Ledger Breach Vastly Underestimated, 270,000 Clients Data Leaked
Ledger was initially hacked in July 2020, but recent reports now reveal the full extent of the summer breach.
- Earlier this summer, Ledger revealed a data breach that exposed over a million customers’ emails.
- At that time, the company reported minimal damage and quickly patched its system.
- New reports now reveal that the breach was much larger in breadth and depth.
Share this article
Based in France, Ledger is the largest cryptocurrency hardware wallet company. Despite the firm’s reputation, it failed to secure its database containing the personal data of those customers, according to reports.
Ledger Leak Vastly Underestimated
The company revealed a security error that gave hackers unauthorized access to a database containing the personal contact details of Ledger’s e-commerce clients. The details included email addresses, first and last names, home addresses, and phone numbers.
While Ledger first reported the breach in July 2020, the event’s actual details were only understood yesterday when hackers published the hacked data belonging to hundreds of thousands of people.
Overall, Ledger accidentally exposed phone numbers and home addresses belonging to more than 270,0000 customers. More than a million customers’ email addresses were also leaked from the marketing database.
Today we were alerted to the dump of the contents of a Ledger customer database on Raidforum. We are still confirming, but early signs tell us that this indeed could be the contents of our e-commerce database from June, 2020.
— Ledger (@Ledger) December 20, 2020
Ledger had earlier reported that hackers had stolen the personal data of only 9,500 customers. The data was initially published on Raidforums and then spread to other websites like Intelx and many others.
Third-Party API Malfunctions
Ledger found out about the data breach on Jul. 14 during a bug bounty program. Even though the company fixed the issue immediately, it was too late.
Before the data breach, Ledger had allowed a marketing company (an unknown partner) access to its e-commerce and marketing database through an API.
But the API was misconfigured on Ledger’s website.
“The API key misconfiguration at issue has been running since Aug 9, 2018. Based on the information we have, we believe it was discovered and exploited from April 2020 to June 28, 2020,” Ledger reported.
The API key has now been deactivated and is no longer accessible.
Phishing Attacks, Personal Threats
Ledger said the data breach did not cause any direct threat to funds security of users. But experts worry that many customers’ safety is at risk forever.
Alon Gal, Co-Founder & CTO at security firm Hudson Rock said, “This leak holds major risk to the people affected by it. Individuals who purchased a Ledger tend to have high net worth in cryptocurrencies and will now be subject to both cyber harassments as well as physical harassments on a larger scale than experienced before.”
Since July, the breach caused a wave of phishing attempts from hackers. Ledger has also warned customers of many more phishing attempts to come.
As the leak’s breadth is becoming better known, affected clients are now reporting ransom threats via email. As Decrypt reported, an attacker has identified one client by their crypto holdings and home address.
The threat demands the victim pay them $500 or face physical violence.
Wouldn't want to be a Ledger customer right now 👇 pic.twitter.com/wZoH3OwTLL
— Riku Raisanen (@rikuraisanen) December 21, 2020