In brief

  • Ledger has disclosed details of a huge data breach.
  • The breach exposed 292,000 customers.
  • Ledger is updating its privacy policy in response.

Parisian hardware wallet company Ledger has disclosed that personal details of a further 20,000 customers were exposed following a security breach of its databases, bringing the total affected to 292,000.

In a blog post today, Ledger also announced that it has updated its data privacy policies to minimize future harm and put out a bounty of 10 Bitcoin for anyone who can rumble the hacker. 

The post disclosed the full extent and timeline of the data breach, which started as early as April 2020 and affected approximately 292,000 customers. 

The breach, the company found out last month, was due to “rogue member(s)” of the support team of Shopify, the e-commerce company that handles Ledger’s sales. 

Between April and June, 2020, those rogue agents used their API access to obtain transactional records of customers, including Ledger’s.

In May, someone claimed to have information about Ledger's customers from a leaked Shopify database. In response, Ledger said that "it is our conviction that this is merely an attempt at spoiling Ledger’s reputation and is nothing but a hoax." Kendall Clark, a spokesperson for Ledger, told Decrypt that "The two events are unrelated. Our data and security teams concluded that there was no leaked database during that time," and that Shopify confirmed this.

Ledger got wise to the data breach when a researcher emailed it on July 14, 2020. Ledger found that about one million email addresses were stolen, as well as about 10,000 records of personal information, which includes postal addresses, names and phone numbers.

But it wasn’t until December 2020 that Ledger says it understood more about the attack, which it discovered had leaked information about 272,000 customers. Now, a month later, Shopify has informed Ledger that details of a further 20,000 customers were leaked, bringing the total number to 292,000.

Rich Sanders, CEO of CipherBlade, a blockchain forensics firm, told Decrypt, “It's typical for companies in this space to downplay or outright deny hacks. It's plain that Ledger wasn't forthcoming initially.” He added, “They gambled on downplaying and lost.”

High Net Worth Individuals

Databases get leaked all the time, but particularly sensitive is the information about the addresses and contact details of people known to hold a lot of money. 

The Ledger breach "effectively 'curated' a list for fraudsters," said Sanders.

Curious about the whereabouts of an obnoxious venture capitalist who tweets about their Bitcoin fortunes? Check the data dump. 

Newly-minted decentralized finance projects that entrust their funds, held in Ledger wallets, to just a few people? Yup, they’re in the dump.

Customers receiving phishing emails were concerned that they would become targets for things like home invasions.

Ledger CEO Pascal Gauthier told Decrypt last month: “Even though it’s a possibility and we don’t deny it’s a possibility, it’s not the highest possibility that this will happen. The database has been out since June and no-one has [ever] reported any attack of this sort.” The breach did not affect the security of its hardware wallets.

Next Steps For Ledger

Ledger said today that it is “deeply sorry that these incidents occurred and for any pain or stress they’ve caused our customers.”

Ledger said it is working with law enforcement and blockchain forensics firms to trace the hacker and has created a bounty fund of 10 Bitcoins (roughly $350,000) “for information leading to successful arrest and prosecution.”

The company will also update its privacy policies. It aims to “completely delete” the personal data of customers and urge third-party providers “to keep this data for as short a period of time as necessary.” Additionally, it will silo data it must keep for a long time.

“These attacks have only strengthened our resolve to build and release products that keep you and your crypto safe,” it said.