More than a million customer emails that were apparently stolen from hardware wallet manufacturer Ledger were made publicly available on a hacker site today. Ledger said it was still confirming the details of the incident but admitted that the data “indeed could be the contents of our e-commerce database from June, 2020.”
The leaked data, which was published on Raidforums, also includes names, physical addresses and phone numbers of Ledger customers, and appears to originate from a hack of Ledger’s e-commerce database in June.
The full leak amounts to over a million email addresses and over 270,000 physical addresses and phone numbers.
Leak is legit.
Over 1,000,000 email addresses
Over 250,000 physical addresses and phone numbers https://t.co/hLoXv3BATk
— Jameson Lopp (@lopp) December 20, 2020
Cybersecurity site haveibeenpwned.com said it had already listed 69% of the addresses in the dumped database as compromised, dating from the time of the original hack.
New breach: Ledger had over 1M email addresses breached in June, sold, then dumped publicly today. Data also included names, physical addresses and phone numbers. 69% were already in @haveibeenpwned. Read more: https://t.co/F44bBWzioQ
— Have I Been Pwned (@haveibeenpwned) December 20, 2020
In a series of tweets, Ledger noted that it has been alerted to the database dump, and is “still confirming” whether the leaked information is genuine. “Early signs tell us that this indeed could be the contents of our e-commerce database from June, 2020,” the company stated, adding that, “It is a massive understatement to say we sincerely regret this situation.”
What information was leaked?
The original hack targeted Ledger’s marketing and e-commerce database, meaning that only contact and order details were involved; no financial information, recovery phrases, or keys were exposed in the attack. In 9,500 cases, phone numbers, postal addresses and details of product purchases were exposed in the hack.
The attackers were able to access the e-commerce database using a (since disabled) API key.
Speaking to the Decrypt Daily podcast earlier this year, Ledger VP of Marketing Benoit Pellevoizin warned that the leaked information could be used in phishing attacks in an attempt to hoodwink Ledger customers into handing over their private keys. “Basically, with emails, they can target our clients to impersonate Ledger to ask them for their seed phrase to gain access to coins… we never ask that,” Pellevoizin said.
In a tweet today, Ledger reiterated that users should never share their 24-word recovery phrase with anyone, “even if they are pretending to be a representative of Ledger.” The company has also set up a webpage where users can report the details of phishing attacks.
MOST IMPORTANTLY: Never share the 24 words of your recovery phrase with anyone, even if they are pretending to be a representative of Ledger. Ledger will never ask you for them. Ledger will never contact you via text messages or phone call.
— Ledger (@Ledger) December 20, 2020
In a statement at the time of the original hack, Ledger said that France’s Data Protection Authority, the CNIL, was notified about the breach on July 16.