Topic: Ledger Security Notice - Ecommerce and Marketing data have been exposed

legendary
Activity: 2870
Merit: 7490
Take note that they use CloudFlare, which also prevents Tor users from using Ledger Live (according to a reddit discussion about a year ago).
I guess we can use a VPN without any issues, but that Ledger Live software is a buggy beta product for experimenting with shitcoins and staking.
People use Electrum, I know.

You could use a VPN without major problems (unless you use a shitty VPN with a limited pool of IP addresses used by many users at once), but that's not the point.

Take note that they use CloudFlare, which also prevents Tor users from using Ledger Live (according to a reddit discussion about a year ago).
Still the case. There is no reason they couldn't configure CloudFlare or run a .onion mirror, but unfortunately they have never shown any interest in doing so.

Or at least allow users to do important things from Ledger Live offline, such as providing the firmware file on their website so it can be used to upgrade the Ledger HW offline.
HCP
legendary
Activity: 2086
Merit: 4361
Does anyone know the legal possibilities of those whose complete data has been stolen in case something bad happens to them? Is there a legal basis for a claim for damages, or perhaps on some other basis?
Without having actually looked... I'd be very surprised if there wasn't the standard "We are not liable for any losses incurred by using our website, devices, systems etc" disclaimer buried in their Terms of Service somewhere.


Indeed... (after I actually went and looked it up) from the website Terms of Use:
...
Crypto assets are volatile. You should be fully aware of the level of risk involved before engaging in crypto-related activities. Any loss of data, crypto assets or profit is your sole responsibility.
...


And then the Ledger Live Terms of Use:
Limitation of liability
YOU EXPRESSLY UNDERSTAND AND AGREE THAT LEDGER AND ITS DIRECTORS AND EMPLOYEES SHALL NOT BE LIABLE TO YOU FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL OR EXEMPLARY DAMAGES, INCLUDING, BUT NOT LIMITED TO, DAMAGES FOR LOSS OF PROFITS, GOODWILL, USE, DATA, COST OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, OR OTHER INTANGIBLE LOSSES, RESULTING FROM: (I) THE USE OR INABILITY TO USE THE SERVICES (II) ANY CHANGES MADE TO THE SERVICE OR ANY SUSPENSION OR CESSATION OF THE SERVICES OR ANY PART THEREOF; (III) THE UNAUTHORIZED ACCESS TO OR ALTERATION OF YOUR TRANSMISSIONS OR DATA; (IV) THE DELETION OF, CORRUPTION OF, OR FAILURE TO STORE AND/OR SEND OR RECEIVE YOUR TRANSMISSIONS OR DATA ON OR THROUGH THE SERVICE; AND (V) ANY OTHER MATTER RELATING TO THE SERVICE.

THE ABOVE LIMITATIONS DO NOT APPLY IN RESPECT OF LOSS RESULTING FROM (A) LEDGER’S FRAUD, WILFUL MISCONDUCT OR GROSS NEGLIGENCE, WILFUL MISCONDUCT OR FRAUD; OR (B) DEATH OR PERSONAL INJURY.


And then the Sales Terms:
ARTICLE 8 – LEDGER’S LIABILITY
TO THE FULLEST EXTENT PERMITTED BY LAW, LEDGER DISCLAIMS ANY AND ALL LIABILITY FOR LOSS OF PROFITS, INCOME, VALUE OR DATA, OR INDIRECT, SPECIAL, CONSEQUENTIAL, EXEMPLARY OR PUNITIVE DAMAGES.

YOU ARE SOLELY RESPONSIBLE FOR THE COMPLIANCE WITH THE TERMS OF USE AND THE INSTRUCTIONS PROVIDED IN THE USER MANUALS.

TO THE FULLEST EXTENT PERMITTED BY LAW, LEDGER’S TOTAL LIABILITY FOR ANY CLAIM ARISING FROM THESE TC’s, INCLUDING ANY IMPLIED WARRANTIES, IS LIMITED TO THE AMOUNT YOU PAID TO PURCHASE THE PRODUCT.
....


Basically, they refuse to accept any liability for anything... but that's fairly standard "boilerplate" stuff for pretty much any company.

Although the "gross negligence" part could possibly be argued, that depends on the exact details of the flaw/breach that led to the data being leaked and whether it could be considered gross negligence, I guess...
legendary
Activity: 3234
Merit: 5637
Most people use the same email for everything, and many people fall for phishing scams. If this email list is sold, then the addresses on it are going to be bombarded with a variety of official looking scam emails. Some people will undoubtedly lose their coins due to this.

This cannot be disputed; some people unfortunately think that it is possible to have only one e-mail, which is of course a big misconception. I also have no doubt that some Ledger users will fall victim to a scam despite all the warnings, but now the only thing left is to repair the damage as much as possible.

They also say that they "implement appropriate physical, electronic and organizational procedures to safeguard and secure personal data", which is obviously not the case. You should work under the assumption Ledger Live is logging your IP address for your own safety.

It is wisest to re-examine everything that is served to us as the truth, and assume that it is just the opposite. Such omissions actually reveal that something is not as the company tries to present it to the public; this should not have happened to a company that deals with something as security-sensitive as cryptocurrencies.



Does anyone know the legal possibilities of those whose complete data has been stolen in case something bad happens to them? Is there a legal basis for a claim for damages, or perhaps on some other basis?
legendary
Activity: 2268
Merit: 18711
Therefore, for most there is no real danger - especially if the e-mail you used cannot be linked to your identity in any way.
Most people use the same email for everything, and many people fall for phishing scams. If this email list is sold, then the addresses on it are going to be bombarded with a variety of official looking scam emails. Some people will undoubtedly lose their coins due to this.

but Ledger say they do not log our IP address.
They also say that they "implement appropriate physical, electronic and organizational procedures to safeguard and secure personal data", which is obviously not the case. You should work under the assumption Ledger Live is logging your IP address for your own safety.

Take note that they use CloudFlare, which also prevents Tor users from using Ledger Live (according to a reddit discussion about a year ago).
Still the case. There is no reason they couldn't configure CloudFlare or run a .onion mirror, but unfortunately they have never shown any interest in doing so.
legendary
Activity: 2212
Merit: 7064
Take note that they use CloudFlare, which also prevents Tor users from using Ledger Live (according to a reddit discussion about a year ago).
I guess we can use a VPN without any issues, but that Ledger Live software is a buggy beta product for experimenting with shitcoins and staking.
People use Electrum, I know.
legendary
Activity: 3234
Merit: 5637
Does that mean you're not affected if you only got 1 email? Ledger's statement is a bit confusing.

I think everyone who has ever bought something on ledger.com or is in any way subscribed to that site got the security notice - this is written at the bottom of the received e-mail. Therefore, for most there is no real danger - especially if the e-mail you used cannot be linked to your identity in any way.



It says that Ledger Live isn't affected. You're right that Ledger Live does require the addresses to be sent to the server, and that is indeed quite worrying. I would have expected them to at the very least utilize bloom filters to try to protect their users' privacy. I don't have the time to review their code right now, so I can't really see how the information is exchanged.

Hopefully, people are using third-party software like Electrum instead of their own Ledger Live.

It would be really stupid if Ledger used the same data servers that were hacked for Ledger Live users - I think they should be separate from each other. Those servers (for connecting Ledger Live) really do record our addresses and transactions (same as Electrum servers do), but Ledger say they do not log our IP address.

Earlier, the question was asked whether each Ledger device might have a unique digital fingerprint that could link the owner's addresses and transactions to the data used in the purchase - but Ledger says such a thing is not possible.

greweb
Ledger Live Lead Developer
This is not the identifier of your Nano S but is related to the firmware update process. There is actually no way to identify a given Nano S; there is no serial number, and two Nano S with the same seed are identical from a technical perspective.
legendary
Activity: 2268
Merit: 18711
There is no requirement to give a real name, address, phone number, email, or any other personal information when buying from Ledger. You can give them any credentials you like, ship it to a PO Box or drop-off location, and pay in anonymized bitcoin. I would suggest doing this for all sensitive purchases to protect your privacy.

As outlined by their Privacy Policy (https://shop.ledger.com/pages/privacy-policy), you can request that they remove/erase the data they hold on you. This is probably easier if you are an EU citizen and under GDPR. You should consider doing this for any merchant or service that has no need to continue to hold your information, including any old exchange or web wallet accounts.

I suggested this after the last suspected data breach a few months ago. If you haven't done it yet, do it now. It's not a matter of if there's another data breach - it's only a matter of when. Start deleting your data from anywhere and everywhere you can.

Worth noting that both Ledger and Trezor allow you to request that they erase any details they hold about you from their databases. Although obviously too late for this hack (if it turns out to be true), it would still be worthwhile erasing your details from their databases.

You have the right to request access to your Personal Data, their rectification or erasure, as well as the right to request the restriction of the processing or to object to the processing.

Under Article 15 to 21 of the GDPR, you have the following rights that you are entitled to apply to the collector:
  • Right of access,
  • Right to rectification,
  • Right to erasure,
  • Right to restriction of processing,
  • Right to object.

A reminder to always be very careful about giving out your personal details to anyone, even companies which are as well known as Ledger and Trezor.



According to this reddit post, here is the text of the email sent to individuals who have had more than their email addresses leaked:

Dear client,

On the 14th of July 2020, a computer researcher that participated in our bug bounty program notified us of a potential data breach on the Ledger website. We immediately fixed the breach after receiving the researcher’s report and undertook an internal and external investigation of the situation. While conducting the investigation, we discovered an unauthorized third party had gained access to customer information.

While the majority of the data breach concerned email addresses, we regret to inform you that you are part of the approximately 9500 customers whose detailed personal information were accessed by the unauthorized third party. Specifically, your name and surname were exposed.

This data breach is not linked to our hardware wallets’ security and your cryptocurrency funds are safe. Due to our detailed security measures, attackers cannot steal your sensitive information like your recovery phrase and private keys. You are the only one in control and able to access this information.

We deeply apologize for this security breach and are working with law enforcement to undergo an investigation

Pascal Gauthier, Ledger CEO
legendary
Activity: 2730
Merit: 7065
I hope that whoever gets his hands on the leaked data doesn't go and bother my friend who received my Ledger wallet in a completely different country. He is a bulky one, very hard to attempt a $5 wrench attack on. I am going to warn him just in case.

Did everyone receive the same email as copied in the OP, or is there anyone here who received a different one highlighting that all their details have been exposed?
 
legendary
Activity: 1722
Merit: 2213
@OP You seem to be one of those affected by this leak, so you got the message.
Quote
We’ve sent a second email to all 9500 affected customers for whom our data showed personal details were leaked. This email specify which data are involved.
Source ---> https://twitter.com/Ledger/status/1288452973811703810

Thanks for pointing that out, I had assumed as much, but good to know!

I'm more worried about what @ranochigo just referenced than a fake name at an old address with an irrelevant email address. My email address & details will no doubt be sold to the highest spammer, but this wouldn't be the first time, it's basically what I use it for. Shit happens, but funds are safu. A leaky server is never a good sign though, this is the main point.

The strange thing is why do they keep this data? You are a company that promotes privacy and sells products to protect money.
It may be used in marketing and market data analysis, but what is the need for "personal details" data storage?

The dangerous thing is that they weren't informed until after a few days had passed; it's personal data, so it's best for people to know early about it being leaked. This is the second time that they have done so, and most of those who discover their errors are people outside the company.

This is admittedly a better question: why are they keeping the personal data of their hardware wallet owners in the first place? It's pretty sketchy.
It's almost certainly for marketing purposes, like everyone else does it, so the only real risk/issue is that it gets hacked.... which just happened.
Now the likelihood is that they will be sold to some other marketer, like a merry-go-round.
legendary
Activity: 2352
Merit: 6089
I think it is more than what they say, and I don't trust Ledger until I see a more transparent, detailed report.

They stated that your crypto is safe, but I wonder if any coin addresses were leaked. Just what people want: name, address and potentially the amount of crypto they own, for sale to the highest bidders.

lovely

Possibly affiliates' data was leaked as well.
Affiliates share their bitcoin address, real name and documents to receive payments. Most probably, those addresses are within a Ledger Nano wallet. And an address might be connected to other addresses in the same wallet....
legendary
Activity: 2688
Merit: 3983
@OP You seem to be one of those affected by this leak, so you got the message.
Quote
We’ve sent a second email to all 9500 affected customers for whom our data showed personal details were leaked. This email specify which data are involved.
Source ---> https://twitter.com/Ledger/status/1288452973811703810

The strange thing is why do they keep this data? You are a company that promotes privacy and sells products to protect money.
It may be used in marketing and market data analysis, but what is the need for "personal details" data storage?

The dangerous thing is that they weren't informed until after a few days had passed; it's personal data, so it's best for people to know early about it being leaked. This is the second time that they have done so, and most of those who discover their errors are people outside the company.
legendary
Activity: 3038
Merit: 4418
The hardware wallet needs to send the actual coin addresses to Ledger's servers so you can see the balance on that address. That info possibly getting out, the amount of coin someone has control of, is worrisome to say the least.

At the very least I would move everything to a new wallet (new seed etc.) just so when someone looks up that addy all they will see is what it did have. Of course it's possible to trace the coins to the new addys.

Sucks big time all around.
It says that Ledger Live isn't affected. You're right that Ledger Live does require the addresses to be sent to the server, and that is indeed quite worrying. I would have expected them to at the very least utilize bloom filters to try to protect their users' privacy. I don't have the time to review their code right now, so I can't really see how the information is exchanged.

Hopefully, people are using third-party software like Electrum instead of their own Ledger Live.
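The bloom-filter lookup the reply above wishes Ledger Live used, as an added example (not Ledger's code nor the poster's): the client sends a filter instead of its addresses, the server answers with every address it knows that matches, decoys (false positives) included, and the client discards the decoys locally. SERVER_INDEX, MY_ADDRESSES, server_match and client_lookup are constructed names for this illustration, and the address data is synthetic.

```python
"""Client-side Bloom filter for address-balance lookups (added example).
The server only sees which filter bits are set, so every reply contains the
client's real addresses plus unrelated ones that happen to match."""
import hashlib
import math


class BloomFilter:
    def __init__(self, n_items: int, fp_rate: float):
        # Standard sizing: m bits and k hash functions for a target
        # false-positive rate; a higher rate means more decoys per query.
        self.m = max(8, math.ceil(-n_items * math.log(fp_rate) / (math.log(2) ** 2)))
        self.k = max(1, round(self.m / n_items * math.log(2)))
        self.bits = bytearray(self.m)

    def _positions(self, item: str):
        # k bit positions derived from salted SHA-256 digests of the item.
        for i in range(self.k):
            digest = hashlib.sha256(f"{i}:{item}".encode()).digest()
            yield int.from_bytes(digest[:8], "big") % self.m

    def add(self, item: str) -> None:
        for pos in self._positions(item):
            self.bits[pos] = 1

    def __contains__(self, item: str) -> bool:
        # No false negatives: a real member always has all k bits set.
        return all(self.bits[pos] for pos in self._positions(item))


def server_match(filter_: BloomFilter, known: dict) -> dict:
    """Hypothetical server side: returns the balance of every indexed
    address whose bits are all set; it cannot tell real from decoy."""
    return {addr: bal for addr, bal in known.items() if addr in filter_}


def client_lookup(my_addrs, known, fp_rate):
    """Hypothetical client side: build the filter, query, drop decoys, and
    report how many unrelated addresses hid the real ones in the reply."""
    bf = BloomFilter(len(my_addrs), fp_rate)
    for addr in my_addrs:
        bf.add(addr)
    candidates = server_match(bf, known)
    balances = {addr: candidates[addr] for addr in my_addrs}  # real ones only
    decoys = len(candidates) - len(my_addrs)
    return balances, decoys


# Constructed sample data: a synthetic server index of addresses and balances.
SERVER_INDEX = {f"addr{i:04d}": i * 1000 for i in range(2000)}
MY_ADDRESSES = ["addr0007", "addr0042", "addr1337"]

if __name__ == "__main__":
    for rate in (0.001, 0.05, 0.3):
        balances, decoys = client_lookup(MY_ADDRESSES, SERVER_INDEX, rate)
        print(f"fp_rate={rate}: {len(balances)} real + {decoys} decoy addresses in reply")
```

The privacy gained is only as good as the decoy count and the server's inability to correlate queries; the BIP37 filters used by Bitcoin SPV clients were shown in research to leak wallet addresses once an observer collects several filters from the same client, which is the known caveat of this approach.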
legendary
Activity: 4354
Merit: 3614
However, being a hardware wallet, no addresses nor funds or any sort of sensitive information pertaining to the user's hardware wallet should be leaked. Hardware wallets shouldn't communicate such information with a centralised server for the sake of security. It's highly likely that what they're saying is true.

The hardware wallet needs to send the actual coin addresses to Ledger's servers so you can see the balance on that address. That info possibly getting out, the amount of coin someone has control of, is worrisome to say the least.

At the very least I would move everything to a new wallet (new seed etc.) just so when someone looks up that addy all they will see is what it did have. Of course it's possible to trace the coins to the new addys.

Sucks big time all around.
legendary
Activity: 3038
Merit: 4418
It's bad news for a company that is supposed to protect the user's funds.

However, being a hardware wallet, no addresses nor funds or any sort of sensitive information pertaining to the user's hardware wallet should be leaked. Hardware wallets shouldn't communicate such information with a centralised server for the sake of security. It's highly likely that what they're saying is true.

Anyhow, the main concern right now is the spear phishing attacks that could be initiated against the users with the information that was obtained from the data breach.
legendary
Activity: 3234
Merit: 5637
No one wants bad people to get their hands on their data, and this is certainly something that will damage Ledger's reputation. As for me personally, e-mail is not something that is a problem for me, spam ends up automatically in the trash anyway - but I'm more worried about these 9500 customers whose complete data has been stolen.

I also received an e-mail notification, but I would also like to know if I am one of those 9500 unfortunates whose data will be sold on the black market. I have not received any extra spam in my email so far, and Ledger says that they have not found the stolen information being offered or sold anywhere on the internet.
legendary
Activity: 4354
Merit: 3614
I think it is more than what they say, and I don't trust Ledger until I see a more transparent, detailed report.

They stated that your crypto is safe, but I wonder if any coin addresses were leaked. Just what people want: name, address and potentially the amount of crypto they own, for sale to the highest bidders.

lovely
legendary
Activity: 2212
Merit: 7064
Bad news for the Ledger Cult in the bitcointalk forum.
1 million customer emails leaked, and the detailed personal information of 9500 customers leaked!
https://twitter.com/Ledger/status/1288452973811703810

I think it is more than what they say, and I don't trust Ledger until I see a more transparent, detailed report.
full member
Activity: 626
Merit: 200
Yeah, funds must be safe as long as the "words" are saved as well.

But... our data... who knows.
legendary
Activity: 1722
Merit: 2213
Received via email from Ledger (also see similar blogpost):

Security Notice - Ecommerce and Marketing data have been exposed - Your funds are safe.


Our ecommerce and marketing database leaked, we immediately fixed the breach. Contact and order details were involved. Your funds are safe.

What happened?

On the 14th of July 2020, a computer researcher that participated in our bug bounty program notified us of a potential data breach on the Ledger website. We immediately fixed the breach after receiving the researcher’s report and undertook an internal and external investigation of the situation. While conducting the investigation, we discovered an unauthorized third party had gained access to customer information.  

What personal information was involved?

Contact and order details were involved. This is mostly the email address of our customers. Further to investigating the situation we have also been able to establish that, for a subset of customers were also exposed: first and last name, postal address, phone number and ordered products. Due to the scope of this breach and our commitment to our customers, we have decided to inform all of our customers about this situation.

Payment information, credentials (passwords) or crypto funds are not impacted by this data breach. This data breach has no link nor impact on our hardware wallets and the Ledger Live application. Your crypto assets are safe and are not in peril.

What we have done, what we are doing

We have taken immediate action on 14th of July 2020, to resolve the data breach.

On the 17th of July, we notified the CNIL -- the French Data Protection Authority -- about this data breach and are continuing to work with authorities throughout the legal process.

We are continuously monitoring for evidence of our customers’ contact details being disclosed on the internet, and have found none thus far. We also performed an internal penetration test.

We are currently in the process of filing a complaint before the French public prosecutor regarding the unauthorized access and we will support law enforcement investigation.

We are extremely regretful for this incident. We take privacy very seriously, and we sincerely apologize for the inconvenience this matter may cause you.

What you can do

We recommend you exercise caution -- always be mindful of phishing attempts by malicious scammers.

As a reminder, Ledger will never ask you for the 24 words of your recovery phrase. If you receive an email that looks like it came from Ledger asking for your 24 words, you should definitely consider it a phishing attempt.

We suggest you visit Ledger Academy security section to educate yourself on general security principles and more precisely our article about phishing attacks.

Pascal Gauthier, Ledger CEO

For more information

Our blogpost about the data breach, and the FAQ to answer all your questions. For any additional information, you can directly contact our customer support.

To discover our Privacy Policy and understand what we do with your data, please click here.

If you have any questions, or want to exercise any of your rights granted by Applicable Laws and detailed in our Privacy Policy, please contact our data protection officer at [email protected].




Articles/posts:
Addressing the July 2020 e-commerce and marketing data breach — A Message From Ledger’s Leadership - Ledger
Data Breach at Crypto Wallet Firm Ledger Exposes User's Personal Info - CoinTelegraph
Crypto Wallet Ledger Loses 1M Email Addresses in Data Theft - CoinDesk