
Topic: Ledger 1 Mln Users Data Under Attack - page 3. (Read 718 times)

legendary
Activity: 2394
Merit: 2223
July 30, 2020, 12:21:30 PM
#32
I noticed this story from the email notification yesterday. It was quite surprising to me, coming from such a reputed crypto wallet company, because crypto users use the Ledger wallet to keep their funds safe and protect their privacy as well. So if they can't keep users' privacy safe, then it's really regrettable for us. But the good thing is they disclosed the issue to their users instead of hiding it or misleading them. So users could determine what they should do, like changing credentials. But I did not expect it from Ledger.
legendary
Activity: 3024
Merit: 2148
July 30, 2020, 12:06:31 PM
#31
The safest option is by far a paper wallet, if you have a clean OS that is never connected to the Internet and a dumb printer then you could print your wallets with no issue, the problem is that they are very impractical for daily use but you could always have a wallet with some funds for your daily expenses.

Hardware wallets were supposed to be the best of both worlds, a device that was completely secure and that you could use whenever you want, but now that we have found out that ledger does keep the information of their clients for who knows how long that certainly weakens the security aspect of it and you are probably better off with a paper wallet until ledger and other hardware wallet providers change their policies regarding their data retention practices.

I think the phrase "paper wallet" is very misleading, because paper is just a method of storing the private key. You can't use paper to send Bitcoin or create a new address. You'll always end up using a software or hardware wallet to use the coins stored on paper. So, there's really only 2 kinds of wallets - software and hardware. "Paper wallets" can be created with both kinds.

"Paper wallets" also have some downsides, especially for newbies - a lot of them are offered via websites, and websites can't be audited as well as open source software from a repository. This is why one of the sites that offers paper wallet creation is malicious and steals users funds, but it was hard to prove.
hero member
Activity: 2814
Merit: 734
Bitcoin is GOD
July 30, 2020, 11:40:03 AM
#30
People have been saying "just buy a hardware wallet" for a long time, but it has always been less than a perfect solution, because some centralization and trust has always been involved, and now it was abused. Now potential burglars and kidnappers have a list of people who own some bitcoins, and something like this will never happen with a software wallet, because it doesn't ask you for your personal information during installation.

IMO an old PC with a live OS like Tails is the best cold storage you can get.
The safest option is by far a paper wallet, if you have a clean OS that is never connected to the Internet and a dumb printer then you could print your wallets with no issue, the problem is that they are very impractical for daily use but you could always have a wallet with some funds for your daily expenses.

Hardware wallets were supposed to be the best of both worlds, a device that was completely secure and that you could use whenever you want, but now that we have found out that ledger does keep the information of their clients for who knows how long that certainly weakens the security aspect of it and you are probably better off with a paper wallet until ledger and other hardware wallet providers change their policies regarding their data retention practices.
sr. member
Activity: 254
Merit: 1258
July 30, 2020, 07:31:19 AM
#30
Even though I prefer ledger hardware, things like this do make me want to choose trezor in the future. This kind of thing was totally unacceptable.

Let's hope that the person who took the information was actually the person who reported it and it was them testing the vulnerability beforehand and they never realized that.
legendary
Activity: 3234
Merit: 5637
July 30, 2020, 08:25:31 AM
#29

There is a saying that it is not nice to look forward to someone else's misfortune, because sooner or later the same thing (or something worse) can happen to you. But those who follow the relationship between the two companies know that business competition has long since become more than that. In any case, a good marketing move.



I believe we can also have a different, a more positive perspective from the hack. There are 1 MILLION BITCOIN USERS/HODLERs with Ledger wallets. MORE with other wallets. That's bullish. Cool

We've known this before, according to the Ledger website 1 500 000 Ledger wallets already sold, but given the several different devices the company has produced, some have bought more than one - so the number of unique users is probably less than 1 million (regardless of the 1 million email addresses that were stolen).
hero member
Activity: 1708
Merit: 651
July 30, 2020, 06:13:35 AM
#28
That's specifically what the leaked information would be used for. Given the sensitive information being leaked, attackers could potentially use the information to craft more personalised phishing emails for the victims. Even if it isn't, the sensitive information could also be used in SE attacks against companies.

Phishing is phishing, whether targeted or spontaneous.
You can fall for phishing only through your own fault, no matter how clever it is. We have all the tools to check any link or any information that comes to your email.


Fortunately, the data breach is not that severe, only impacting their merchant information. At the same time, I don't think it's necessary for Ledger (or any other hardware wallet manufacturer) to keep sensitive information of their customers for long periods of time. I would have expected information to be scrubbed regularly.

Logically yes, but in practice we don't know what Ledger does with our data. Some of the employees may sell the database, or the company's shadow policy itself may correspond to this.
We cannot know this, so it is useful to assume such things. Too many companies sell their customer data to others.
copper member
Activity: 2940
Merit: 4101
July 30, 2020, 06:05:17 AM
#27
...At the same time, I don't think it's necessary for Ledger (or any other hardware wallet manufacturer) to keep sensitive information of their customers for long periods of time. I would have expected information to be scrubbed regularly.

I can think of a couple of reasons: the company's accounting, since it is supposed to record everything (payment details, date, and so on). And in France companies must conserve such information for a 10-year period.

But also simply to be able to provide assistance to the customer. I mean for example if you have to be reimbursed for your wallet (for x reason), they have to keep a trace of your order (including your name, method of payment or other).

Otherwise how else could they be sure that you actually bought it on their store and not on Amazon, for example?
hero member
Activity: 2744
Merit: 541
Campaign Management?"Hhampuz" is the Man
July 30, 2020, 04:54:08 AM
#26
Ledger Hardware Crypto Wallet Team Disclosed Data Breach, 1 Mln Users' Data Under Attack




https://cryptocomes.com/news/ledger-hardware-crypto-wallet-team-disclosed-data-breach-1-mln-users-data-under-attack
Good that Ledger's action is faster than what their clients need.
Imagine, the safest wallet in the world is under attack? This is a very stupid action from these hackers.

I believe we can also have a different, a more positive perspective from the hack. There are 1 MILLION BITCOIN USERS/HODLERs with Ledger wallets. MORE with other wallets. That's bullish. Cool
And this is only proving that everything in crypto is a target. But I'm sure this will never happen again, and with a 1 minute breach they can do anything under the sun.
If your email is leaked, expect to see a lot of spam investment offers in your inbox  Grin

In times like these, I wouldn't mind multiplying my Bitcoin with the likes of Elon Musk Grin
And seeing the advertisement on YouTube from time to time? lol

hero member
Activity: 1778
Merit: 520
July 30, 2020, 04:36:40 AM
#25
Ledger Hardware Crypto Wallet Team Disclosed Data Breach, 1 Mln Users' Data Under Attack
A third-party attacker accessed the segments of e-commerce and promotional databases holding the email addresses of customers.
Additionally, 9,500 users were exposed to a leak of order details: name, street address, phone number and the details of what they ordered.
Now a lot of customers will be getting spam in their inboxes about new updates of the wallet along with the links to download those updates. I have seen this a lot of times when the spammers use these data breaches to send the spam mails and the ignorant users fall in these traps pretty easily.

Should we use temp email addresses and temp credentials for that? How to receive packages anonymously? What is the best way to do that? Should we use properly mixed coins for buying hardware wallets? Please note, the only goal of all of that is to preserve our privacy, safety, financial sovereignty, it should not be used to facilitate any illegal activities.
Temporary mails aren't necessary, you can create a separate email for this purpose only. You can have those packages dropshipped and then that service can send you the package after receiving it.
I prefer to send my bitcoins to an exchange which doesn't require any KYC and then let them stay there for a week or two before ordering anything and then send those coins to a new wallet while using proxies or a VPN and then send the bitcoins for ordering what I was about to order. By doing this I satisfy my paranoid nature of leaking any information online.
hero member
Activity: 1344
Merit: 540
legendary
Activity: 2450
Merit: 4415
July 30, 2020, 02:31:22 AM
#23
I am requesting a complete guide on how to buy hardware wallets in the most secure way possible. For example, it could include information on how to properly register on the website, receive wallets, and how to pay for them without exposing your real identity to undesirable third parties. Should we use temp email addresses and temp credentials for that? How to receive packages anonymously? What is the best way to do that? Should we use properly mixed coins for buying hardware wallets? Please note, the only goal of all of that is to preserve our privacy, safety, financial sovereignty, it should not be used to facilitate any illegal activities.

Does anyone have some information on what the more detailed email contains for one of the 9,500 that have been affected? I assume it is something along the lines of your personal data was one of the few taken, blah blah blah, investigators are on the case, etc etc.

There is no information on whether the 9.500 customers that have had their personal data breached, have or have not been explicitly notified of this fact.

They specified this on Twitter:

Quote
If you are part of the approximately 9500 customers whose detailed personal information - name surname, postal address or phone number - were accessed by the unauthorized third party you have been notified 30 minutes ago.

I guess you can breathe easy if you haven't received an email specifying that you were part of the smaller breach.

legendary
Activity: 2898
Merit: 1823
July 30, 2020, 01:01:22 AM
#22
I believe we can also have a different, a more positive perspective from the hack. There are 1 MILLION BITCOIN USERS/HODLERs with Ledger wallets. MORE with other wallets. That's bullish. Cool
legendary
Activity: 3542
Merit: 1965
July 30, 2020, 12:44:08 AM
#21
Do not worry !!!   Your BitCoins are absolutely safe, nothing to see here   Grin Grin Grin Grin Grin Grin Grin   Yes, they know EXACTLY what the hackers got, and are being TOTALLY HONEST about it  Cheesy Cheesy Cheesy

Everyone can sleep well and not worry, they will take good care of you !!!

Hard Facts

Wrong, so so wrong.

When information like your email address and also your physical address are compromised, you are vulnerable to several kinds of attacks. Let me give you some examples:

1. Phishing attacks : Now that these people have these email addresses, they know who owns Ledger hardware wallets and they can customize specific attacks just for that individual. It will look very legit, because only the company would have known your personal data.

2. You are also vulnerable to physical attacks, because these people know your physical address and they might come to visit you, if they live in the same country.

This is much bigger than what Ledger is making it out to be, luckily for me I never store any coins at my physical address.. so they will not find anything at my home address.  Grin
hero member
Activity: 2128
Merit: 532
July 30, 2020, 12:27:45 AM
#20
If your email is leaked, expect to see a lot of spam investment offers in your inbox  Grin

In times like these, I wouldn't mind multiplying my Bitcoin with the likes of Elon Musk Grin
legendary
Activity: 1666
Merit: 1196
STOP SNITCHIN'
July 30, 2020, 12:17:34 AM
#19
Does anyone have some information on what the more detailed email contains for one of the 9,500 that have been affected? I assume it is something along the lines of your personal data was one of the few taken, blah blah blah, investigators are on the case, etc etc.

I found this on Reddit:

Quote
Security Notice - Your detailed personal information has been exposed

Dear client,

On the 14th of July 2020, a computer researcher that participated in our bug bounty program notified us of a potential data breach on the Ledger website. We immediately fixed the breach after receiving the researcher’s report and undertook an internal and external investigation of the situation. While conducting the investigation, we discovered an unauthorized third party had gained access to customer information.

While the majority of the data breach concerned email addresses, we regret to inform you that you are part of the approximately 9500 customers whose detailed personal information were accessed by the unauthorized third party. Specifically, your name and surname were exposed.

This data breach is not linked to our hardware wallets’ security and your cryptocurrency funds are safe. Due to our detailed security measures, attackers cannot steal your sensitive information like your recovery phrase and private keys. You are the only one in control and able to access this information.

We deeply apologize for this security breach and are working with law enforcement to undergo an investigation

Pascal Gauthier, Ledger CEO

The person who received this email only had their name leaked. I assume others will have received emails stating that their phone numbers or home addresses were compromised too.
sr. member
Activity: 254
Merit: 1258
July 29, 2020, 09:51:39 PM
#19
Does anyone have some information on what the more detailed email contains for one of the 9,500 that have been affected? I assume it is something along the lines of your personal data was one of the few taken, blah blah blah, investigators are on the case, etc etc.
legendary
Activity: 3038
Merit: 4418
July 29, 2020, 09:26:52 PM
#18
The announcement is nice and all but hmm, wouldn't some people take advantage of this and send spam mail? I mean, IF, just if, they were able to access a duplicate copy of the email and send it to the affected, they could potentially dupe them into clicking their scam site or something. That is, provided they don't really read the email carefully and notice that the email was a fake Ledger email. Though chances are small, there's still a chance.
That's specifically what the leaked information would be used for. Given the sensitive information being leaked, attackers could potentially use the information to craft more personalised phishing emails for the victims. Even if it isn't, the sensitive information could also be used in SE attacks against companies.

Fortunately, the data breach is not that severe, only impacting their merchant information. At the same time, I don't think it's necessary for Ledger (or any other hardware wallet manufacturer) to keep sensitive information of their customers for long periods of time. I would have expected information to be scrubbed regularly.
copper member
Activity: 2940
Merit: 1280
July 29, 2020, 08:35:11 PM
#17
I have received an email with regards to that, so I'm quite thankful, in a way, to know that they are handling it carefully and letting people know the current situation. Because of the fact that many people need to give an address and name to get your device, it's inevitable, and it is all because of the security and bugs in the system. At least they are doing bug bounty programs for improvement and found that bug.

You can't get the ease of use when having a hardware wallet compared to creating an air-gapped laptop and opening it continuously just to transact.
hero member
Activity: 2702
Merit: 672
I don't request loans~
July 29, 2020, 08:30:03 PM
#16
If you haven't received another mail by 5 pm CET today, at least you don't belong to the 9500 customers whose personal information has been leaked.
This was announced by the official Ledger Twitter account today.

source

There is now also a FAQ section on the website: https://support.ledger.com/hc/en-us/articles/360015559320?s=09
The announcement is nice and all but hmm, wouldn't some people take advantage of this and send spam mail? I mean, IF, just if, they were able to access a duplicate copy of the email and send it to the affected, they could potentially dupe them into clicking their scam site or something. That is, provided they don't really read the email carefully and notice that the email was a fake Ledger email. Though chances are small, there's still a chance.

~
Such information would rather be used on scamming people imo. Looking up their identity, creating fake accounts, setting up the scheme and etc. would be the action hackers would've done instead of robbing houses. Hackers are hackers for a reason, they fight on the internet, not in the real world. And besides, I don't think I've heard of robbing that required so many details. Just the fact that you needed to ask the person his ledger key is enough of a reason to doubt whether you should even do it since it's a huge risk, compared to a normal robbery where you just take as much money or jewels in the house as possible.
hero member
Activity: 1722
Merit: 801
July 29, 2020, 08:21:33 PM
#15
Is it official news on the data breach? I don't know the severity of the breach. It needs more time to confirm how serious it is, beyond what I see from the news. 1 mil. users is the number reported, but we don't know the real one, how big it is.

The only one thing I see and learn from it is "Not your keys, not your bitcoin".

What to do next, from now if you care about your funds and such same breach in the future (not only on Ledger but also on any other exchanges or platforms)?
- Avoid KYC as much as possible: Why KYC is extremely dangerous – and useless
- Try to use good non-custodial wallets as Electrum because you will have full control of your private keys, wallets and funds. Be your own bank this way.