- Cybersecurity firm Under The Breach today published a hacker’s claims that hardware wallet users’ data was for sale.
- The hacker alleges that names, addresses, phone numbers and emails of Trezor, Ledger and ShapeShift’s Keepkey are for sale.
- Trezor and Ledger have said they are investigating the breach.
A hacker is reportedly selling stolen data from three popular hardware wallets—prompting an investigation by at least two of the companies allegedly involved.
The hacker claims to have stolen data from Trezor, Ledger and Shapeshift’s wallet, KeepKey. The allegations were republished on Twitter today by cybersecurity firm Under The Breach.
Both of which obtained from a @Shopify exploit.
(suggesting there are many more underground leaks).
— Under the Breach (@underthebreach) May 24, 2020
Under The Breach added that the data was stolen due to an exploit of e-commerce website Shopify. It posted screenshots in which the hacker advertised that the names, addresses, phone numbers and emails of the hardware wallet users were for sale. Passwords were not included.
There are rumors spreading that our eshop database has been hacked thru a Shopify exploit. Our eshop does not use Shopify, but we are nonetheless investigating the situation. We've been also routinely purging old customer records from the database to minimize the possible impact.
— Trezor (@Trezor) May 24, 2020
Sounds grim. But Candice So, a communications manager at Shopify, told Decrypt: "We investigated these claims and found no evidence to substantiate them, and no evidence of any compromise of Shopify’s systems."
The hacker, who was responsible for hacking the Ethereum forum back in 2016, maintains the veracity of their claims. “Only big money” would be accepted for the data, the hacker said, according to another screenshot published by Under The Breach.
Screenshots published by Under The Breach show that the hacker also claims to have the full SQL database for investment platform BnkToTheFuture. Under The Breach said it contacted BnkToTheFuture but “couldn't get them to take it seriously.”
But two of the other companies did take the allegations seriously.
Trezor said on Twitter that it didn’t use Shopify—making a Shopify-related hack impossible. “We are nonetheless investigating the situation,” the company said. “We've been also routinely purging old customer records from the database to minimize the possible impact.”
Ledger also put out a statement saying it is “taking the matter seriously.”
Rumors pretend our Shopify database has been hacked through a Shopify exploit. Our ecommerce team is currently checking these allegations by analyzing the so-called hacked db, and so far it doesn’t match our real db. We continue investigations and are taking the matter seriously.
— Ledger (@Ledger) May 24, 2020
ShapeShift, the company that owns KeepKey, had not commented on the allegations by the time this article was published. ShapeShift did not respond to questions from Decrypt by press time but we will update this story with responses.
Editor's note: This article was updated with comments from Candice So, communications manager at Shopify.