Today, July 29, 2020, the team behind the Ledger products revealed that a critical vulnerability in the Ledger e-commerce database had been disclosed two weeks ago. The breach mostly affected the email addresses of Ledger purchasers, but some personal information was also affected.
API key to blame for the leak
As the Ledger team announced in its recent official statement, a participant in the Ledger bounty program contacted the team on July 14 with information about a security breach. The issue was fixed immediately, but the experts then disclosed that the system had been further exploited on June 25.
A researcher participating in our bounty program made us aware of a potential data breach in our marketing database.
We immediately investigated and fixed it.
Your payment information and crypto funds are safe.
More details: https://t.co/dpnI2tdfmO
—Ledger (@Ledger) July 29, 2020
A third-party attacker accessed the segments of the e-commerce and promotional databases that hold customers' email addresses. Additionally, the order details of 9,500 users were leaked: name, street address, phone number and the details of what they ordered.
During the investigation, Ledger's officers found that the malefactor had abused an API key. This API key was immediately deactivated and is no longer accessible.
The team highlights that, at press time, the database of 1 million email addresses and 9,500 sets of user data is not for sale on the internet:
We are actively monitoring for evidence of the database being sold on the internet, and have found none thus far.
Funds are safe
Most importantly, the Ledger team is sure that this breach did not affect the operation of the popular Ledger hardware crypto wallets or the Ledger Live multi-platform application.
No sensitive payment information, such as passwords, PINs and other credentials, is in peril. The team stresses that the malefactors have no way to access the crypto funds of Ledger users or their private keys and recovery phrases. However, the wallet team strongly recommends that its users beware of phishing attempts, since this is the only fraud that malefactors could initiate with the leaked information.
The Ledger team filed a formal complaint with law enforcement and launched a series of internal and external white hat hacks to raise the level of system security.