Topic: Ledger Security Notice-Ecommerce and Marketing data have been exposed-Funds Ok (Read 311 times)

Man, you are a visionary. Putin has already enforced such rules by signing the law which "prohibits the use of cryptocurrency as a payment means". I wouldn't be shocked to learn they start to compile the list of those citizens who already used it.

Hello maybe yes, but there is a confirmation message which DmdrDmdr saw on twitter. There is unique email that will be sent a second one with the specific leaked on each user. Ive just recently bought my ledger so Ive expect my email used could be included ( hope not) but I followed up a message to them confirming and just waiting their response.


This is reassuring. Not really a big holder, emailed leaked is really frustrating especially if its your personal email that was used in purchasing the unit.

An email demanding such course of action would likely not be taken seriously (meaning by that, executed correctly) unless the corporation has a properly tested inner protocol already established for such cases, and the jurisdiction they are under covers the event.

For example GDPR allows you to demand your personal data to be deleted, but there are many things to consider in the equation. A purchase order can be considered as a financial contract, and financial contracts need to be stored for a certain amount of years, superseding GDPR. Additionally, backups are another potentially exploitable weak point (and that is one hell of a job to delete from a backup in general).

Even so, if one is concerned, and the case here raises awareness and concerns, one is always entitled to try and see what kind of response they get, alongside the guarantees that the deletion actually takes place (if at all).

A random shower thought I just had: would e-mailing these companies and kindly asking them to erase all the data they stored about you be a good idea to consider for future orders/accounts we make? I think it does increase the chances of not being part of future data leaks/hacks, or it at least decreases the amount of information one could steal.. especially for orders from companies such as Ledger, from where you rarely place orders at all.

You'd be surprised what a certain country's government would do just to get what they want. Probably safe for now since most countries are pretty chill with bitcoin and cryptocurrencies in general, but wait til some of them enforces strict rules.

I think government could not do harm to their community wether holding crypto or not. But I guess the real problem is all about misuse of the identity being taken from the said event. It is likely a big problem to those individuals especially if their identity will be use for criminal activities and get drag into it by the misuse of the criminals. I have obeserve that government does not really rely based on stories when they caught a suspect. They rely on the evidences and identity being exposed of the crime.

Sure it's really likely that the database wouldn't be given to some criminals(or publicly leaked) today or tomorrow, but yea this is something people shouldn't set aside for the meantime and deal with it in the future instead; which I assume people are doing.

Anyway, this shouldn't solely be a $5 wrench issue. The data being publicly available also means the government is going to know which people actually poses bitcoin and cryptocurrencies; which is also definitely a bad thing.

No, the chances it was the government who did this, hacking into the ledger system and stealing users email addresses is almost nil in my opinion, some governments obviously may not support crypto, but they also don't sell people's email addresses in the black market or try to scam through phshing mails, the hack surely is the work of scammers who have always targeted crypto (bitcoin) users ever since its value skyrocketed.
I'm so sure ledger users will be getting extremely paranoid atm, i also want to add that should the hackers sell this data to people who can actually do physical damage, it will be carried out many months from now, not at this time the issue is still 'hot topic', so those 'breached' users should up their guard, not just for the meantime, but for many months to come

Ladies and gentlemen, if you have have been a customer of Ledger and you got their products delivered in your home, now might be the perfect time for you to learn about $5 wrench attacks.

• https://cryptosec.info/wrench-attack/
• https://blog.keys.casa/how-to-protect-your-bitcoin-from-5-wrench-attacks/

Ok, thanks. Good to know that those 9.500 customers involved in the personal data breach were explicitly informed on which specific data was involved. This was done through a second email, distinct from the one reflected in the OP, which was sent to the 1M breached emails.

I’ve skimmed through the whole twitter conversation, and have found one reference from a person who allegedly bought his Ledger device 3 years ago, and received the above described second email. If the case is true, the pattern (which is not revealed) does not circumscribe to those that made a recent purchase (as some people speculated there).

Ledger doesn't appear to have enough customer information for identity theft. The main concern is phishing given that that 1 million email addresses were compromised. There may be a theoretical chance of $5 wrench attacks, but since there is no association between Ledger customers and actual cryptocurrency holdings -- no way to target big holders -- the chances seem remote.

If you received an official email from them, then you are one of the 9,500 customers affected by the hack.

Please check the sender to be sure if it's actually from Ledger.

We can't say for sure since they can store customer data for up to 10 years.


Those 9,500 customers affected are probably fuming upon learning their personal data got leaked. I'm not victim blaming or anything but I wonder if they all read what's stated in the Ledger's Privacy Policy?

- https://shop.ledger.com/pages/privacy-policy

They can request for the erasure of their personal data but the risk was already there when they bought their wallet. I don't think Ledger will ever change their privacy policy but this is something potential customers should be aware of too.

Ive received too the security notice from Ledger, but checking in on their social media how to know if I were part of those. I think my information were safe. At first I thought the mailed was a spam email but checking the social media and it did sync in that they were breached.

---

Can anyone from ledger users confirm here if ever you got emailed from them about the qoute aboved? I think they should aplogize to those 9500 users who were affected and give them compensation and assurance just in anycase their profile has been caught doing any illegal activity as scammer can used their details.

Yes pretty sure Identities could be use in scamming. There are many individuals being directed as scammers even not really connected to the scam instead it was only his identity being used to prove that they are legit and exposed the victims Identity. This is a very serious problem in the future. It is because identities can be use and tag to a scam activities. This is even common to facebook where many users are copying pictures and identity of others then selling. The hard part is that identity is not the true identity of the scammer.

They specified this on Twitter:


I guess you can breathe easy if you haven't received an email specifying that you were part of the smaller breach.

This is all very disappointing considering what Ledger is in the business of. This is yet another reminder -- don't reuse email addresses, and use P.O. boxes for sensitive purchases.

To add to what @HeRetiK has already said, hackers are more likely to sell your data rather than use it. Trezor's blog actually covers this:


Actually utilizing the hacked data is usually a big operation, and the hackers themselves may not have enough resources to fully take advantage of it. That being said, your data could easily end up with a random person/group within your vicinity, and we have no idea what kind of action they would take. I agree that it's far more likely for them to be used in a social engineering attack, but physical assaults relating to crypto aren't unheard of (and it might even be safe to assume that they're uncommon because attackers aren't aware who HODLs; this dataset can provide them with a full list), so I'd say it's important to highlight this risk.

This information release explains the incident a wee bit further:
 https://www.ledger.com/addressing-the-july-2020-e-commerce-and-marketing-data-breach

If we take it as is:

- The data breach was performed through an unauthorized use of an API Key to access both the Marketing and e-commerce data.

- They figure that 1M email addresses may have been retrieved through the API (I figure they keep logs of API usage, and should be able to be certain of this fact).


- Personal stolen data was delimited to that of 9500 customers (they do not provide a criteria here to know who may be affected by this part of the breach).

- All affected customers have received an email with information on this breach. Therefore, if you’ve received an email such as the one in the OP, you are amongs those breached. There is no information on whether the 9.500 customers that have had their personal data breached, have or have not been explicitly notified of this fact.


The positive side (so as to say) is that the personal data breach is delimited to a very small portion of the database. Emails are going to be used for phising campaigns for sure, so be wary of any email you receive related to ledger: check the sender properly, and contrast with the official Ledger website. Do not panic and rush to providing mnemonics at any time on any site, and do not move to downloading anything related from an external link (i.e. alleged Ledger Live updates).

I wonder if older customers have been affected as well or just recent ones. IIRC, they once said older customers are deleted from their database for security purposes. The fact that it's the second time something like this happens is worrying, to say the least.

I'd say a wrench attack isn't very likely for most customers, but is something they should consider - especially if bigger or more popular names are involved.

They got owned for 4 days, and only now they announce about it. Not smart. Why not announce it on the day they got exploited and warn users  from giving "24 words of your recovery phrase" to someone.

Not a single word about compensation to 9500 customers. This will strike hard on their reputation. I expect used ledgers appear on the market, as well as discounts in ledger shop.