Ledger’s new phrase recovery feature has users spooked
Users voice concerns that the Ledger Recover feature is another potential attack vector — storing recovery phrases and ID online.
Ledger has introduced a new feature, sparking concerns among its users.
Ledger Recover is an ID-based subscription service enabling the retrieval of the secret recovery phrase. It applies to Ledger Nano X hardware wallets and will roll out under firmware release 2.2.1.
Up to $545 million in Bitcoin (BTC) was estimated to have been lost in 2022 because of forgotten passwords or mistakes with the recovery phrase, which demonstrates a real need to address the issue.
However, Ledger users have voiced strong objections to the feature as it requires online storage of the secret recovery phrase and association with a passport or national ID card.
Ledger users say no
A Reddit post on the new Ledger Recover feature labeled it “a disaster waiting to happen.”
The OP summarized the arguments against the feature by pointing out the dangers of sharing seed phrases online — referencing Ledger’s 2020 data breach.
“Again, I’m in disbelief about this. Apart from the risks that they’re hacked again, apart from it flying in the face of never sharing your seed, and never storing it online, it opens the door to a whole new level of crypto scammers!”
Most commentators expressed a similar sentiment, with the most upvoted comment adding that the requirement to upload an ID makes the proposition even more unpalatable from a security perspective.
“Yeah, that’s gonna be a no from me, dog. Have to send a picture of your ID as well? Hard nope.”
One user said that subscribing to the new feature is optional, making this a non-event. In response, however, it was pointed out that the mere existence of Ledger Recover “means that your device and seed could be compromised… ID or not.”
Data breach
In July 2020, Ledger’s systems were compromised, leading to the loss of customer data, including names, phone numbers, email addresses, and in some cases, home addresses.
By December 2020, the firm announced that the information was leaked on a hacker forum called RaidForums — enabling anyone to access the information.
Following the data upload, Ledger customers reported being threatened. For example, one Redditor received a text message demanding 0.05 BTC within 48 hours under threat of being killed. Another shared an email demanding $500 in BTC under threat of a home invasion and torture.
“If not, I might show up with my friends when you least expect and we would find how to break you and get your wallet seed.”
Although the consensus was that such messages were empty threats intended to frighten recipients into compliance, Ledger users were still enraged over the company’s data handling practices. Given that history, asking users to upload their ID for the recovery phrase feature is a big ask.
Ledger CEO Pascal Gauthier apologized to users, expressing sympathy for the menacing threats received.
“In Ledger’s name, we very deeply regret this situation. We are aware that many of you have been targeted by e-mail and SMS phishing campaigns and that it’s clearly a nuisance. I know this breach is disappointing at best and infuriating at worst.”
Cryptocurrency, as an emerging sector, presents several inefficiencies and pain points. However, as things stand, being your own bank requires you to take responsibility for your recovery phrases.