Topic: Ledger Shop leaking info AGAIN?! (Read 200 times)

legendary
Activity: 3500
Merit: 6320
February 20, 2021, 08:50:27 AM
#16
I know this shouldn't be necessary BUT folks who order these devices need to protect themselves by being smart about how they handle the orders.  Anonymous emails, untraceable to YOU delivery locations, no "real names" being used, etc......  I imagine those brand new to crypto deciding to order a hardware wallet don't think it through.  Most of us reading this thread would KNOW how to do it properly, but the newbies are operator error just waiting to happen!

Hardware wallets are mostly purchased by newbies, but you would be surprised that even many regular users purchased hardware wallets with their real name, address and phone number.
Experts, more advanced bitcoiners and paranoid people would most likely never buy a hardware wallet, but they like to create their own cold storage and airgapped devices, and nothing wrong with that.
People can choose what they want, and I think most of them don't care about privacy at all until something bites their ass.

That's a bit extreme. I know a lot of people who have been here for years and still use HW wallets.
No, I don't use one as my cold storage, but I do use one as my "warm"
Cold = engraved seed words / key in a bank vault.
Hot = multicoin wallet on my phone, that until this last runup my phone was worth more than stored coins.
Warm = trading, buying selling collectables, etc. Electrum with a coldcard. Compromise my laptop, I don't care.

Back to the topic at hand, Ledger has got to get their heads out of their asses. 1st time it happens should be the last time it happens.

Fine, they were using shopify. 1st time there was an issue with shopify you leave them. Even if it's not the fault of them, you leave and do it yourself.

Set up a BTCPay server for crypto payments and then get a Square account or PayPal or Amazon Payments or any one of a dozen different credit card processors to take cards and you are done. If your web / IT team can't do that in a few days then fire them and get better ones.

-Dave
legendary
Activity: 2212
Merit: 7064
February 20, 2021, 06:57:17 AM
#15
I know this shouldn't be necessary BUT folks who order these devices need to protect themselves by being smart about how they handle the orders.  Anonymous emails, untraceable to YOU delivery locations, no "real names" being used, etc......  I imagine those brand new to crypto deciding to order a hardware wallet don't think it through.  Most of us reading this thread would KNOW how to do it properly, but the newbies are operator error just waiting to happen!

Hardware wallets are mostly purchased by newbies, but you would be surprised that even many regular users purchased hardware wallets with their real name, address and phone number.
Experts, more advanced bitcoiners and paranoid people would most likely never buy a hardware wallet, but they like to create their own cold storage and airgapped devices, and nothing wrong with that.
People can choose what they want, and I think most of them don't care about privacy at all until something bites their ass.
hero member
Activity: 761
Merit: 606
February 19, 2021, 02:49:31 PM
#14
Damn, Ledger really needs to fix how they handled their customers' data. Who in their right mind would buy from them when stuff like this happens regularly. I hope Trezor or its competitors don't make the same mistake (and hopefully it is not a matter of when their cock-ups got published too).

That's just the tip of the iceberg. Many businesses mishandle customer data in egregious ways - e.g. emailing it around in spreadsheets, or these days more likely keeping in some publicly shared cloud thingy. Only by some dumb luck and lack of interest from outsiders most of it doesn't get leaked. I would have thought Ledger was the rare business that was a little bit more careful due to the... well, nature of their business. Obviously I was wrong. I no longer have any reason to believe Trezor would be different.

I know this shouldn't be necessary BUT folks who order these devices need to protect themselves by being smart about how they handle the orders.  Anonymous emails, untraceable to YOU delivery locations, no "real names" being used, etc......  I imagine those brand new to crypto deciding to order a hardware wallet don't think it through.  Most of us reading this thread would KNOW how to do it properly, but the newbies are operator error just waiting to happen!
hero member
Activity: 761
Merit: 606
February 19, 2021, 02:44:22 PM
#13
Look at this now, the other guy who ordered ledger and received all private information from the first guy, decided to cancel his order from ledger after this privacy fiasco, but ledger told him they already sent it and he needs to refuse accepting the package and they will refund him later.
Their support is bad, but he learned his lesson.

I am sure this is not the only case something like this happened but this is just first that got exposed in public.
One couple in Sweden recently got attacked at their home by armed robbers and they forced the owners to hand over 1M SEK in Bitcoin.
This could well be connected with previous ledger leaks as there are confirmed customers from Sweden, and the police investigation also suspects this.

I just can't understand that any website would have such low security and lack of care for privacy of their customers, but I guess I am not so surprised if I remember the small research I did a few months ago showing that their website is full of ads and trackers, and I am not saying that Trezor is doing much better regarding this issue.


Yep, when I posted my concerns above I was actually thinking about $5 wrench attacks! As a counter-measure it's too bad the couple in Sweden didn't utilize hidden wallets. At least they would have only lost their "decoy" wallet.
legendary
Activity: 3654
Merit: 8909
https://bpip.org
February 19, 2021, 08:30:30 AM
#12
Damn, Ledger really needs to fix how they handled their customers' data. Who in their right mind would buy from them when stuff like this happens regularly. I hope Trezor or its competitors don't make the same mistake (and hopefully it is not a matter of when their cock-ups got published too).

That's just the tip of the iceberg. Many businesses mishandle customer data in egregious ways - e.g. emailing it around in spreadsheets, or these days more likely keeping in some publicly shared cloud thingy. Only by some dumb luck and lack of interest from outsiders most of it doesn't get leaked. I would have thought Ledger was the rare business that was a little bit more careful due to the... well, nature of their business. Obviously I was wrong. I no longer have any reason to believe Trezor would be different.
legendary
Activity: 2170
Merit: 1789
February 19, 2021, 04:15:50 AM
#11
Damn, Ledger really needs to fix how they handled their customers' data. Who in their right mind would buy from them when stuff like this happens regularly. I hope Trezor or its competitors don't make the same mistake (and hopefully it is not a matter of when their cock-ups got published too).
legendary
Activity: 2212
Merit: 7064
February 18, 2021, 04:30:07 AM
#10
Look at this now, the other guy who ordered ledger and received all private information from the first guy, decided to cancel his order from ledger after this privacy fiasco, but ledger told him they already sent it and he needs to refuse accepting the package and they will refund him later.
Their support is bad, but he learned his lesson.

I am sure this is not the only case something like this happened but this is just first that got exposed in public.
One couple in Sweden recently got attacked at their home by armed robbers and they forced the owners to hand over 1M SEK in Bitcoin.
This could well be connected with previous ledger leaks as there are confirmed customers from Sweden, and the police investigation also suspects this.

I just can't understand that any website would have such low security and lack of care for privacy of their customers, but I guess I am not so surprised if I remember the small research I did a few months ago showing that their website is full of ads and trackers, and I am not saying that Trezor is doing much better regarding this issue.
legendary
Activity: 2730
Merit: 7065
February 17, 2021, 02:41:12 PM
#9
This is so frightening from ANY security standpoint.  There are people that live in regions of the world where "knowledge" that they even own crypto is life threatening.
That's a good point, although I would ask whether it's truly illegal to own a Ledger device anywhere in the world.  Obviously it might lead to some questions on the part of a government agency looking to prosecute someone for crypto possession (if that's even happening), but buying a Ledger does not equate to owning cryptocurrency.  That would have to be proven separately I would think.
Iran is one of the countries where bitcoin is banned if I am not mistaken. Imagine the following scenario. A government official who knows a bit about crypto gets his hands on a leaked Ledger database that lists the names and addresses of their customers. He does a simple CTRL + F search and puts in 'Iran'. Everyone on the list has his home searched, and probably many hardware wallets would get found. Iran isn't a democratic country, so I can imagine the army threatening people with accusations and affiliations with terrorism activities or money laundering if they don't show them what they keep on their wallets. Scary stuff.  
legendary
Activity: 3556
Merit: 7011
February 17, 2021, 02:20:32 PM
#8
This is so frightening from ANY security standpoint.  There are people that live in regions of the world where "knowledge" that they even own crypto is life threatening.
That's a good point, although I would ask whether it's truly illegal to own a Ledger device anywhere in the world.  Obviously it might lead to some questions on the part of a government agency looking to prosecute someone for crypto possession (if that's even happening), but buying a Ledger does not equate to owning cryptocurrency.  That would have to be proven separately I would think.

Anyway, this looks to me to be a one-time fuckup and whether it's on the part of Shopify or Ledger it doesn't seem to point to a pattern of security lapses.  It's unfortunate, to be sure, but I'm not ready to crucify Ledger based on what happened here. 

OP, you obviously can't stand Ledger and I respect that.  They're a beloved company in the small world of hardware wallet enthusiasts, but that doesn't mean they should go without criticism.  And I'd say they need to figure out what happened here and fix their shit before it happens again, because what did happen isn't cool at all.
hero member
Activity: 761
Merit: 606
February 17, 2021, 01:46:19 PM
#7
This is so frightening from ANY security standpoint.  There are people that live in regions of the world where "knowledge" that they even own crypto is life threatening.
legendary
Activity: 2212
Merit: 7064
February 17, 2021, 01:29:06 PM
#6
You do not trust them at all, what was your bad experience?

It's not only me but all other people who purchased this junk and got all their personal information exposed to scammers and criminals over and over again.
I don't look at hardware wallets like on some new religion or sect, so if there is something bad I would not put it under the carpet but expose everything in public, but looks like they like to hide things very much.
They also love to bash all other hardware wallet manufacturers and glorify their own.

I don't know about that. I've dealt with Shopify quite a bit and I could fill about 20x64KB posts here with all the different ways it sucks, but I find it hard to believe that this is not Ledger's cock-up. It looks like they attached the wrong receipt or something. But what can you expect if their "co-founder" pretends to have a "developer point of view" with asinine statements like this:

No. Fuck no. This is transactional data, both in the business sense and in how you're supposed to treat it, not some social media bullshit that you throw into a bucket and hope it's the right bucket.
Don't get me started about this btchip co-founder prick and his attitude, and what kind of developer is also working as full time reddit moderator?
Can't they afford to hire some normal moderator for that but co-founder must act as support saying he is also a developer.


legendary
Activity: 3654
Merit: 8909
https://bpip.org
February 17, 2021, 12:00:32 PM
#5
That issue has to be on Shopify's responsibility.  The only thing Ledger should be blamed for is the fact that they're still using Shopify.  They really need to work that shit out.  I have no reason to promote Amazon, but at least their service works and is secure.  Ledger needs to pull their products from Shopify, and pronto.

I don't know about that. I've dealt with Shopify quite a bit and I could fill about 20x64KB posts here with all the different ways it sucks, but I find it hard to believe that this is not Ledger's cock-up. It looks like they attached the wrong receipt or something. But what can you expect if their "co-founder" pretends to have a "developer point of view" with asinine statements like this:

No. Fuck no. This is transactional data, both in the business sense and in how you're supposed to treat it, not some social media bullshit that you throw into a bucket and hope it's the right bucket.
legendary
Activity: 2702
Merit: 4002
February 17, 2021, 11:07:45 AM
#4
Many questions are raised about how Ledger deals with the privacy of their clients. It is better for them to work to improve their reputation, but I think this problem is individual. Until this problem is solved, it is best to ship to your work or PO box.

archive just in case ledger deletes that post: https://archive.vn/Uvn1K
You do not trust them at all, what was your bad experience?
legendary
Activity: 2212
Merit: 7064
February 17, 2021, 07:29:17 AM
#3
That issue has to be on Shopify's responsibility.  The only thing Ledger should be blamed for is the fact that they're still using Shopify.  They really need to work that shit out.  I have no reason to promote Amazon, but at least their service works and is secure.  Ledger needs to pull their products from Shopify, and pronto.

I wouldn't go so far as to call Ledger's products "crap" just because of this marketing mishap.  I myself prefer the competitor's hardware wallet, but the Ledger is a decent product as well.

Well their mister co-founder just said it was their own mistake and not shopify, and as long as you purchase that thing on their website they are responsible 100%

Quote
From a developer point of view this typically looks like a synchronization issue when several components of the platform communicating together are under heavy load. I'll report what's the result of the investigation when it is available.

Quote
this is way more likely to be a one time issue due to the volume of orders, or a batch going wrong. If it happened all the time we'd have noticed already.

Their product is perfect for leaking all your personal information for everyone to know and abuse, and I promise you that someone will sooner or later break their closed source thing, with only 'protection' being signed NDA.
Even if devs find a flaw in it they can't publish it because of that NDA.
copper member
Activity: 2338
Merit: 4543
February 17, 2021, 07:22:28 AM
#2
Some people may blame this on Shopify again but it is clear that this is serious security flaw from ledger amateurs.

I mean wtf, how low can ledger fall seriously? And why are people still ordering this crap?

That issue has to be on Shopify's responsibility.  The only thing Ledger should be blamed for is the fact that they're still using Shopify.  They really need to work that shit out.  I have no reason to promote Amazon, but at least their service works and is secure.  Ledger needs to pull their products from Shopify, and pronto.

I wouldn't go so far as to call Ledger's products "crap" just because of this marketing mishap.  I myself prefer the competitor's hardware wallet, but the Ledger is a decent product as well.
legendary
Activity: 2212
Merit: 7064
February 17, 2021, 07:01:20 AM
#1
I just love reading ledger wallet reddit page with posts and comments from different people and latest one is very interesting.

It appears that ledger is still using Shopify for their shop, and this is what happened to one guy who ordered ledger wallet at the end of January.
Six hours after ordering he received an email from another guy who also ordered ledger and got all sensitive ordering information with price, shipping address, email, and phone number from first guy and he even made screenshots to confirm!

He sent an email to ledger support but received stupid machine automated reply.

Some people may blame this on Shopify again but it is clear that this is serious security flaw from ledger amateurs.

I mean wtf, how low can ledger fall seriously? And why are people still ordering this crap?


https://www.reddit.com/r/ledgerwallet/comments/llm3yp/beware_ledger_shop_appears_to_be_leaking_order/
archive just in case ledger deletes that post: https://archive.vn/Uvn1K

Answer from ledger co-founder btchip, that clearly admits they are amateurs:
Quote
From a developer point of view this typically looks like a synchronization issue when several components of the platform communicating together are under heavy load. I'll report what's the result of the investigation when it is available.
Quote
this is way more likely to be a one time issue due to the volume of orders, or a batch going wrong. If it happened all the time we'd have noticed already.