Hackers have released over 270,000 email addresses associated with customers of the popular hardware-based cryptocurrency wallet Ledger. The leak, which allegedly stemmed from a company hack last July, appears to contain over 270,000 customer emails and other identifying information.
The hack does not directly affect the security of the hardware wallets and only involves customer email addresses, profiles, and postal addresses, according to the company.
“It is a massive understatement to say we sincerely regret this situation. We take privacy extremely seriously,” Ledger tweeted. “Avoiding situations like this are a top priority for our entire company, and we have learned valuable lessons from this situation.”
“We’re still investigating this ongoing issue, but the dumped content may be Ledger’s e-commerce database that was exposed during the data breach in June 2020. This database may be used by scammers for phishing attacks through emailing and text message campaigns,” said a company spokesperson. “Our Customer Support team has been working to notify our users via Twitter and responding to questions while also reporting all tweets and Reddit posts that contain a link to the database.”
Looks like fallout from the Ledger customer info leak; I got these emails to an address I used to buy Ledger devices.
— Jameson Lopp (@lopp) November 16, 2020
The leaked data appeared on RaidForums.com, a security message board, and was allegedly posted by a user who had seen the data for sale on other hacker boards for a considerable amount of bitcoin. Independent verification of one of the leaks showed about 191,000 unique email addresses, although other alleged caches could display different data.
“The data was initially sold before being dumped publicly on RaidForums which includes names, physical addresses, email addresses, and phone numbers,” the poster wrote.
“Someone was tryin’ to sell me this for 20 coins, lol,” another poster wrote.
ALERT: Threat actor just dumped @Ledger‘s database which have been circling around for the past few months.
The database contains information such as Emails, Physical Addresses, Phone numbers and more information on 272,000 Ledger buyers and Emails of 1,000,000 additional users. pic.twitter.com/Sv9cQwhuNy
— Alon Gal (Under the Breach) (@UnderTheBreach) December 20, 2020
“This is important because it offers now new vector threats (including physical) to alleged owners of cryptocurrency,” said Ouriel Ohayon, CEO of crypto company ZenGo. He believes that this isn’t a problem with the blockchain itself but with the tools used to protect consumer data.
“The problem is not that of decentralization of private exchange because Ledger is already a decentralized solution,” he said. “The problem is that of database dependencies when you sell hardware or sell anything.”
Bitcoin author and educator Andreas M. Antonopoulos still thinks Ledger is culpable in this case.
“Companies are forced to retain this data and a lot of government regulations (tax, audit, etc.) make companies collect data on the government’s behalf,” he said, likening it outsourcing surveillance. He also expects private companies, especially ones like Ledger, to discard this data regularly.
“If there’s a breach like this, there’s an obligation to educate and inform,” he said. “Ledger failed that duty.”
Given extensive problems with wallet security throughout the industry, this ding reduces customer trust in products that could be protecting, given current bitcoin prices hovering at $US22,000 ($29,110), at least five-figure investments.