Ledger Breach Vastly Underestimated, 270,000 Clients Data Leaked

Ledger was initially hacked in July 2020, but recent reports now reveal the full extent of the summer breach.

Key Takeaways

  • Earlier this summer, Ledger revealed a data breach that exposed over a million customers’ emails.
  • At that time, the company reported minimal damage and quickly patched its system.
  • New reports now reveal that the breach was much larger in breadth and depth.

Share this article

Based in France, Ledger is the largest cryptocurrency hardware wallet company. Despite the firm’s reputation, it failed to secure its database containing the personal data of those customers, according to reports.

Ledger Leak Vastly Underestimated

The company revealed a security error that gave hackers unauthorized access to a database containing the personal contact details of Ledger’s e-commerce clients. The details included email addresses, first and last names, home addresses, and phone numbers.

While Ledger first reported the breach in July 2020, the event’s actual details were only understood yesterday when hackers published the hacked data belonging to hundreds of thousands of people.

Overall, Ledger accidentally exposed phone numbers and home addresses belonging to more than 270,0000 customers.  More than a million customers’ email addresses were also leaked from the marketing database.

Ledger had earlier reported that hackers had stolen the personal data of only 9,500 customers. The data was initially published on Raidforums and then spread to other websites like Intelx and many others.

Source: Alon Gal, CEO of security firm Hudson Rock
Source: Alon Gal, CEO of security firm Hudson Rock

Third-Party API Malfunctions

Ledger found out about the data breach on Jul. 14 during a bug bounty program. Even though the company fixed the issue immediately, it was too late. 

Before the data breach, Ledger had allowed a marketing company (an unknown partner) access to its e-commerce and marketing database through an API. 

But the API was misconfigured on Ledger’s website. 

“The API key misconfiguration at issue has been running since Aug 9, 2018. Based on the information we have, we believe it was discovered and exploited from April 2020 to June 28, 2020,” Ledger reported.

The API key has now been deactivated and is no longer accessible.

Phishing Attacks, Personal Threats

Ledger said the data breach did not cause any direct threat to funds security of users. But experts worry that many customers’ safety is at risk forever.

Alon Gal, Co-Founder & CTO at security firm Hudson Rock said, “This leak holds major risk to the people affected by it. Individuals who purchased a Ledger tend to have high net worth in cryptocurrencies and will now be subject to both cyber harassments as well as physical harassments on a larger scale than experienced before.”

Since July, the breach caused a wave of phishing attempts from hackers. Ledger has also warned customers of many more phishing attempts to come.

As the leak’s breadth is becoming better known, affected clients are now reporting ransom threats via email. As Decrypt reported, an attacker has identified one client by their crypto holdings and home address.

The threat demands the victim pay them $500 or face physical violence.

Share this article

Loading...