It has been a bad year for Ledger, even worse for its users. In the latest development, the hacker of Ledger’s data breach on its e-commerce and marketing database has reportedly dumped the stolen contents of the hardware wallet provider customer database on the hacker site called ‘Raidforums.
According to Alon Gol the network security firm Hudson Rock’s Co-founder, the leaked database contains user information such as email IDs, physical addresses, phone numbers, and more information. Over a million customer emails stolen from the hardware wallet manufacturer were made publicly available on a hacker site today.
Ledger confirmed that payment information, credentials [passwords], or crypto funds were not impacted and the data breach has no link nor impact on the platform’s hardware wallets and the Ledger Live application.
While this security seems like just another addition to the long list of cybercrimes, not everyone is of the opinion that Ledger can be forgiven. The pseudonymous crypto researcher, Hasu, for one posted criticized Ledger in the following tweet:
“You simply can’t sell hardware wallets and store the personal information of your customers on an online server. Cut off business with them, only way companies in this space are gonna learn to take our physical security seriously.”
How Can The Ledger Leak Victims Protect Themselves?
While the information leaked in this breach would not directly compromise a users’ Ledger device and crypto funds, it could however be used [or already being used] in social engineering attacks. This was noted by a well-known cryptographer, Nik Bougalis, who went on to state that the attackers are likely to use the information to target users’ and hence they might very well get emails, phone calls, snail mail, and even packages.
According to the Bougalis, most of these will be “ham-fisted” attempts, which will stand out, while others will be tailored and carefully designed to dupe the victims. He also urged the users’ to approach every email critically.
Furthermore, the software engineer also warned,
“If the phone number you used for your order is used as a 2nd factor anywhere, change it immediately. If possible, avoid using SMS/phone as a 2nd factor altogether. Get a YubiKey or something similar and set up something like Google Authenticator.”
In a series of tweets, Bougalis also asked the victims to use a password manager for everything and enable 2FA wherever they can.
A Quick Synopsis of The Security Breach
This hack seems to originate back in April 2020 to the 28th of June, 2020, when an attacker got access to a portion of Ledger’s e-commerce and marketing database through a third party’s API key that was misconfigured on its website. This apparently enabled unauthorized access to Ledger’s customers’ contact details and order data. The platform claimed to have fixed the data breach within the same day it was detected and the API key was deactivated.
According to the Twitter Handle, ‘Have I Been Pwned’, which was created by Microsoft Regional Director Troy Hunt, revealed that since the time of the original hack, 69% of the addresses in the dumped database as having been compromised.