
Topic: Ledger (and Trezor) hardware wallet owners: heads up | EDIT: (debunked) - page 2

legendary
Activity: 2632
Merit: 1239
Whether this is true or not, the fact is that there is a risk now, but also in the future with such and similar databases that are clearly insufficiently protected. Apart from the fact that such a database could physically endanger some of the HW users, it can be used for social engineering (sending phishing e-mails), or SIM swap attacks.

The risk didn't become a reality now because some hacker claims that he hacked Shopify's database. Each one of us is risking their data being leaked every time we enter some data on a web site. A user never knows how his data on a web site is stored and protected. When we register on a web site and enter our information, we choose to trust that web site. No one can guarantee that their database won't be hacked because it can happen to anyone.

According to the hacker, this database is from the period of 2016 or earlier, which would somewhat explain such a small number of Ledger users. Yet it seems to be a simple scam attempt.

I was always wondering about this... Why would someone hack a database and then steal only a small part of it? It could be that in this case Shopify kept their old data in some old database that this hacker managed to hack. If that is true, why do they keep those old databases online? If at some point they decided to move all user data to another DB, why would they keep the old one "alive"?
mk4
legendary
Activity: 2870
Merit: 3873
Is there some statistic regarding particular reasons behind people buying hardware? I didn't see one. It may be just for fun since not all people understand why they are buying even bitcoin itself. They might be holding some unreasonable amount of bitcoin or any piece of shitcoin.

It's going to be pretty hard to have an accurate statistic for that. You'd really need to put out a large scale poll to hardware wallet buyers. One thing's for sure though, most buyers assume it's secure, hence why people buy them. I mean, hardware wallets are pretty much heavily recommended (as they should be) in the entirety of the cryptocurrency space.
legendary
Activity: 3234
Merit: 5637
Whether this is true or not, the fact is that there is a risk now, but also in the future with such and similar databases that are clearly insufficiently protected. Apart from the fact that such a database could physically endanger some of the HW users, it can be used for social engineering (sending phishing e-mails), or SIM swap attacks.

I also believe that such a database would be of interest to the tax authorities, in the sense that it could give them guidelines on who should be closely monitored when it comes to crypto taxes.  

What I also notice is that the Ledger DB (according to the hacker) contains only 41 488 users, which is definitely too little considering how many devices Ledger has sold so far. Also, by what Ledger has posted so far, comparing the data from screenshots with the real DB, they do not match.

Edit - Just found this on Ledger Twitter.


https://twitter.com/l33tguy/status/1264661534380191744

According to the hacker, this database is from the period of 2016 or earlier, which would somewhat explain such a small number of Ledger users. Yet it seems to be a simple scam attempt.
legendary
Activity: 2450
Merit: 4415
Well, most people aren't buying a hardware wallet just for fun. Chances are if you own a hardware wallet, then you are holding a reasonable amount of cryptocurrency that you are uncomfortable storing in a software wallet. Your coins don't even have to be on the hardware wallet - once an attacker has identified you as a target, they can physically coerce you into unlocking software wallets, hardware wallets, web wallets, exchange accounts, whatever.
Is there some statistic regarding particular reasons behind people buying hardware? I didn't see one. It may be just for fun since not all people understand why they are buying even bitcoin itself. They might be holding some unreasonable amount of bitcoin or any piece of shitcoin. There is still a lack of information for robbers. They are not going to risk just for potential income. However, this unreasonable amount could unexpectedly become reasonable one day and, in this case, the leak will be dangerous for us. The cure is the same: don't talk about cryptocurrency you're holding, this puts you in danger, especially in the future when bitcoin is more valuable. People in the future might be robbed just for the sake of 1 satoshi.
legendary
Activity: 2268
Merit: 18748
Hackers and robbers need to know precisely whether their victim has any big money or not. Really, it doesn't make any sense to attack everyone who has ever bought a piece of hardware.
Well, most people aren't buying a hardware wallet just for fun. Chances are if you own a hardware wallet, then you are holding a reasonable amount of cryptocurrency that you are uncomfortable storing in a software wallet. Your coins don't even have to be on the hardware wallet - once an attacker has identified you as a target, they can physically coerce you into unlocking software wallets, hardware wallets, web wallets, exchange accounts, whatever.

Thanks for the reminder and it's something I tell myself every time I feel obliged to trust a company I really like. You see, even if the intentions are good, human error and well, the basic capacity for humans to make mistakes, will eventually cause any company to face this dilemma (even if theoretically).
Exactly. Trusting anyone else to hold your coins or hold your data, regardless of how reputable you think they are, always carries a risk.

What do we do one day if thieves also know about plausible deniability passphrase?
Create several, and make sure they aren't linkable in any way using blockchain analytics.
legendary
Activity: 2632
Merit: 1239
That's a really nasty one. Reading what they can do about my E-mail is making me uncomfortable. I use it almost everywhere.

I will start updating it with the services where it is allowed to do so.

Perhaps, the news should be false and all the ledger services must abide by the stringent laws against data protection.

If I understood how this attack (allegedly) happened, it's not Ledger's or Trezor's fault. It's Shopify's database that was hacked. However, I wouldn't blame them too much because there is still no proof that the attack really happened.
hero member
Activity: 2114
Merit: 603
That's a really nasty one. Reading what they can do about my E-mail is making me uncomfortable. I use it almost everywhere.

I will start updating it with the services where it is allowed to do so.

Perhaps, the news should be false and all the ledger services must abide by the stringent laws against data protection.
mk4
legendary
Activity: 2870
Merit: 3873
Tech is tech and there is no human-proof tech yet :) What do we do one day if thieves also know about plausible deniability passphrase?

Some will know about it, and some won't. But in the end, it's really better to have it. Not doing/using something just because thieves could know about it makes little sense. It's like saying that we shouldn't use CCTV cameras or have guns in our homes because thieves know about them anyway. Not really that close of an analogy, but you get what I mean.
legendary
Activity: 2674
Merit: 1226
Thanks for the reminder and it's something I tell myself every time I feel obliged to trust a company I really like. You see, even if the intentions are good, human error and well, the basic capacity for humans to make mistakes, will eventually cause any company to face this dilemma (even if theoretically).

From what Shopify, Ledger, and Trezor are all saying, this hack appears to be fake, but there is still a certain irony to it. We spend a lot of time on here talking about how best to use hardware wallets, are they secure enough, can they be trusted, using passphrases, storing seeds, airgapped wallets, etc., etc., and a mass $5 wrench attack is still the most likely way you will lose your coins. Now's the time to think about using a passphrase for plausible deniability if you don't already.

Tech is tech and there is no human-proof tech yet :) What do we do one day if thieves also know about plausible deniability passphrase?
legendary
Activity: 2450
Merit: 4415
From what Shopify, Ledger, and Trezor are all saying, this hack appears to be fake, but there is still a certain irony to it. We spend a lot of time on here talking about how best to use hardware wallets, are they secure enough, can they be trusted, using passphrases, storing seeds, airgapped wallets, etc., etc., and a mass $5 wrench attack is still the most likely way you will lose your coins. Now's the time to think about using a passphrase for plausible deniability if you don't already.
Bold part is a good way to use a hardware wallet, I can't believe I have used it without that option before. But the most important thing here and why one shouldn't worry about shipping address leak is the fact that possession of the hardware wallet doesn't mean one has money stored in there. Hackers and robbers need to know precisely whether their victim has any big money or not. Really, it doesn't make any sense to attack everyone who has ever bought a piece of hardware. So, just don't talk about how many bitcoins you have and you are fine.
legendary
Activity: 2268
Merit: 18748
I don't remember sharing my phone number, it's only E-mail with 2FA security so I don't think anyone can misuse it besides sending spam mails.
If you bought a hardware wallet from either Ledger's or Trezor's official site, then you will also have had to give a name and address. This is what is worrying most people, as someone can now show up at your house with proof that you have a hardware wallet and physically force you to hand over your coins.

Also, if the email address you have given them is the same email address you have used for other crypto activities, particularly valuable accounts such as web wallets or exchange accounts which may be holding funds, then (if this hack turns out to be true) someone could try to access these accounts. An email address as well as your real name and address might be enough to convince a support team somewhere to reset your password.
hero member
Activity: 2114
Merit: 603
I never opened up my ledger after creating the backup for the initial set up.

So does it mean my data is still secure for my ledger?

What I mean is, I never connected it with network till now after first set up.

Or is it like they have fetched the data from stored servers of ledgers or whatever storage location is there? Shall we be afraid of our coins in the ledger?
Your bitcoin and other altcoins are safe. The only thing you should worry about is that the personal information you surrendered to the mentioned company is at risk of being compromised by illegal dealers in the blackmarket.

Your ledger and your crypto are not correlated with the data breach, but the sensitive information from when you bought your cold storage is. Your coins are safe unless there is a $5 Wrench attack.

Okay that is the most important thing for me, the fund security.
Otherwise it would have made an impression that cold storage is also unsafe now. Lol.

I don't remember sharing my phone number, it's only E-mail with 2FA security so I don't think anyone can misuse it besides sending spam mails.

That's a relief though if my coins are safe. Thanks for info.
legendary
Activity: 2268
Merit: 18748
I mean, I don't trust any companies who would keep and sell my data, especially if it's any sensitive data and/or they are supposed to aid to keep my privacy.
Most companies will keep the personal data of their customers on file, largely for law enforcement and compliance reasons. The privacy policies of both Ledger and Trezor allow you to request to have your details erased from their databases though. I'll quote a post I made on another thread about this at the bottom of this post. I'd be very surprised if it turned out that either Ledger or Trezor were actively selling customer details though - such a thing would lose them a vast number of customers.

What a big joke if they come to one of the addresses, get the wallet, and force the owner to tell the password but he doesn't have any funds left.
From what Shopify, Ledger, and Trezor are all saying, this hack appears to be fake, but there is still a certain irony to it. We spend a lot of time on here talking about how best to use hardware wallets, are they secure enough, can they be trusted, using passphrases, storing seeds, airgapped wallets, etc., etc., and a mass $5 wrench attack is still the most likely way you will lose your coins. Now's the time to think about using a passphrase for plausible deniability if you don't already.

Even for those who contacted support? They have to submit emails when creating support tickets.
Your email address will be on a database somewhere. Whether it is the same database that this hacker claims to have, we don't know. That's why I would always suggest using multiple different email addresses for different purposes, and the one you use for crypto-related activities should not be tied to your real name or address in any way.



Worth noting that both Ledger and Trezor allow you to request that they erase any details they hold about you from their databases. Although obviously too late for this hack (if it turns out to be true), it would still be worthwhile erasing your details from their databases.

You have the right to request access to your Personal Data, their rectification or erasure, as well as the right to request the restriction of the processing or to object to the processing.

Under Article 15 to 21 of the GDPR, you have the following rights that you are entitled to apply to the collector:
  • Right of access,
  • Right to rectification,
  • Right to erasure,
  • Right to restriction of processing,
  • Right to object.

A reminder to always be very careful about giving out your personal details to anyone, even companies which are as well known as Ledger and Trezor.
legendary
Activity: 1904
Merit: 1563
I never opened up my ledger after creating the backup for the initial set up.

So does it mean my data is still secure for my ledger?

What I mean is, I never connected it with network till now after first set up.

Or is it like they have fetched the data from stored servers of ledgers or whatever storage location is there? Shall we be afraid of our coins in the ledger?
Your bitcoin and other altcoins are safe. The only thing you should worry about is that the personal information you surrendered to the mentioned company is at risk of being compromised by illegal dealers in the blackmarket.

Your ledger and your crypto are not correlated with the data breach, but the sensitive information from when you bought your cold storage is. Your coins are safe unless there is a $5 Wrench attack.
hero member
Activity: 2114
Merit: 603
I never opened up my ledger after creating the backup for the initial set up.

So does it mean my data is still secure for my ledger?

What I mean is, I never connected it with network till now after first set up.

Or is it like they have fetched the data from stored servers of ledgers or whatever storage location is there? Shall we be afraid of our coins in the ledger?
hero member
Activity: 2128
Merit: 532
You're completely missing the point here. The rumoured "leak" is not concerning the security of your hardware wallet itself, but the personal information you've probably given them if you bought directly from them. What sites you've used your bitcoin on doesn't matter in this case.

Even for those who contacted support? They have to submit emails when creating support tickets.
legendary
Activity: 2170
Merit: 1789
Man, just a few weeks ago one of the biggest e-commerce databases that I use was leaked and now this. Still, assuming this is real, I'm not sure how they will select their victim. What a big joke if they come to one of the addresses, get the wallet, and force the owner to tell the password but he doesn't have any funds left.
hero member
Activity: 2520
Merit: 952
I got my ledger through mew competition, so even if it's true, my details should be safe
mk4
legendary
Activity: 2870
Merit: 3873
I mean, I don't trust any companies who would keep and sell my data, especially if it's any sensitive data and/or they are supposed to aid to keep my privacy.

It is definitely not necessary for companies to keep my home address or phone number. If they try to sell that data to third party companies, I would have second thoughts about buying from them.

We could definitely easily say that companies keeping your information is unnecessary, but let's not forget that the government likely (though I have no sources to give) requires businesses and companies to have a database of their customers' information. This is not a black or white situation.
full member
Activity: 308
Merit: 171
jalannya dipotong sama orang
I doubt this case (Shopify is a Ledger and Trezor seller). A communications manager at the Shopify e-commerce website says:
Quote
"We investigated these claims and found no evidence to substantiate them, and no evidence of any compromise of Shopify’s systems."
But the TREZOR and LEDGER steps I think are correct. The company must act seriously to investigate. Because the good name and trust can be lost with this news. If this is the fault of the reseller, there can be an evaluation for Shopify.

Source: https://decrypt.co