Ledger data leak: A ‘simple mistake’ exposed 270K crypto wallet buyers

Published at: Dec. 24, 2020

The hacker likely responsible for Ledger’s security breach in July recently dumped a large amount of data exposing the personal information of over 270,000 customers, including phone numbers and physical addresses. The leak also included 1 million email addresses of Ledger wallet owners and customers who were signed up to the company’s newsletter service.

Amid the furor caused by the incident, Ledger says its focus is on improving its security infrastructure rather than reimbursing users for any losses that may occur. Meanwhile, some affected customers are reportedly considering taking legal action against the company in the form of a class-action lawsuit.

The Ledger customer data leak also offers fresh fodder for the debate against implementing more Know Your Customer compliance protocols, critics of which argue that such measures encourage targeted cyber attacks aimed at exposing critical personal data.

Over 270,000 personal account details compromised

As mentioned, the hacker presumably responsible for breaching the Ledger e-commerce database back in July dumped the personal information of thousands of affected users online. The company was blamed on social media for not providing better protection of user data and downplaying the extent of the initial breach. At the time, the hardware wallet maker declared that only 9,500 customers were affected by the security breach.

Addressing the disparity in the reported number of people affected, Ledger issued a statement on Dec. 21 declaring that the leak covered more material than it was able to analyze earlier in the year. However, the company affirmed that customer funds remained safe, adding: “This data breach has no link nor impact on our hardware wallets, the app or your funds. Your crypto assets are safe. While very truly and sincerely regrettable, this breach concerns only e-commerce related information.”

Responding to the incident via Twitter, Ledger CEO Pascal Gauthier remarked that the leak was indicative of the growing threat of cyberattacks. Appearing on the What Bitcoin Did podcast with Peter McCormack, Gauthier commented on the nature of the breach, stating that it was the result of a mistake in the company’s e-commerce stack.

“It’s a wrong API key that got coded on the map client to import the database from the store that got coded in the wrong placements and so, therefore, was coded where it should not have been coded and exposed the database to a simple attack,” explained Gauthier.

Amid the reactions to the leak, some cybersecurity experts highlighted the incident as another indication that database administrators are not deploying encryption when storing user data. The Ledger CEO addressed the lack of encryption on the API keys, saying that the failure to hash the API keys was an honest mistake and not a deliberate attempt to jeopardize customer safety.

Commenting on the leak, Ruben Merre, CEO of hardware wallet maker NGRAVE, remarked that the incident was reflective of rapid growth among crypto firms coming at the expense of security considerations. He added: “So many online platforms get hacked, and not necessarily because of the hackers’ skill. Often, platforms just have bad security governance, let alone implementation.”

‘Scareware’ and other risk factors

The data leak has triggered another round of phishing attacks as rogue actors, now armed with the emails of Ledger users, attempt to trick the wallet’s customers into revealing their 24-word seed phrase. Even before the data dump, such phony emails were a regular occurrence.

However, the exposure of phone numbers and personal addresses potentially opens Ledger users up to more risk factors. Some users have reported attempted SIM-swapping attacks on their numbers, with the hacker presumably trying to compromise two-factor authentication protocols.

Crypto investors have been targets of SIM swap attacks in the past. Back in June, Richard Yuan Li was charged with conspiracy to commit wire fraud in connection with a series of SIM swap attacks that targeted over 20 individuals.

Apart from phishing and SIM swap exploits, the data leak also opens up the possibility of the risk factors moving beyond scareware into the realm of actual physical attacks. Indeed, some users affected by the incident claim to have received threatening messages that demand payment and threaten possible home invasions.

The Ledger CEO has acknowledged the possibility of physical attacks as a result of the company’s oversight, and has also assured users that their hardware wallet devices contain several protective protocols to safeguard against the theft of funds. Among these security measures are incorrect PIN entries that trigger a device format, and a second password that displays a dummy account, leaving the owner’s actual funds safe from bad actors.

Additionally, the consensus among security experts on social media is that consumers should be using post office box addresses or other public pickup locations instead of their actual home addresses for sensitive items like a Ledger hardware wallet. For those with compromised phone numbers, the best line of action appears to be getting a new number and using a new email address to communicate the change to important contacts.

While affected customers continue to deal with the fallout of the leak, Ledger says it is working to prevent future occurrences. In a statement to Cointelegraph, the company stated:

“We are doing everything in our power to cease these attacks and avoid situations like this in the future. Ledger has a set of measures in place to protect our users from falling victims to phishing attacks. We have set up a webpage sharing the anatomy of phishing attacks so users can avoid falling for them and report any new attacks.”

Affected users threaten legal action

Some affected users began advocating for legal action against Ledger immediately following the reported leak. There is even a “Ledger wallet leak” subreddit on the Reddit platform, where users are discussing possible modalities for a class-action lawsuit.

With its headquarters in Paris, Ledger falls under the laws of the European Union. In November, the European Parliament adopted legislative amendments that will allow EU customers to institute class-action lawsuits against companies operating in the region within the next two years.

According to the ruling at the time, once passed into law, class-action lawsuits can be filed against companies operating in the EU for cases involving financial services, tourism and data protection, among others.

Ledger’s EU customers will require a qualified consumer protection body or some other recognized entity to represent the complainants. However, unlike U.S. laws, punitive damages from EU class-action lawsuits are restricted to the actual losses incurred by the class of plaintiffs.

Apart from customers filing a lawsuit against the company, the data leak might also constitute a breach of privacy in the eyes of European regulators, specifically under the EU General Data Protection Regulation. In such situations, the EU has the ability to fine Ledger up to 4% of its revenue.

Indeed, with the Ledger CEO having admitted to the company anonymizing user data improperly, the company could come under scrutiny from EU officials. Recital 26 of the GDPR mandates all companies to ensure complete removal of all the information that can identify users from their cache of stored or processed data.
