- Ledger said it was hacked in June when one million emails were compromised.
- No user funds or financial information was accessed.
- Investigations are ongoing with French cybersecurity authorities.
Bitcoin hardware wallet maker Ledger revealed today that its e-commerce database was hacked last month, leaking 1 million emails and some personal documents. No user funds were affected by the breach.
Ledger said the attack targeted only its marketing and e-commerce database, meaning the hackers were unable to access users' recovery phrases or private keys. All financial information—such as payment information, passwords, and funds—was similarly unaffected. The breach was unrelated to Ledger's hardware wallets or its Ledger Live security product, the company added.
"Solely contact and order details were involved. This is mostly the email address of approximately [1 million] of our customers. Further to the investigation, we have also been able to establish that a subset of them was also exposed: first and last name, postal address phone number, and product(s) ordered,” said Ledger in its announcement.
The firm specified that more detailed personal information was leaked in 9,500 cases, including phone numbers, postal addresses and what product they purchased. The announcement added that, "More detailed personal information could have been exposed."
A researcher participating in Ledger’s bug bounty program flagged the issue initially on July 14. The firm patched the problem at the time, but later discovered the breach had occurred weeks earlier on June 25. The cause: A third-party tool that accessed the marketing and e-commerce database using a (now-disabled) API key.
In a note to clients, Ledger CEO Pascal Gauthier said the firm was "extremely regretful" about the incident. He further cautioned users to be wary of phishing attempts: “We take privacy very seriously, we discovered this vulnerability thanks to our own bug bounty program, we fixed it immediately.”
“But regardless of all that we did to avoid and fix this situation, we sincerely apologize for the inconvenience that this matter may cause you,” added Gauthier.
Meanwhile, Ledger said France’s Data Protection Authority, the CNIL, was notified about the breach on July 16. The firm is also working with the Orange Cyberdefense (OCD) to find any evidence of the stolen data being sold online.
All affected users were notified about the breach today and the investigation is ongoing.
Update: This article has been updated with more details from Ledger.
Before you leave, follow us on Twitter to be the first to major stories when they break.