Back

Ledger Hardware Crypto Wallet Team Disclosed Data Breach, 1 Mln Users' Data Under Attack

Top-level hardware wallets producer Ledger announces it has disclosed and patched data breach with 1 mln users affected

article image
Cover image via stock.adobe.com

Today, July 29, 2020, the team behind the Ledger products revealed that a critical vulnerability had been disclosed two weeks ago in the Ledger e-commerce database. It has mostly affected the email addresses of Ledger purchasers, but it has also affected some personal information.

API key to blame for the leak

As announced by the Ledger team in their recent official statement, a participant in the Ledger bounty program contacted them on July 14 with information about a security breach. It was immediately fixed, but then the experts disclosed that the system had been further exploited on June 25.

A third-party attacker accessed the segments of e-commerce and promotional databases holding the email addresses of customers. Additionally, 9,500 users were exposed to a leak of order details: name, street address, phone number and the details of what they ordered.

During the investigation, Ledger's officers found out that the malefactor abused the API key. This API key was immediately deactivated and is no longer accessible.

The team highlights that, at press time, the database of 1 mln email addresses and 9,500 sets of user data is not for sale on the internet:

We are actively monitoring for evidence of the database being sold on the internet, and have found none thus far.

Funds are safe

Most importantly, the Ledger team is sure that this breach did not affect operations of popular Ledger hardware crypto wallets or the Ledger Live multi-platform application.

No sensitive payment information, such as passwords, PINs and other credentials are in peril. It is stressed that the malefactors have no way to access the crypto riches of Ledger users or their private keys and recovery phrases. However, the wallet team highly recommends its users to beware of phishing attemptssince this is the only fraud that could be initiated by malefactors through the information leaked.

The Ledger team filed a formal complaint with law enforcement and launched a series of internal and external white hat hacks to advance the level of system security.

Join our Telegram channel to get news even faster!

article writer image
Vladislav Sopov

Blockchain Analyst & Writer with scientific background. 5+ years in IT-analytics, 2+ years in blockchain.

Worked in independent analysis as well as in start-ups (Swap.online, Monoreto, Attic Lab etc.)