Ledger, Trezor and Others: Hack Allegations Are Baseless, Lack Proof

Published at: May 27, 2020

According to a report by an online monitoring web portal, Under the Breach, a hacker was able to penetrate the privacy protocols of major firms such as Trezor, Ledger and Bnktothefuture on May 24 and walk away with a host of sensitive customer data, including email addresses, home addresses and phone numbers. 

The documents posted by Under the Breach claimed that the hacker was in possession of three large databases that allegedly contained the details of more than 80,000 customers. In this regard, it was also rumored that the hacker was able to procure the above-stated information via an exploit that was linked to Shopify, an e-commerce firm that provides its services to a number of major crypto firms.

It now appears as though this so-called data breach has been a major false-flag, since many of the companies linked with the hack have come forth to say that Under the Breach’s claims are not grounded in any factual evidence. For example, a spokesperson for Shopify told Cointelegraph: “We have investigated these claims and found no evidence to substantiate them, and no evidence of any compromise of Shopify’s systems.”

Similarly, Ledger’s security team moved to allay customer fears that their funds may potentially be in jeopardy. The firm released a detailed blog post stating that the rumor about the leaked customer data being from Ledger’s e-shop was a hoax and that the company’s security team had investigated the sample data and confirmed that it did not match its native client information.

Lastly, in addressing concerns regarding the hacker’s claim that they were able to gain access to Ledger’s client database through a 2016 Shopify exploit, the hardware wallet manufacturer’s security team stated that while Ledger currently employs Shopify as a third-party provider for its e-commerce operations, the same was not the case back in 2016.

Companies debunk the breach

To get a better overview of all that transpired since the hacking rumor went viral online, Cointelegraph reached out to Matthieu Riou, chief technical officer and co-founder of BlockCypher, a cloud-optimized platform powering blockchain applications that allegedly had its data compromised. Riou claimed that after performing a thorough analysis of the matter, his team reached a conclusion that the leak in question was more than four years old and is simply being recirculated. He further clarified:

“For example the number of records as reported by the hacker (2358 users) is particularly telling. We thankfully now have quite a few more users than that. But this number is consistent with a March 2016 data leak we had on an older system and acknowledged at the time.”

Not only that, Riou also pointed out that since the 2016 leak, his firm’s developer team has completely rewritten its user and API token management web application from scratch — as a result of which, users have had to re-register on the new platform with a different password. He added: “We’ve now been running on the new improved platform for several years and have had no issues. We can’t speak as to the severity or recentness of the data dumps originating from other firms.”

This sentiment was echoed by Peter Vecchiarelli, operations manager for Augur, a decentralized betting protocol that the hacker claimed to have compromised and stolen customer data from. Vecchiarelli stated that the “leaked” list associated with Augur was the same one allegedly acquired by hackers back in 2016. He pointed out that upon conducting a cross-reference test, his team found that the leaked list did not match any of Augur’s private email lists for marketing or crowd sale, and was merely a downloaded list of all the individuals who had set their email addresses to “publicly viewable” from a previous Slack channel operated by the company.

Lastly, Marek Palatinus, CEO of SatoshiLabs — the company behind Trezor’s various hardware wallets — told Cointelegraph that it is important for people to understand that the “data breach is not legit” and consists primarily of information that is fabricated. For example, he pointed out that Trezor’s e-shop does not run on Shopify and that the firm makes use of a niche anonymization protocol to minimize the impact of potential data breaches such as this one. Furthermore, Palatinus stated:

“Even if the data was leaked from any of the mentioned party e-shops, the hardware wallet secret keys were not exposed, therefore the hacker or any other potential person that gets hold of the database won’t get access to your secret keys stored on a hardware wallet. Trezor does not collect any data from your hardware wallet or Trezor Wallet app.”

Crypto exchanges’ rubbish hack claims

Another aspect of this recent data breach is that the hacker claimed to have obtained a host of customer information from prominent crypto exchanges and investment platforms such as Coinigy, BitSo and Plutus. 

Cointelegraph spoke with Coinigy co-founder William Kehl, who stated that one of Coinigy’s third-party Stripe accounts was compromised back in 2016, and as a result, an attacker was able to access info related to more than 500 customers. This data included the last four digits of customers’ credit card numbers, their names and their addresses along with associated emails. However, as part of the above-stated breach, Kehl maintains that none of Coinigy’s internal databases — including user accounts, passwords or API keys — were compromised. He added:

“We were immediately alerted to the incident when it occurred, and we immediately locked these accounts and our entire platform down, required all users to perform a complete security audit including but not limited to new passwords and API keys before they were able to log back into the platform. Again, what you see offered by the ‘hacker’ was not acquired from our database, but through gaining momentary access to some third party services we used.”

Similarly, addressing the rumors surrounding the hack, a spokesperson for Mexican cryptocurrency exchange Bitso told Cointelegraph that having investigated this alleged threat, the company’s security team has not found anything out of the ordinary. He added:

“We activated the pre-established protocols to review this potential event, and we will be informing users. At this time, we have not found evidence that a third party has sufficient information to access our customers’ accounts.”

The same thoughts were mirrored by David Morrison, community manager for Plutus, a crypto-fintech firm. Morrison stated that after having investigated several possible attack vectors, his company’s security team was not able to find any evidence of a hacking attempt. He said, “So far we have not found any solid evidence of successful hacking attempts. Regardless, we are taking all precautions possible and informing our customers appropriately.”

Jumping the gun

On May 19, BlockFi reported a data breach that arose due to a SIM-swap attack, resulting in compromised customer data held by the company, such as full names, email addresses, dates of birth and physical addresses. Etana, a custody firm that services the crypto exchange Kraken, also fell victim to a similar data breach last month.

While customer funds were reportedly not affected in any way throughout the aforementioned cases, whenever a story emerges about some platform being compromised, people tend to jump to the worst conclusion right away.
