Ledger Suffered Data Breach, Names, Phone Numbers, Postal Addresses Leaked (UPDATED)
France-based major hardware wallet provider Ledger has confessed that it was hit with a data breach on June 17 that appears to have allowed a “third party” access to at least 1 million of its users’ contact details. (Updated at 10:13 UTC: updates in bold.)
The firm took to Twitter to state that its marketing and e-commerce database was compromised, exposing its customers’ contact details and order information, although Ledger claimed that there was no spill of crypto holdings or client transaction information.
Ledger notified its clients by email today. In a separate blog post, the firm added that it was made aware of the breach on July 14 by “a researcher participating in a bounty program.”
The company also wrote,
“Your funds are safe and have not been compromised. You are the only one in control of your crypto.”
And Ledger claimed that it had “immediately investigated and fixed” the issue.
“A researcher participating in our bounty program made us aware of a potential data breach in our marketing database… https://t.co/R4TM9cvGRi” — Ledger (@Ledger)
However, the scale of the breach appears to be considerable. In an FAQ post, the company explained,
“We know that this database comprises approximately 1 million email addresses that could have been leaked and that 9,500 more detailed personal information leaked as well such as first name, last name, phone number and postal address and products purchased [sic]. More detailed personal information could have been exposed.”
"We are in the process of providing detailed information to that subset via email. These concerned clients will receive a dedicated email at 5PM CET [15:00 UTC]," the company told Cryptonews.com.
Ledger explained that an “unauthorized third party got access to a portion of our e-commerce and marketing database through a third party’s API key that was misconfigured on our website, which allowed unauthorized access to our customers’ contact details and orders data.”
The company appears to have gone into damage limitation mode, with a barrage of PR claiming that no client crypto has been lost and “mainly email addresses” were exposed in the breach.
Pascal Gauthier, Ledger’s CEO, penned a letter to clients, warning them to be on the lookout for phishing attacks in the wake of the breach.
"The most common attacks a scammer can perform with access to email addresses are phishing attacks, so we urge our users to exercise caution, and to remember that Ledger will never ask for your 24-word recovery phrase. Treat anyone who asks for your financial information as a potential scammer," the company told Cryptonews.com.
Gauthier also stated that Ledger has been in contact with the French data protection authority (the Commission nationale de l'informatique et des libertés, or CNIL) and said Ledger is “continuing to work with authorities throughout the legal process.”
“We are continuously monitoring for evidence of our customers’ contact details being disclosed on the internet, and have found none thus far. We also performed an internal penetration test.”
The CEO added that Ledger is “currently in the process of filing a complaint before the French public prosecutor” and said the firm will “support law enforcement investigations.”
“We are extremely regretful for this incident. We take privacy very seriously, and we sincerely apologize for the inconvenience this matter may cause you.”
The company also added that it took the decision to delay the announcement as it “wanted to have all [the] data necessary and needed to perform legal compliance first.”