In brief

  • A hacked database of over a million Ledger customer emails has been made available on hacker site Raidforums.
  • The data was stolen during a June 2020 hack of the hardware wallet manufacturer's e-commerce database.
  • No financial information, recovery phrases, or keys were exposed in the attack.

More than a million customer emails that were apparently stolen from hardware wallet manufacturer Ledger were made publicly available on a hacker site today. Ledger said it was still confirming the details of the incident but admitted that the data “indeed could be the contents of our e-commerce database from June, 2020.”

The leaked data, which was published on Raidforums, also includes names, physical addresses and phone numbers of Ledger customers, and appears to originate from a hack of Ledger's e-commerce database in June.

The full leak amounts to over a million email addresses and over 270,000 physical addresses and phone numbers.

Cybersecurity site haveibeenpwned.com said it had already listed 69% of the addresses in the dumped database as having been compromised, from the time of the original hack.

In a series of tweets, Ledger noted that it has been alerted to the database dump, and is "still confirming" whether the leaked information is genuine. "Early signs tell us that this indeed could be the contents of our e-commerce database from June, 2020," the company stated, adding that, "It is a massive understatement to say we sincerely regret this situation."

What information was leaked?

The original hack targeted Ledger's marketing and e-commerce database, meaning that only contact and order details were involved; no financial information, recovery phrases, or keys were exposed in the attack. In 9,500 cases, phone numbers, postal addresses and details of product purchases were exposed in the hack.

The attackers were able to access the e-commerce database using a (since disabled) API key.

Speaking to the Decrypt Daily podcast earlier this year, Ledger VP of Marketing Benoit Pellevoizin warned that the leaked information could be used in phishing attacks in an attempt to hoodwink Ledger customers into handing over their private keys. “Basically, with emails, they can target our clients to impersonate Ledger to ask them for their seed phrase to gain access to coins… we never ask that,” Pellevoizin said.

In a tweet today, Ledger reiterated that users should never share their 24-word recovery phrase with anyone, "even if they are pretending to be a representative of Ledger." The company has also set up a webpage where users can report the details of phishing attacks.

In a statement at the time of the original hack, Ledger said that France’s Data Protection Authority, the CNIL, was notified about the breach on July 16.