Data Breached
Ledger, a French company that makes crypto wallet hardware, fell victim to a large-scale data breach in June. However, they did not become aware of the breach until last week when they were contacted by a security researcher who was participating in their bug bounty program. The researcher informed Ledger on July 14 that there had been a potential breach on their website. Ledger responded by immediately fixing the problem and conducting an internal investigation. A week later, during the investigation, Ledger discovered that there had already been a similar breach back in June. The investigation revealed that a hacker had used an API key to breach their marketing and e-commerce database. Although the hacker’s identity remains unknown, Ledger has since re-secured the database by deactivating the API key in question.
What was Stolen
Since the Ledger database was being used to send out promotional emails and order confirmations, it mainly contained email addresses. Consequently, the breach resulted in the large-scale compromise of email addresses pertaining to some 1 million of Ledger’s customers. Furthermore, 9,500 of these customers also had personal information like first name, last name, postal address, and phone number exposed. Order details were also exposed. In a blog post published by Ledger just yesterday, to allay customer fears, the company confirms that “…no payment information, no credentials (passwords), were concerned by this data breach. It solely affected our customers’ contact details”. The post goes on to say that “This data breach has no link and no impact whatsoever with our hardware wallets nor Ledger Live security and your crypto assets, which are safe and have never been in peril.”
Ledger’s Response
Ledger has stated that they are monitoring the internet for evidence that the stolen data is being sold on the dark web. So far, the company has found no evidence of this. Ledger have also filed a complaint with the French data protection authorities. And it has partnered with a cybersecurity firm to fully investigate the situation and to assess the potential damage of the breach. To protect against such API key breaches in the future, Ledger has stated that they will be running more rigours penetration testing going forward. The company also stated that they are working towards meeting the requirements for ISO 27001 certification. This is an international framework for managing information security management systems. Benoit Pellevoizin, the VP of Marketing at Ledger, is on record as stating that this certification is “key” to protecting data from breaches like this in the future. Ledger’s breach is not the first time that crypto wallets have come under attack via company websites. Earlier in the year chrome extensions were used to target crypto wallet keys.
Ledger Warns Customers
Since email addresses were exposed, Ledger has warned its customers to be wary of phishing attempts. The company emphasized to its customers that it would never ask for their 24-word recovery phrase. Therefore, emails asking for this information should immediately be regarded as a phishing attack. Ledger also suggests that customers “visit Ledger Academy security section to educate yourself on general security principles and more precisely our article about phishing attacks.”