Ledger Database Dump: Was My Data Leaked and What To Do Next? (UPDATED)

Sead Fadilpašić

Following the hackers’ massive dump of customers’ personal information stolen from France-based major hardware wallet manufacturer Ledger, the Cryptoverse has been hard at work providing ways for users to check if they’ve been included in the breach, as well as suggestions on what to do next. They also shared advice to all crypto-buyers on how to potentially make safer crypto purchases. (Updated at 16:14 UTC: updates in bold.)

Source: Adobe/Benjamin Clapp

As is well known by now, a database reportedly containing more than a million email addresses of Ledger users and more than 270,000 physical addresses and phone numbers was dumped on Raidforums, a website for sharing hacked databases. “We are still confirming, but early signs tell us that this indeed could be the contents of our e-commerce database from June, 2020,” said Ledger.

As Ledger stated earlier, this leak doesn’t contain passwords, recovery phrases, or payment information (customers’ phrases are not stored in the first place) – which further underlines the warning not to share the 24-word recovery phrase with absolutely anybody, even if they say they are Ledger.

“Since we discovered the data breach in June 2020, we worked with an external security organization to conduct a forensic review. The review confirmed that only 9,500 individuals were impacted, all of whom were personally contacted by Ledger Support. Since the phishing attacks started to occur, we anticipated more information could have leaked and continued to notify all users via Twitter and email,” a Ledger spokesperson told Cryptonews.com.

Later, in an email to its clients, the company confirmed that:

“The database publicly released yesterday shows that a larger subset of detailed information has been leaked, approximately 272,000 detailed information such as postal address, last name, first name and telephone number of our customers. These details are not available in the logs that we were able to analyze.”

“If you are part of the detailed personal information subset, you will receive a specific email notifying you within the next 24 hours (check your spam box),” they said, adding that they have taken down more than 170 phishing websites since the original breach.

Also, they have set up a webpage sharing the anatomy of phishing attacks so users can avoid falling for them and report any new attacks: https://www.ledger.com/phishing-campaigns-status.

There are some ways you can check if your information was leaked. Cybersecurity site haveibeenpwned.com, recommended by Ledger itself, said it had already listed 69% of the addresses since the original leak, and many commenters, such as Casa’s Chief Technology Officer Jameson Lopp and Ethereum (ETH) core developer Hudson Jameson, recommended checking there whether you’re a part of the database leak.

What now?

“If your data was compromised, make sure you are not using your number for 2FA [two-factor authentication] anywhere. Change to a VoIP [Voice over IP] number, or GA,” advised economist and trader Alex Krüger. Popular crypto trader ‘notsofast’ also suggested using a new phone number and email address, as well as keeping hard copies in a different safe place instead of one’s home (attorney or safety deposit box if you can afford it), and perhaps keeping the old number on an old device and “log any non-whitelisted texts/calls/phishes to that number, as a record in case harassment/abuse escalates (THANKS Ledger 🤬).”

Furthermore, people are warning affected users to take steps to protect themselves against SIM swaps. Others too are arguing for using PO boxes, pseudonyms, burner numbers, and anonymous email accounts for crypto-related purchases in general.

As previously reported, security experts speaking to Cryptonews.com had affirmed that much can be done by the industry and individuals to reduce the scope for breaches, and that the likeliest attacks, such as the Ledger breach, are the ones least likely to steal actual private key or wallet info.

“Although it’s difficult to stay constantly vigilant, investors should scrutinize each instance when they’re asking to provide personally identifiable information that can be tied to their ownership of crypto assets,” said developer Daniel Ternyak.

Possible escalation of abuse

‘Notsofast’ is far from the only one who believes that the abuse will escalate. The harassment has been going on for months already. As reported, scammers have been posing as Ledger via emails and texts in an attempt to trick users into giving them their seed phrases, and occasionally they appear to have succeeded, draining victims’ wallets. The leak’s effect seems to have “spread” to Trezor users as well, as they’ve been a target recently too. Some are saying that they’ve been getting these scam messages every couple of days.

And there are those who think that the abuse may go offline as well. “Is there an option that ledgerhack doesn’t end in torture, robbery, blackmailing or murder?” asked Bitcoin blogger Christoph Bergmann. Network security firm Hudson Rock’s Chief Technology Officer Alon Gal tweeted that the leak and the subsequent dump pose a “major risk” to those affected, arguing that those who bought Ledger often hold a lot of crypto in it, “and will now be subject to both cyber harassments as well as physical harassments in a larger scale than experienced before.”

Many commenters are furious, both about the leak and Ledger’s response at the time and now. “Imo this Ledger leak is unforgivable,” said popular crypto researcher Hasu. “You simply can’t sell hardware wallets and store the personal information of your customers on an online server.” As there seems to be no end to the problems caused by the original leak, there also seem to be increasingly more and louder voices online calling for a lawsuit against the wallet maker.

On Ledger’s part, they said in their Twitter thread that they had alerted the authorities and the users of the breach, hired a new Chief Information Security Officer and executed penetration tests and forensic analysis with external security firms, among other steps taken since July. We asked Ledger for comment.