirm that approximately 1 million email addresses had been stolen as well as 9,532 more detailed personal information (postal addresses, name, surname and phone number) that we were able to specifically identify."

"On the 17th of July, we notified the CNIL, the French Data Protection Authority which ensures that data privacy law is applied to the collection, storage, and use of personal data. On the 21st of July, we partnered with Orange Cyberdefense to assess the potential damages of the data breach and identify potential data breaches."

Alon Gal, Co-Founder & CTO at security firm Hudson Rock, said, “This leak holds major risk to the people affected by it. Individuals who purchased a Ledger tend to have high net worth in cryptocurrencies and will now be subject to both cyber harassments as well as physical harassments on a larger scale than experienced before.”

"[C]ybersecurity analysts believe the information was already being sold privately, starting in August 2020."

"Since October 2020, many Ledger users have been targeted by elaborate phishing scams seeking to gain access to their 24-word recovery phrases, which would allow hackers to then steal their cryptocurrency assets. (The 24-word recovery phrase was not compromised in the earlier data breach.)"

"Now we can see the consequences of such an event because the attackers designed a massive bunch of fake Ledger emails and are sending them to the customers. Their main goal is deceiving as many people as possible to steal their private keys and passwords, and, therefore, the cryptocurrencies they may have in this wallet."

One such phishing email, sent to users and styled to look as if it came from Ledger customer support, read:

"We are sorry to inform you that there has been a security breach affecting approximately 85,000 of our customers and that your e-mail address is within those affected by the breach."

"Namely, on Saturday, October 24th 2020, our forensics team has found several of the Ledger Live administrative servers to be infected with malware."

"In the current state of our knowledge, it is not technically possible to state the exact scope of the data leak. Due to that fact, we must assume that your cryptocurrency assets are at an immediate risk of theft."

"If you've used Ledger Live at any point from November 2019 to the present date, please download the latest version of the client and follow the instructions to set up a new PIN for your wallet."

"[A] phishing email sent to many cryptocurrency users was directing them to a fake Ledger website. The fake domain was very hard to point out as it cleverly substituted the site with a homoglyph in the domain name."

"The email suggests that Ledger Live servers are breached, and a Ledger Live update is needed. The fake email also includes a malicious link urging users to “Download the latest version.” This link is malicious, and it is advisable not to click on this link. Following this link may result in your funds being stolen from your account."

“The investigation is ongoing and at this time we cannot give any additional information but one thing is for certain: Ledger will never ask you for your 24-word recovery phrase, which is a blatant sign of a phishing scam,” a company spokesperson said recently.

"It's important to note your coins are not at risk if you don't give your 24 words. Your private key is secured by the Secure Element of your Nano. If only your [Live] app would be compromised, your private key is safe, and all your transactions could be checked on your Nano."

"This phishing scam (notice the fake domain lẹdger.com), has already stolen more than 1,150,000 XRP from @Ledger users." "The entire amount was sent in 5 payments to @BittrexExchange who were unable to seize it in time."

“Ledger encourages customers to exercise caution as phishing attacks become more sophisticated and to alert Ledger’s customer support team and consult Ledger.com for more information on the detection of scams.”

Using the customer data leaked in the June 2020 breach, scammers began emailing Ledger owners fake security alerts claiming that their crypto-assets were at risk as well. The emails pointed to an "upgraded" Ledger Live to install, which captured the 24-word recovery phrase when users entered it to set up their wallet. Ledger users lost more than 1.1 million XRP to one such campaign, and affected users have very limited recourse to recover their funds.

HOW COULD THIS HAVE BEEN PREVENTED?

Users should always verify any email, update prompt, or wallet software they receive against official sources. Check for news and updates on the official website, or contact the company directly if you are uncertain. Ledger states that it will never ask for the 24-word recovery phrase, so any request for it, in an email or in software, is a sign of a scam.

Platforms need to maintain proactive communication with their users. Ledger likely could have done more to reach affected users directly by email and to seek media coverage, so that customers heard about the breach and the follow-on phishing campaign from the company before they heard from the scammers. Better education material could also be provided to customers as part of the purchase experience.
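The homoglyph domain quoted above (lẹdger.com) shows why eyeballing a link is not a reliable way to "check against official sources". The following is an added example written for this page, not code from Ledger or from any of the cited sources: it folds a link's hostname to an ASCII skeleton and compares it against an allow-list of the vendor's genuine hostnames, lists the substituted characters by Unicode name, and shows the punycode (xn--) form that DNS actually resolves. The allow-list and the small confusables table are assumptions for illustration.

```python
import unicodedata
from urllib.parse import urlsplit

# Assumed allow-list of the vendor's genuine hostnames (illustrative; the page
# itself only names ledger.com).
LEGIT_HOSTS = {"ledger.com", "www.ledger.com", "shop.ledger.com", "support.ledger.com"}

# Partial, hand-written table of look-alike characters that NFKD folding does
# not collapse: Cyrillic letters that render like Latin ones, plus two digit
# confusables. Real tooling would use the Unicode confusables data (UTS #39).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u04bb": "h",
    "0": "o", "1": "l",
}


def skeleton(host: str) -> str:
    """Fold a hostname to an ASCII skeleton so look-alikes compare equal.

    NFKD splits 'ẹ' (U+1EB9) into 'e' + COMBINING DOT BELOW; dropping the
    combining marks (category Mn) leaves a plain 'e'. Characters that do not
    decompose are then mapped through the confusables table above.
    """
    decomposed = unicodedata.normalize("NFKD", host.lower())
    no_marks = "".join(ch for ch in decomposed if unicodedata.category(ch) != "Mn")
    return "".join(CONFUSABLES.get(ch, ch) for ch in no_marks)


def analyze_link(url: str, legit_hosts=LEGIT_HOSTS) -> dict:
    """Classify the hostname of a link as legitimate, lookalike or unknown."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    # Every non-ASCII code point with its Unicode name, so a reviewer can see
    # exactly which character was substituted.
    non_ascii = [(ch, unicodedata.name(ch, "UNKNOWN")) for ch in host if ord(ch) > 127]
    # The A-label (xn--...) is what the resolver really queries; a brand name
    # that suddenly needs punycode is itself a red flag.
    try:
        punycode = host.encode("idna").decode("ascii")
    except UnicodeError:
        punycode = None

    if host in legit_hosts:
        verdict, lookalike_of = "legitimate", None
    else:
        sk = skeleton(host)
        lookalike_of = next((h for h in legit_hosts if skeleton(h) == sk), None)
        verdict = "lookalike" if lookalike_of else "unknown"

    # Brand name embedded in a longer hostname (ledger.com.update.example):
    # not a homoglyph, but still not the vendor.
    embedded_brand = verdict != "legitimate" and any(h in host for h in legit_hosts)

    return {
        "host": host,
        "punycode": punycode,
        "non_ascii": non_ascii,
        "verdict": verdict,
        "lookalike_of": lookalike_of,
        "embedded_brand": embedded_brand,
    }


if __name__ == "__main__":
    # Constructed sample links: the phishing domain quoted on this page, a
    # Cyrillic variant, the genuine site, and a brand-embedding domain.
    for link in (
        "https://l\u1eb9dger.com/live/update",
        "https://l\u0435dger.com/",
        "https://www.ledger.com/start",
        "https://ledger.com.update.example/download",
    ):
        print(analyze_link(link))
```

For the phishing URL, analyze_link reports the verdict "lookalike" against ledger.com, names the offending character as LATIN SMALL LETTER E WITH DOT BELOW, and shows that the hostname's DNS form begins xn--ldger-, which no genuine Ledger hostname does. The same folding catches a Cyrillic substitution that looks identical on screen, while a domain that merely embeds the brand name is flagged separately. A check of this kind belongs in the mail gateway or browser extension rather than with the user, who, as the quoted campaign shows, cannot be expected to spot one dotted letter.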

 

Sources And Further Reading

CoinMarketCap: No Breach Despite 3.1M Email Address Leak (Jan 25)
3 Million CoinMarketCap Email Addresses Have Leaked - Crypto Briefing (Jan 26)
Ledger Breach Vastly Underestimated, 270,000 Clients Data Leaked - Crypto Briefing (Jan 30)
Ledger Adds Bitcoin Bounty and New Data Security After Hack - CoinDesk (Jan 31)
Ledger Cryptocurrency Wallet Data Breach Investigation | Migliaccio & Rathod LLP (Jan 31)
Addressing the July 2020 e-commerce and marketing data breach -- A Message From Ledger’s Leadership | Ledger (Jan 31)
Bug Bounty Program | Donjon (Jan 31)
@Ledger Twitter (Jan 31)
@btcriku Twitter (Jan 31)
Ledger Won’t Reimburse Users After Major Data Hack - Decrypt (Jan 31)
How to Handle the Ledger Hack & Data Breach - Naray Law (Jan 31)
Message by LEDGER’s CEO - Update on the July data breach. Despite the leak, your crypto assets are safe. | Ledger (Jan 31)
Ledger Faces Class-Action Lawsuit for 2020 Data Breach (Jan 31)
Physical addresses of 270K Ledger owners leaked on hacker forum (Jan 31)
After Ledger Hack, Who Can You Trust For Bitcoin Storage? (Jan 31)
6 Ways to Face the Data Breach | Ledger (Jan 31)
Ledger Hack: Who is Ledger? What Happened? Does the Ledger data breach affect everyone? - YouTube (Jan 31)
Ledger Hack: Am I Affected? Find Out if YOU or a Friend are Affected by the Ledger Data Breach - YouTube (Jan 31)
https://www.cryptovantage.com/news/is-ledger-still-safe-everything-we-learned-from-last-years-hack/ (Jan 31)
Class action lawsuit filed against crypto wallet firm Ledger, Shopify over 2020 customer data breach (Jan 31)
Ledger customers exposed as personal data is leaked (Jan 31)
Fake data breach alerts used to steal Ledger cryptocurrency wallets (Jan 31)
Ledger Cryptocurrency Wallet Phishing Scam - Binary Defense (Feb 6)
@xrpforensics Twitter (Feb 6)
Ledger Users Lost 1.1 Million XRP to Scammer | Finance Magnates (Feb 6)
What's the story with this email? : ledgerwallet (Feb 6)
Beware: A Very Sophisticated Ledger Phishing Attack Going on (Feb 6)
Ledger Live desktop is saying there is a 2.16 version available for update. I need confirmation that this isn't a scam lol : ledgerwallet (Feb 6)
XRP price today, XRP live marketcap, chart, and info | CoinMarketCap (Aug 7)
Ledger Live : Most trusted & secure crypto wallet | Ledger (Feb 13)
Fake Trezor App Steals $600k in BTC, Time to Rethink Crypto Security? (Feb 25)
Ledger Customers Targeted by ‘Convincing’ Phishing Attack - CoinDesk (Feb 27)
Update: Efforts to Protect Your Data and Prosecute The Scammers | Ledger (Feb 27)
Ledger data leak: A ‘simple mistake’ exposed 270K crypto wallet buyers (Feb 27)
Life as a “Ledger” Wallet Data Breach Victim (Feb 27)
@ledger Twitter (Feb 27)
Ledger, Shopify Hit with Consumer Complaint After Data Breach - Tech (Feb 27)
@UnderTheBreach Twitter (Feb 27)
Bitcoin Wallet Provider Ledger Compromised Again by Malicious Phishing Attack - Crypto Briefing (Feb 27)
Address: 1KBdR5jQ9unrGxevHnFdFwphpu1nS7AD6E | Blockchain Explorer (Jan 30)
Nasty Ledger wallet scams. And how to avoid them. - Who Took My Crypto (Mar 20)
New campaign of fake Ledger emails can steal your crypto - alfa.cash blog (Apr 29)
https://blog.coinbase.com/coinbase-security-tips-319f7dbcc660 (Jul 2)

 For questions or enquiries, email info@quadrigainitiative.com.

© 2021 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.