Never reveal your private keys! – Last July, the hardware wallet manufacturer Ledger revealed that its database had leaked personal data of its customers. Since then, these same customers have had to endure various phishing attempts, be it the "classic" ones by e-mail, or even by SMS for those who had given their phone number to Ledger. And unfortunately, things are unlikely to get any better.
More than a million e-mails revealed, nearly 300,000 customers put at risk
When we thought things couldn't get any worse... As our colleagues at Bitcoin.fr report, a hacker has made Ledger customers' private data available online – for everyone to see.
According to the hacker's message below, published publicly on RaidForums:
"Today, I made Ledger.com's database available for you to download for free (…) The first confirmed [purchase] price I saw for this database was 5 BTC. (…) Today you can get it for free."
Screenshot of the hacker's message, source: Bitcoin.fr
According to the hacker, a total of 1,075,382 e-mail addresses and 272,853 telephone numbers and physical addresses were disclosed. According to Bitcoin.fr, 16,000 of Ledger's French customers would be affected. According to Ledger, which we contacted, the data could cover the last three years.
In any case, this is far more than the 9,500 leaked private contact details that Ledger had initially announced when the hack was revealed at the end of July 2020. These customers are, however, the most at risk: in the worst case, physical threats or burglaries could occur, since their postal addresses have been revealed.
According to Benoît Pellevoizin, Ledger's VP Marketing, the hackers would have exploited a "service provider error" by the company in charge of their e-commerce module: the provider had hard-coded, in cleartext, the API keys used to manage these very sensitive files directly in the module's code.
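As an added illustration of the failure described above (not Ledger's or its provider's code; the module text, key value and names are constructed), a minimal scanner that flags a cleartext API key assigned as a literal in source, beside the hardened form that reads the key at runtime and refuses to start without it:

```python
import os
import re

# Constructed sample: an e-commerce module that embeds its API key in cleartext,
# the pattern the article describes (hypothetical key value and names).
VULNERABLE_MODULE = '''
SHOP_API_KEY = "sk_live_EXAMPLE0123456789abcdef0123456789"
client = ShopClient(api_key=SHOP_API_KEY)
'''

# Hardened form: the key is supplied by the environment (or a secret manager)
# at runtime and never lands in the source tree or the repository history.
HARDENED_MODULE = '''
SHOP_API_KEY = os.environ["SHOP_API_KEY"]
client = ShopClient(api_key=SHOP_API_KEY)
'''

# A credential-like name assigned a quoted literal of 16+ characters.
SECRET_ASSIGNMENT = re.compile(
    r'(?i)\b([A-Z0-9_]*(?:api[_-]?key|secret|token|password)[A-Z0-9_]*)'
    r'\s*[:=]\s*["\']([^"\']{16,})["\']'
)

def find_hardcoded_secrets(source: str):
    """Return (line_no, name, redacted_value) for every literal credential found."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        m = SECRET_ASSIGNMENT.search(line)
        if m:
            value = m.group(2)
            # Redact before reporting so the finding itself does not leak the key.
            findings.append((line_no, m.group(1), value[:4] + "..." + value[-4:]))
    return findings

def load_api_key(env_name: str = "SHOP_API_KEY", environ=None) -> str:
    """Runtime lookup that fails closed: no literal fallback if the secret is missing."""
    environ = os.environ if environ is None else environ
    key = environ.get(env_name)
    if not key:
        raise RuntimeError(f"{env_name} is not set; refusing to start without a credential")
    return key

if __name__ == "__main__":
    print("vulnerable:", find_hardcoded_secrets(VULNERABLE_MODULE))
    print("hardened:  ", find_hardcoded_secrets(HARDENED_MODULE))
```

Run the scanner as a pre-commit or CI step over the module's source; a non-empty result means the credential shape in the article is present and should be moved out of the code before it is deployed or pushed.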
How do you know if you are a victim of the Ledger leak?
Small consolation: because the data has been published where anyone can access it, you can check here whether yours has been stolen or not. The 'Have I Been Pwned' team also tries to notify by e-mail the customers whose contact details have been revealed.
Yours truly has checked for himself and, fortunately, only my e-mail address has leaked (thank God I didn't order and give out the rest of my contact details). By the way, for such sensitive items, and everything to do with cryptocurrency in general: prefer delivery points or professional addresses to your personal postal address, when possible. I'm now in for a few more spam e-mails, but it could have been worse.
The teams of the manufacturer of the Nano S and X, whom we contacted, tried to play down the situation – even if the flaw is what it is:
"(…) We tried to be transparent. (…) In June, a researcher warned us that our e-commerce database was accessible. (…) Our Ledger Donjon service and Orange Cyberdefense estimated the damage at 1 million e-mails and 9,532 sets of personal data. (…) We can now confirm that the breach is more extensive."
Benoît Pellevoizin, VP Marketing of Ledger
However, the figure of more than 200,000 detailed records, which leaked yesterday, was eventually confirmed by the same Ledger spokesman.
It cannot be repeated enough: never divulge the 24 words of your private-key recovery phrase, whether the request comes from an e-mail, a text message or a phone call. This hack of their database was a real shock for the Ledger teams. The leak is all the more unfortunate because their hardware wallets themselves have remained unbroken until now.