Ledger Database Dump: Was My Data Leaked and What To Do Next? (UPDATED)
Following the hackers' massive dump of customers' personal information stolen from France-based major hardware wallet manufacturer Ledger, the Cryptoverse has been hard at work providing ways for users to check if they've been included in the breach, as well as suggestions on what to do next. They also shared advice to all crypto-buyers on how to potentially make safer crypto purchases. (Updated at 16:14 UTC: updates in bold.)
As is well known by now, a database reportedly containing more than a million email addresses of Ledger users and more than 270,000 physical addresses and phone numbers, was dumped on Raidforums, a website for sharing hacked databases. "We are still confirming, but early signs tell us that this indeed could be the contents of our e-commerce database from June, 2020," said Ledger.
As Ledger stated earlier, this leak doesn't contain passwords, recovery phrases, or payment information (customers' phrases are not stored in the first place) - which further underlines the warning not to share the 24-word recovery phrase with absolutely anybody, even if they say they are Ledger.
"Since we discovered the data breach in June 2020, we worked with an external security organization to conduct a forensic review. The review confirmed that only 9,500 individuals were impacted, all of whom were personally contacted by Ledger Support. Since the phishing attacks started to occur, we anticipated more information could have leaked and continued to notify all users via Twitter and email," a Ledger spokesperson told Cryptonews.com.
Later, in an email to its clients, the company confirmed that:
"The database publicly released yesterday shows that a larger subset of detailed information has been leaked, approximately 272,000 detailed information such as postal address, last name, first name and telephone number of our customers. These details are not available in the logs that we were able to analyze."
"If you are part of the detailed personal information subset, you will receive a specific email notifying you within the next 24 hours (check your spam box)," they said, adding that they have taken down more than 170 phishing websites since the original breach.
Also, they have set up a webpage sharing the anatomy of phishing attacks so users can avoid falling for them and report any new attacks: https://www.ledger.com/phishing-campaigns-status.
There are some ways you can check if your information was leaked. Cybersecurity site haveibeenpwned.com, recommended by Ledger itself, said it had already listed 69% of the addresses since the original leak, and many commenters, such as Casa's Chief Technology Officer Jameson Lopp and Ethereum (ETH) core developer Hudson Jameson recommended checking if you're a part of the database leak there.
I've seen one swapped out with PDF files - those are just as dangerous as *.exe files, as malicious scripts can be… https://t.co/ei67yr6I2e— Fiona Kobayashi 🧠 (@fifikobayashi)
"If your data was compromised, make sure you are not using your number for 2FA [two-factor authentication] anywhere. Change to a VoIP [Voice over IP] number, or GA," advised economist and trader Alex Krüger. Popular crypto trader 'notsofast' also suggested using a new phone number and email address, as well as keeping hard copies in a different safe place instead of one's home (attorney or safety deposit box if you can afford it), and perhaps keeping the old number on an old device and "log any non-whitelisted texts/calls/phishes to that number, as a record in case harassment/abuse escalates (THANKS Ledger 🤬)."
Furthermore, people are warning affected users to take steps to protect themselves against SIM swaps. Others too are arguing for using PO boxes, pseudonyms, burner numbers, and anonymous email accounts for crypto-related purchases in general.
might be wise to plan ahead and:— Meltem Demirors (@Melt_Dem) December 21, 2020
- email: use trashmail / yopmail to generate new random email addresses for every site
- phone: use an app generate fake #s or get a second phone to manage 2FA
- mail: get a PO box or mail forwarding service https://t.co/Ku25oz5b2R
As previously reported, security experts speaking to Cryptonews.com had affirmed that much can be done by the industry and individuals to reduce the scope for breaches, and that the likeliest attacks, such as the Ledger breach, are the ones least likely to steal actual private key or wallet info.
"Although it's difficult to stay constantly vigilant, investors should scrutinize each instance when they're asking to provide personally identifiable information that can be tied to their ownership of crypto assets," said Developer Daniel Ternyak.
Possible escalation of abuse
'Notsofast' is far from the only one who believes that the abuse will escalate. The harassment has been on for months already. As reported, scammers have been posing as Ledger via emails and texts in an attempt to trick users into giving them their seed phrases, and occasionally they appear to have succeeded, draining victims' wallets. The leak's effect seems to have "spread" to Trezor users as well, as they've been a target recently too. Some are saying that they've been getting these scam messages every couple of days.
And there are those who think that the abuse may go offline as well. "Is there an option that ledgerhack doesn't end in torture, robbery, blackmailing or murder?," asked Bitcoin blogger Christoph Bergmann. Network security firm Hudson Rock's Chief Technology Officer Alon Gal tweeted that the leak and the subsequent dump pose a "major risk" to those affected, arguing that those who bought Ledger often hold a lot of crypto in it, "and will now be subject to both cyber harassments as well as physical harassments in a larger scale than experienced before."
The $5 wrench attack. Hear it's very effective. pic.twitter.com/5BcN4idgsr— Alex Krüger (@krugermacro) December 21, 2020
Many commenters are furious, both about the leak and Ledger's response at the time and now. "Imo this Ledger leak is unforgivable," said popular crypto researcher Hasu. You simply can't sell hardware wallets and store the personal information of your customers on an online server." As there seems to be no end to the problems caused by the original leak, there also seem to be increasingly more and louder voices online calling for a lawsuit against the wallet maker.
On Ledger's part, they said in their Twitter thread that they had alerted the authorities and the users of the breach, hired a new Chief Information Security Officer and executed penetration tests and forensic analysis with external security firms, among other steps made since July. We asked Ledger for comment.
Please change your plans, do blockchains right.— Gregory Luneau (@LuneauGregory) December 21, 2020
"The only way to secure data is not to collect and store it in the first place; no one is able to secure large amounts of data." @aantonop https://t.co/0QuLhcUs5T
1 mio bitcoiners paid money for a) having worse security than with a paper wallet, b) getting worse usability than with a normal wallet and c) getting ultimately doxxed.— 🚀Christoph Bergmann🚀 (@BTC_de_Blog) December 21, 2020
Maybe we are not as smart as we think we are ...
@lopp In many jurisdictions you are not allowed to setup a PO box without doxing yourself to another company. This… https://t.co/Rx958YxwPp— Chris Ellis (@MrChrisEllis)
I can’t see how that scenario would play out though. That database has no info about how big one’s bags are. If you’re a known whale, bad actors prob. already know enough about you to rob you.— TheFockinFury (@TheFockinFury) December 21, 2020
If someone tries to jack my Ledger they will be sorely disappointed with the haul 🤣
I think this is the end of @Ledger. I hope they’ll get sued into oblivion. If not I’ll personally tell everyone who asks to stay away from them. They not only didn’t protect client data but they lied to clients about it. Their core biz is security. They don’t deserve to survive.— Marc van der Chijs (@marcvanderchijs) December 21, 2020
4. Don't be scared, just be vigilant. Understand that this fraudster is only using your dox data to craft the *appe… https://t.co/IkDQdCckJp— notsofast (@notsofast)
Personal Data Leaks In Crypto Are Inevitable, Here’s What Can Be Done
Crypto And Blockchain Adoption Depends on Security, Trust & User Experience
Crypto Security in 2021: More Threats Against DeFi and Individual Users
A Bitcoin Multisig Primer: How Does it Work & What You Need To Know
Police in Latvia Thwart Brutal Crypto Theft and Murder Plot
Electrum Wallet Phishing Attackers Steal USD 22M in Bitcoin - Report