Cryptocurrency hardware provider Ledger experienced a data leak that led to personal details of customers being compromised. User funds are, however, safe.
Details Of The Ledger Data Leak
In a blog post on July 29, Ledger revealed that its e-commerce and marketing database was hacked between June and July, leaking one million email addresses and other sensitive customer details.
The company noted that a researcher who participated in a bug bounty program flagged the vulnerability in Ledger’s marketing and e-commerce database on July 14. At the time, the company fixed the issue but later discovered that hackers had used a now-deactivated API key to access users’ information on June 25. The leaked data includes personal information ranging from email addresses to full names, postal addresses, and phone numbers.
“Solely contact and order details were involved. This is mostly the email address of approximately 1mln of our customers. Further to the investigation, we have also been able to establish that a subset of them was also exposed: first and last name, postal address, phone number, and product(s) ordered.”
Ledger assured its customers that their crypto assets remained unaffected by the breach as no passwords or payment information was accessed by the attackers. The leak was not related to Ledger’s hardware wallets or Ledger Live security, the company emphasized.
Drastic Measures Called For
While stating that it is “extremely regretful”, Ledger has taken several steps to mitigate the situation. First, the company has notified the customers whose information is at risk.
Second, the firm notified the French Data Protection Authority, the CNIL, on July 17. On July 21, Ledger teamed up with Orange Cyberdefense to analyze the depth of the data breach. The company has also filed a complaint with authorities so that the matter can be fully investigated.
Meanwhile, Ledger told its users to beware of phishing attacks and reiterated that it will never ask customers for their recovery phrases. The firm is also actively monitoring for evidence that the stolen database is being sold on the internet. Thankfully, no such activity has been reported so far.