Ledger, the popular hardware wallet, said today that data belonging to over 1 million customers was leaked on a hacker forum.
Ledger users endure data leak
Hardware wallet Ledger said today that details of a database compromised in June were dumped on RaidForums, an infamous online hacking forum, over the weekend. The information has been made available for free, meaning anyone can access the data.
Ledger first announced the leak back in July. It said at the time that only 9,500 particulars were leaked and that the firm was working with French authorities to prevent further vulnerabilities.
But the efforts have fallen short. Today’s data dump comprises over 1 million email addresses (attached to individual wallets that can be checked over a block explorer), as well as personal information of the victims (such as home addresses and mobile phone numbers).
We executed penetration tests and forensic analysis with external security firms to test these and find any additional vulnerabilities on our e-commerce systems.
— Ledger (@Ledger) December 20, 2020
It said in a statement on Twitter, “It is a massive understatement to say we sincerely regret this situation.” Ledger added in further tweets that French authorities were still working on the case to prevent proliferation, claiming that the efforts took down 170 phishing sites where the database details were first put up.
Ledger said it “would learn from this instance” to make the service even more secure for users. However, the broader crypto community was not convinced by the tweetstorm. Much of the consensus was around how to avoid Ledger products entirely in the future, apart from immediate actions to protect one’s identity.
Ruben Merre, the CEO and founder of the NGRAVE ZERO crypto wallet, remarked on the incident to CryptoSlate:
“First and foremost, we hope this data leak is something that everyone in the industry will learn from. As for us, our message has always been that security needs to be an end-to-end story. A hardware wallet is great, but you also need a strong backup solution, compliance with data privacy rules and in the case of a security company, well-thought-out customer data protection (and deletion). End-to-End. Your peace of mind will always be our mission.”
What next for crypto users?
One of the main questions doing the rounds was why did Ledger store all that data in the first place? As a hardware wallet, the firm did need personal information to help deliver the wallet, but storing customer information was, in the views of some, a massive breach of trust.
Friends don't let friends buy or use a @Ledger. ?♂️https://t.co/AgblCjSg2w
— WhalePanda (@WhalePanda) December 21, 2020
Popular crypto influencer “notsofast” said Ledger users whose data was compromised in the leak should get a new contact number and email id at the earliest to prevent any possible phishing.
They added—arguably for users holding large amounts of crypto—that multisig keys and recovery codes should now be kept at a different address than the residence, as the latter was now compromised.
3. Your home is no longer a safe place to store hard copies of seed phrases, or hardware wallets. You may now only store 1-of-n multisig here safely.
Find a new place that is safe, secure, friendly, offline, and accessible to you on the occasions you require.
— notsofast (@notsofast) December 20, 2020
Meanwhile, some users on Ledger’s tweet thread said they would take legal action against the breach and the alleged storage of personal information without permissionless.
How the hell is a company associated with the blockchain space unable to keep our data secure? The entire point of the industry you serve is privacy and and security and you failed at both.
Class action lawsuit inbound….
— Janus (@PinnaclePrimate) December 20, 2020
Ledger did not respond to a mail by CryptoSlate at press time.