In brief
- Ledger said it was hacked in June when one million emails were compromised.
- No user funds or financial information was accessed.
- Investigations are ongoing with French cybersecurity authorities.
Bitcoin hardware wallet maker Ledger revealed today that its e-commerce database was hacked last month, leaking 1 million emails and some personal documents. No user funds were affected by the breach.
Ledger said the attack targeted only its marketing and e-commerce database, meaning the hackers were unable to access users' recovery phrases or private keys. All financial information—such as payment information, passwords, and funds—was similarly unaffected. The breach was unrelated to Ledger's hardware wallets or its Ledger Live security product, the company added.
"Solely contact and order details were involved. This is mostly the email address of approximately [1 million] of our customers. Further to the investigation, we have also been able to establish that a subset of them was also exposed: first and last name, postal address phone number, and product(s) ordered,” said Ledger in its announcement.
The firm specified that more detailed personal information was leaked in 9,500 cases, including phone numbers, postal addresses and what product they purchased. The announcement added that, "More detailed personal information could have been exposed."
A researcher participating in Ledger’s bug bounty program flagged the issue initially on July 14. The firm patched the problem at the time, but later discovered the breach had occurred weeks earlier on June 25. The cause: A third-party tool that accessed the marketing and e-commerce database using a (now-disabled) API key.
Hacker claims to have stolen data from Ledger, Trezor and KeepKey
A hacker is reportedly selling stolen data from three popular hardware wallets—prompting an investigation by at least two of the companies allegedly involved. The hacker claims to have stolen data from Trezor, Ledger and Shapeshift’s wallet, KeepKey. The allegations were republished on Twitter today by cybersecurity firm Under The Breach. The Ethereum forum hacker is now selling the databases of @Trezor and @Ledger. Both of which obtained from a @Shopify exploit.(suggesting there are many mor...
In a note to clients, Ledger CEO Pascal Gauthier said the firm was "extremely regretful" about the incident. He further cautioned users to be wary of phishing attempts: “We take privacy very seriously, we discovered this vulnerability thanks to our own bug bounty program, we fixed it immediately.”
“But regardless of all that we did to avoid and fix this situation, we sincerely apologize for the inconvenience that this matter may cause you,” added Gauthier.
Ledger Nano X Review (2021): An Expensive Step In The Right Direction
Design and build What's in the box? Ease of use Getting Started Features Supported crypto assets Security Verdict Since cryptocurrencies were invented over a decade ago, there have been many attempts to build more advanced, secure and user-friendly walletsto store them. As of 2021, the current gold standard for security is known as a hardware wallet—a physical device that stores your cryptocurrency private keys in a secure offline environment. One of the most prominent companies involved i...
Meanwhile, Ledger said France’s Data Protection Authority, the CNIL, was notified about the breach on July 16. The firm is also working with the Orange Cyberdefense (OCD) to find any evidence of the stolen data being sold online.
All affected users were notified about the breach today and the investigation is ongoing.
Update: This article has been updated with more details from Ledger.
Before you leave, follow us on Twitter to be the first to major stories when they break.
