Popular cryptocurrency hardware wallet Ledger customer information was made public, indexed, and mirrored, stemming from a breach back in summer of this year. The company, flush with funding and operating for more than half a decade in the ecosystem, prides itself on being among the most secure options for crypto asset holders. Emails, home addresses, and phone numbers floating in cyberspace as a result of the dump are a first challenge for a high profile executive hired by the company this month.
Sunday, 20 December 2020, poster Burgulema111 of Raidforums, announced, “LEDGER.com Full 1KK+ Emails & 272k Full Info Orders. In July 2020, Ledger suffered a data breach after a website vulnerability allowed threat actors to access customers’ contact details,” Burgulema111 continued. “The first confirmed price I saw for this database was 5 BTC. Someone bought it from another guy on one of the forums. Today you can get it for free.”
Raidforum linked two .txt files, containing, “1) 1.075.382 emails subscribed to newsletter,” Poster Burgulema111 typed. “2) 272.853 orders with full info details (Email, Addresses, Phone Number).”
Pseudo-anonymous crypto Twitter personality Jimmy McShill was among the first sounding alarm the same day that Ledger breach info had been made very public. “A hacker is dumping the full @Ledger database dump for free on raidforums! Emails, phone numbers and addresses!
Get ready for a huge spam and phishing wave!”
⚠️⚠️ Uhh shiit! A hacker is dumping the full @Ledger database dump for free on raidforums! Emails, phone numbers and addresses!
Get ready for a huge spam and phishing wave!#bitcoin #cryptcurrencies #phishing #security pic.twitter.com/XAQQHZ2wkW— Jimmy McShill (@JimmyMcShill) December 20, 2020
Mirrored, Indexed
Similarly, breach mirrors began appearing on the likes of Pastebin. Apparently “many people who ordered” from the Ledger have been “receiving SMS nearly every week trying to lead you onto a faked ledger website and phish your seed,” McShill insisted further, suggesting the attack has been going on for months.
Back of the envelope calculations imply over a million email addresses, along with more than a quarter million physical addresses and phone numbers, have been compromised. Troy Hunt, Microsoft Regional Director, and creator and maintainer of @haveibeenpwned, confirmed, “Ledger had over 1M email addresses breached in June, sold, then dumped publicly today. Data also included names, physical addresses and phone numbers.” Nearly 70% were already in the haveibeenpwned database.
New breach: Ledger had over 1M email addresses breached in June, sold, then dumped publicly today. Data also included names, physical addresses and phone numbers. 69% were already in @haveibeenpwned. Read more: https://t.co/F44bBWzioQ
— Have I Been Pwned (@haveibeenpwned) December 20, 2020
Search engine and data archive service Intelligence X quickly indexed the leak.
Massive Understatement
In mid-July of this year, Ledger indeed experienced an “e-commerce and marketing data breach,” but assured its customer base then all was well and under control.
By mid-afternoon of 20 December 2020, however, Ledger connected the current dump back to that breach, apologizing. “It is a massive understatement to say we sincerely regret this situation. We take privacy extremely seriously. Avoiding situations like this are a top priority for our entire company, and we have learned valuable lessons from this situation which will make Ledger even more secure.”
It is a massive understatement to say we sincerely regret this situation. We take privacy extremely seriously. Avoiding situations like this are a top priority for our entire company, and we have learned valuable lessons from this situation which will make Ledger even more secure
— Ledger (@Ledger) December 20, 2020
Burgulema111 of Raidforums was having no excuses. “Ledger you should be ashamed of the way you do business and handle user privacy. Those motherfuckers were telling people with a target on their back in support requests that they were not affected in this data breach yet they actually were. So not only they lied about the amount of leaked information, they were still lying about it even after. Reminder: bitcoin meant to increase privacy, but seems like one of the largest and ‘secure’ bitcoin players don’t give a single fuck about the way they store data.”
A Craft.co profile of Ledger SAS, corporate home of the popular Ledger brand lines of cryptocurrency hardware wallets, so called cold storage, blurbed how its device “prevents hackers or malware to access customer’s sensitive data and steal customer’s bitcoins.”
Welcome Mr. Rodgers to the World of Cryptocurrency
Founded in 2014, the France-based company has grown internationally while supporting hundreds of coins and tokens, from Bitcoin (BTC) and Ethereum (ETH) to exotics such as Bionic (BNC) and Akroma (AKA). Ledger boasts 200 employees, offices in France, New York, and Hong Kong, and has raised some $83 million in various rounds since its founding.
The breach and recent customer data dump is the first challenge for newly acquired Ledger executive Ian Rodgers, now former Chief Digital Officer at luxury brand LVMH Moët Hennessy Louis Vuitton (LVMH). “His mission as Ledger’s chief experience officer will be to expand its consumer business and help bring cryptocurrency ownership to the masses,” The Financial Times (FT) explained earlier this month. “When I look at cryptocurrency, privacy and security, I have a similar feeling I did about music in the early 2000s at the beginning of the streaming era,” Rodgers told the FT during an interview.
As of publication, Rodgers is not listed on Ledger.com in its company deck.
Never Looked Better
In response to the breach and subsequent dump, the company has set up a anti-phising campaign page.
Developer Paul Sztorc lamented how “many famous crypto people’s HOME ADDRESSES will now be revealed,” proving “once again how right I was to warn you all about buying hardware wallets.” His “simple counterstrategy of buying a cheap laptop with cash (+ Electrum) has never looked better.”
Courtesy of the Ledger Leak, many famous crypto people's HOME ADDRESSES will now be revealed
Thus proving once again how right I was to warn you all about buying hardware wallets
My simple counterstrategy of buying a cheap laptop with cash (+ Electrum) has never looked better https://t.co/Mnys9KlJH7
— Paul Sztorc (Bip300 = BTC Maximalism) (@Truthcoin) December 20, 2020
Edward Kelso (@cryptokelso) is a financial technology journalist, CEO of CoinFugazi.com, and correspondent for NaomiBrockwell.com