Topic: Ledger(and Trezor) hardware wallet owners: heads up | EDIT: (debunked) (Read 709 times)

he just made a text file of PUBLIC ADDRESSES and told a naive second party that they were security keys attached and to notorise the PUBLIC addresses as collateral to then scam the aussie tax office and then rescam private investors.

right now he is trying to patent and case law create proof of something to then try selling these patents and his 'story'(book deal) to repay debts.

he is a scammer doing scam after scam pretty much a 'rob peter to pay paul' to scam person after person to scam scam scam.

he has no collateral originating as his own. its all scam and trickery to syphon money from investors and try repaying bits out to try keeping them calm and prolong it as long as possible

Hmm, this would be almost impossible here, even if I would try paying in cash, I would have to buy most of the stuff from Aldi or other chain stores as most electronics stores ask for your name and data even if you're paying in cash. Besides for most things the warranty is void without a name printed on it, so you'd have to id yourself at least once.


Yeah, one of the things people always forget when it comes to security.
One additional thing is that if in the case of a bank transfer that is reversible in case you have been robbed and your bitcoins have entered the thief account....good luck retrieving them.
You can jail him, 20 years in prison, but when he comes out if he has hidden the keys good enough he still has the loot and nobody can do anything about it.

I remember a debate about bitcoin ending corruption...
If I would be a persona accepting a bribe I would simply have a QR code on a piece of paper on my desk and point to it, prove in court I own that address, prove in court I have the funds, try and take my coins away.  



Big names already have all their info available if you do a simple search, you can get their address in a few minutes looking at their FB pages, for god's sake, some Yt Instagram or FB "influencers" actually let people know their phone number and mail their fan art or gifts directly to their home. Everybody knows about the big names, we have gossips all day about that guy and this guy buying coins, winning an auction investing in it.

When your name is unknown how would a thief know you are storing millions or 2000$ or if you haven't  gifted it already just from your name?

I've read before that hardware wallet isn't that fully secured at all especially when you ordered it online in a cheap prices, coz we all want to buy at cheap price right?, but for some reason hackers do take advantage of it too. I barely remember Where did I read it but the article was about amazon sellers or should I call them resellers, where they sell ledgers, trezor, and any hardware wallet with tampered private keys or the security is already breach by them just before you have an access with it, in short the are the owner of it.

I wrote a reminder of it here in the forum, you can check the discussion here https://bitcointalksearch.org/topic/m.54268928

If you have a hardware wallet you must read this. https://newsblockchain.io/news/hardware-wallets-are-not-all-equally-secure
Your data can be already compromised but you still don't know that

Ledger Nano S and Trezor are some of the best, safe and secure wallets ever. in a Ledger Telegram channel they are saying that it's official, they are not hacked. Ledger already claims that the rumours are false. You need Always think twice when handing over personal information, especially on shady websites.

But in the financial sector this is very dangerous. A class of sellers of a brand of digital currency storage  Trezor and Ledger, if not able to maintain the secrecy of these buyers is sad. Trezor and Ledger should monitor their resellers, if necessary there must be permission through the fulfillment of buyer's requirements guarantee security.

yeah, certainly you have a point here.

But when I buy a bed and they deliver it to my house, walmart/etc share this data and many companies will have your data (phone, address, name ,email). While ledger (theoretically) don't, as they are "concerned" about privacy (unless if there is a data leak lol)...

Sadly, our situation is very complicated to protect our privacy...

I have a bank account, yes. Unfortunately, it is impossible for me to live without one.

I have all these items, all bought in person, paid for in cash or bitcoin where possible, and taken home by myself. When I moved house, I dismantled and packed everything myself, and moved with the help of one friend and his truck. I also use Amazon, paying entirely in non-traceable giftcards, and delivering to a drop off location which I later pick up from.

Is it a bit of an inconvenience to do all these things? Sure. Is it worth it to keep my personal data out of the hands of the likes of Google, Amazon, Facebook, and everybody else who wants it? Definitely.

Even if they had delivered to me, it isn't. Strangers knowing that you own a bed is absolutely not comparable in terms of risk to strangers knowing that you own a hardware wallet.

When i wrote that I remembered we chatted about it a few weeks ago...

But how can you avoid giving information to "any of these sites"?

You are a physician, right? Do you only receive payments in bitcoin? If you have a bank account, you gave your perfonal information to those sites.

If you ever bought something online, you gave your information to those sites.

Do you have a TV in your house? A bed? a refrigerator? Did you carry those itens personally in your back, or did you gave your personal information to those sites so they could deliver it in your house? If they delivered it to you, your situation is worse than ledger customers...

Unless you are an alien or someone like Jameson Loop, all your data is available to those companies.

I read this a few months ago (couldn't find the original, but this one is enough)
https://www.nytimes.com/2019/03/12/technology/how-to-disappear-surveillance-state.html

His measures included renting a fake apartment to receive stuff from walmart, purchasing a tiny second property just for this purpose,Make up a fake name for casual interactions, Get a new phone number (do you have one for more than a year?), Create a new corporate identity, hiring a personal investigator to test his set up  and so on.

Do you have children which do not follow all those crazy stuff? Well, so all your privacy concerns are basic useless...

I think we need to separate idealism from reality.

Edit: I use adblock, firefox, I do not give personal data to any exchange or airdrop, I try to avoid google products (but i have some of them...) I think I am worried about privacy more than 99% of people, but there is a limit to this.

I gave my docs to the 2 exchanges that I use fiat/btc and 3-4 traditional stocks exchanges, I buy stuff online to deliver in my house and so on. I care about privacy, but I don't have secrets. Walmart need my address to deliver stuff in my house, for example.

I have seen in a Ledger Telegram channel about this and they are saying that it's official, they are not hacked.

https://www.ledger.com/our-ecommerce-database-has-not-been-hacked

Some of us care. Some of us care enough to not give our personal information to any of these sites.

Still, the issue here is people worrying about become a target for a physical attack. It's very hard to hold someone at gunpoint and make them empty all their fiat accounts in to yours - there will be withdrawal limits, extra security checks, phone calls to and from the bank, delays, etc., not to mention the attacker must use a bank account not linked to them but they can still access so they aren't immediately identified. Conversely, you can hold someone at gunpoint and make them empty all their bitcoin wallets in to yours in 5 minutes, completely anonymously, without any additional security checks.

I don't want the whole world knowing my name and address, and I certainly don't want the whole world knowing my name and address and the fact that I've bought hardware wallets.

There is too much fuzz about so small thing imo.

We give our personal data to banks, financial institutions,  department stores such as Walmart, Amazon etc, government institutions and so oneverytime.

Those websites  openly sell and share our data with their partners , and nobody cares.

This is why we receive marketing calls, advertisements in SMS an spam in our emails.

When a cryptocurrency related company have a rumored small leak, the world falls apart...

Well, many don't even know this could be a problem first of all. For example, there are lots of people storing critical data in cloud storage - this database security thing is pretty much something you learn about if you are interested in tech. I'm talking about smaller businesses too, not necessarily corporations which certainly do have some workers building up stronger security.

The thing I'm trying to underline is, the things governments could solve and find out by asking a business to hand out a specific customer's data might be nothing compared to the damage a large security breach could do.

I wasn't specifically saying that Shopify and Ledger are shady websites, I even use Shopify myself. I was just putting out a point for the people who think it's fine giving away your home address to various websites.

Yeah, but you can't call Shopify a shady website. They are well known for years and majority of users trust them with their data. Besides, if Ledger as a company use them to sell their devices, why would some user think of them as a shady website?


If a government requires businesses to store customer data, then it should require some level of database security. If a business gets their customer's data stolen due to a database hack because of some unfixed security hole, then that business could to be blamed too.

It is quite scary how a little database leak could lead to a huge chain of robberies involving potentially millions of USD, specifically if big names & their addresses are leaked. The worst part is, governments may require businesses to store customer details but a business doesn't always have a high level database security. In fact, I'd guess most of them don't.

Update: Ledger already claims that the rumours are false. While we can all have our sighs of relief now, make this be a wake up call that it's heavily not recommended to be handing over personal information on a lot of websites. Always think twice when handing over personal information, especially on shady websites.

I understand what you are referring to, but I'm saying that the risk of someone hacking this database has always been real. The best thing now would be that this turns out to be fake, but that it "teaches" Ledger, Trezor and Shopify to always fix the security holes in the software. Because, like you said - the biggest problem is that information can be used to hurt people and steal their money.


Yeah, that's true. But I don't understand why would someone wait 4 years to sell something like that. He certainly would get much more money if the hacked data was newer

But nevertheless, I hope this one turns out to be fake.

I am referring to a specific situation like this, not to general database hacking. If this were true then such a database would be a really big security risk, because each customer can be identified by full name, email address and phone number. Here we are talking about people who mostly own some significant amounts of crypto, and a way to locate and physically rob them, with of course sophisticated remote attacks via email/SMS/or phone calls.



So as I already wrote (based on tweet) the hacker claims that this is a database from 2016 or earlier, which means that it can only contain the earliest customers. I don't know where you get the idea that someone hacked the database yesterday and then only sells data from 2016? This database (if it exists at all) could have been hacked 4+ years ago, and has only now appeared on the market.

It could be, but the fact that Shopify is highly secured this might be just a false allegations. Shopify has a lot of third-party  but they are more secure than their competitors even some of them are self-hosted like Magento and Woocommerce. But then there is a risk of customers data that could be use to identity theft or any illegal activities online, Shopify should look deeply down to this.

Data breaching is harder than what you think, hackers could get into it but there are times that new data are being handle by different server with different security.

Why they keep the data online? - It has to do with their PCI compliance to implement and maintain a firewall.

I'm worried about those people whose data has been stolen like the name, address and phone number. If this came out to be true, they could be in danger.

The risk didn't become a reality now because some hacker claims that he hacked Shopify's database. Each one of us is risking their data being leaked every time we enter some data on a web site. User never knows how his data ona web site is stored and protected. When we register on a web site and enter our information, we choose to trust that web site. No one can guarantee that they database won't be hacked because it can happen to anyone.


I was always wondering about this... Why would someone hack a database and then steal only a small part of it? It could be that in this case Shopify kept their old data in some old database that this hacker managed to hack. If that it true, why do they keep those old databases online? If at some point they decided to move all user data to another DB, why would they keep the old one "alive"?

It's going to be pretty hard to have an accurate statistic for that. You'd really need to put out a large scale poll to hardware wallet buyers. One thing's for sure though, most buyers assume it's secure hence why people buy them. I mean, hardware wallets are pretty much heavily recommended(as it should) in the entirety of the cryptocurrency space.

Whether this is true or not, the fact is that there is a risk now, but also in the future with such and similar databases that are clearly insufficiently protected. Apart from the fact that such a database could physically endanger some of the HW users, it can be used for social engineering (sending phishing e-mails), or SIM swap attacks.

I also believe that such a database would be of interest to the tax authorities, in the sense that it could give them guidelines on who should be closely monitored when it comes to crypto taxes.  

What I also notice is that Ledger DB is (by hacker) contains only 41 488 users, which is definitely too little considering how many devices Ledger has sold so far. Also, by what Ledger has posted so far, comparing the data from screenshots with real DB, they do not match.

Edit - Just found this on Ledger Twitter.


https://twitter.com/l33tguy/status/1264661534380191744

By hacker this database is from period from 2016 or earlier, which would somewhat explain such a small number of Ledger users. Yet it seems to be a simple attempt of scam.

Is there some statistic regarding particular reasons behind people buying hardware? I didn't see one. It may be just for fun since not all people understand why they are buying even bitcoin itself. They might be holding some unreasonable amount of bitcoin or any piece of shitcoin. There is still lack of information for robbers. They are not going to risk just for potential income. However, this unreasonable amount could unexpectedly become reasonable one day and, in this case, the leak will be dangerous for us. The cure is the same: don't talk about cryptocurrency you're holding, this put your in danger, especially in the future when bitcoin is more valuable. People in the future might be robbed just for the sake of 1 satoshi.

Well, most people aren't buying a hardware wallet just for fun. Chances are if you own a hardware wallet, then you have are holding a reasonable amount of cryptocurrency that you are uncomfortable storing in a software wallet. Your coins don't even have to be on the hardware wallet - once an attacker has identified you as a target, they can physically coerce you in to unlocking software wallets, hardware wallets, web wallets, exchange accounts, whatever.

Exactly. Trusting anyone else to hold your coins or hold your data, regardless of how reputable you think they are, always carries a risk.

Create several, and make sure they aren't linkable in any way using blockchain analytics.

If I understood how this attack (allegedly) happened, it's not Ledger's or Trezor's fault. It's Shopify's database that was hacked. However, I wouldn't blame them too much because there is still no proof that the attack really happened.

That's really nasty one. After reading what can they do about my E-mail making me uncomfortable. I use it almost everywhere.

I will start updating it with the services where it is allowed to do so.

Perhaps, the news should be false and all the ledger services must abide to the stringent laws against data protection.

Some will know about it, and some will don't. But in the end, it's really better to have it. Not doing/using something just because thieves could know about it makes little sense. It's like saying that we shouldn't use CCTV cameras or have guns on our homes because thieves know about them anyway. Not really that close of an analogy, but you get what I mean.

Thanks for the reminder and it's something I tell myself every time I feel obliged to trust a company I really like. You see, even if the intentions are good, human error and well, the basic capacity for humans to make mistakes, will eventually cause any company to face this dilemma (even if theoretically).


Tech is tech and there is no human-proof tech yet:) What do we do one day if thieves also know about plausible deniability passphrase?

Bold part is a good way to use a hardware wallet, I can't believe I have used it without that option before. But the most important thing here and why one shouldn't worry about shipping address leak is the fact that possesion of the hardware wallet doesn't mean one have money stored in there. Hackers and robbers need to know precisely whether their victim has any big money or not. Really, it doesn't make any sense to attack everyone who has ever bought a piece of hardware. So, just don't talk about how many bitcoins you have and you are fine.

If you bought a hardware wallet from either Ledger's or Trezor's official site, then you will also have had to give a name and address. This is what is worrying most people, as someone can now show up at your house with proof that you have a hardware wallet and commit physically force you to hand over your coins.

Also, if the email address you have given them is the same email address you have used for other crypto activities, particularly valuable accounts such as web wallets or exchange accounts which may be holding funds, then (if this hack turns out to be true) someone could try to access these accounts. An email address as well as your real name and address might be enough to convince a support team somewhere to reset your password.

Okay that is the most important thing for me, the fund security.
Otherwise it would have made an impression that cold storage is also unsafe now. Lol.

I don't remember sharing my phone number, it's only E-mail with 2FA security so I don't think anyone can misuse it besides sending spam mails.

That's a relief though if my coins are safe. Thanks for info.

Most companies will keep the personal data of their customers on file, largely for law enforcement and compliance reasons. The privacy policies of both Ledger and Trezor allow you to request to have your details erased from their databases though. I'll quote a post I made on another thread about this at the bottom of this post. I'd be very surprised if it turned out that either Ledger or Trezor were actively selling customer details though - such a thing would lose them a vast number of customers.

From what Shopify, Ledger, and Trezor are all saying, this hack appears to be fake, but there is still a certain irony to it. We spend a lot of time on here talking about how best to use hardware wallets, are they secure enough, can they be trusted, using passphrases, storing seeds, airgapped wallets, etc., etc., and a mass $5 wrench attack is still the most likely way you will lose your coins. Now's the time to think about using a passphrase for plausible deniability if you don't already.

Your email address will be on a database somewhere. Whether it is the same database that his hacker claims to have, we don't know. That's why I would always suggest using multiple different email address for different purposes, and the one you use for crypto-related activities should not be tied to your real name or address in any way.

---

Your bitcoin and other altcoins are safe. The only thing you should worry is that the personal information you surrendered to the mentioned company are at risk of being compromised by illegal dealers in the blackmarket.

Your ledger and your crypto is not correlated from the data breach but your sensitive information when your bought your cold storage does. Your coins are safe unless there is a $5 Wrench attack,

I never opened up my ledger after creating the backup for the initial set up.

So does it mean my data is still secure for my ledger ?

What I mean is, I never connected it with network till now after first set up.

Or is it like they have fetched the data from stored servers of ledgers or whatever storage location is there? Shall we afraid of our coins in the ledger ?

Even for those who contacted support? They have to submit emails when creating support tickets.

Man, just a few weeks ago one of the biggest e-commerce databases that I use was leaked and now this. Still, assuming this is real, I'm not sure how they will select their victim. What a big joke if they come to one of the addresses, got the wallet, forcing the owner to tell the password but he doesn't have any funds left.

I got my ledger through mew competition, so even if it's true, my details should be safe 

We could definitely easily say that companies keeping your information is unnecessary, but let's not forget that the government likely(though I have no sources to give) requires businesses and companies to have a database of their customer's information. This is not a black or white situation.

I doubt this case, (Shopify is a ledger and trezor seller)  communications manager at Shopify e-commerce website, says:
But the TREZOR and LEDGER steps I think are correct. The company must act seriously to investigate. Because the good name and trust can be lost with this news. If this is the fault of the reseller, there can be an evaluation for Shopify.

Source: https://decrypt.co

Okay I see and thanks for clarifying that to me. It's really concerning right now on how our personal information are getting exposed when we buy something in Shopify or other platforms that keeps our data. We could be victims of identity theft. Even if they assure that our personal data is safe and secure, we can't be complacent on that.

Privacy is something that we need to protect. It's really scary on how these hackers are finding new ways to "compromise" a platform, even if they're just rumours. As security improves, so as the hackers' brains to counter-attack.

I mean, I don't trust any companies who would keep and sell my data, especially if it's any sensitive data and/or they are supposed to aid to keep my privacy.

It is definitely not necessary for companies to keep my home address or phone number. If they tries to sell those data to third party companies, I would have second thoughts about buying from them.

You're completely missing the point here. The rumoured "leak" is not concerning the security your hardware wallet itself, but the personal information you've probably given them if you bought directly from them. What sites you've used your bitcoin doesn't matter in this case.

I don't really use PO boxes as they are small and many businesses don't want to deliver parcels to them.
But where i am, we have the choice to be delivered to nearby businesses, this can be a good option as the shipping address remains confidential to trezor/ledger  (unless you are dumb and provide them a "billing address with your real DOX).

One of the advantages is that said businesses (mainly groceries store) are open until 11pm every day. (unlike the post office that only do 9am to 4pm working days only).
I wouldn't do that for an expensive package, but for everyday low-value parcels it working quite well.


The $5 wrench attack is really hard to avoid, but every step that make it harder is a step in the right direction

I don't know why they scrub their old customer database they might want to continue with their upselling or something related to that? I mean it's ideal for us as consumers to have our data be trashed but for companies to have that information because customers ordered previously is a gem. Customers are the lifeline of the company so why scrub? Hmm.

---

It's going to be an expensive investment to run their own data centers, maybe when they get bigger as a company.

---

According to this article by Jamie Redman

https://news.bitcoin.com/hacker-attempts-to-sell-data-allegedly-tied-to-ledger-trezor-bnktothefuture-customers/

The Shopify system is not compromised, said in the article. I think that's what companies will all say if they are included in something remotely like this.


And another allegedly connected company is Keepkey. Stated as well in the article. Just like what Bttzed posted.

I haven't used my Ledger Nano S in Shopify or any e-commerce stores yet. Rumors are just "rumors". They're not confirmed yet. However, I do believe that hackers innovate no matter how hard it is to crack, especially hardware wallets.

Ledger Nano S and Trezor are some of the best, safe and secure wallets ever. If that "hacker" sells that database to the dark web, we could confirm if some certain users would see some unauthorized activity coming from their wallets themselves.

Yeah, I get that. It's still weird.

---

Welp, it's not just Ledger and Trezor. Keepkey database is also reportedly compromised.


....and other crypto exchanges

There's a high chance that this hacker is only trolling though.

To be fair, most ecommerce stores or even websites in general(even the giant ones) use third party data centers anyway(Amazon AWS/MSFT Azure/etc), hence there's almost always going to be a third party trust involved, unless they run their own data centers.

It feels kind of weird that they're selling hardware wallets that helps us protect our crypto funds from hacking is also maintaining a data base of its customers to a centralized server that's also hackable.

For those who still don't get the $5 wrench attack, this conversation might explain it better  

As they should. Time will tell.

Apparently. I'm not giving this rumour that much credibility as Shopify hasn't made a statement yet, but it doesn't automatically mean that a leak didn't happen either. They might also just still be in the "investigations" phase. Again, time will tell.

I have my doubts too. But I don't think this is something we should just totally ignore.

Doubt it is real, to be honest. It would fetch much more value if its sold elsewhere in the darkweb presumably. It's fairly useful for hackers to obtain such information; scamming through social engineering, selling to advertisers etc. I bet it could fetch much more than the asking price here. It would be better to be wary of any social engineering attempts though.

Good on Trezor for scrubbing their user info regularly, hope to see other companies do the same.

When there are statements from the official company, I think they are taking it seriously and are trying to find out if there is an actual breach of the database. Maybee after thorough investigations, the public would be informed as well. I think we will never know what happens behind the scenes if it's real or no, but the important thing is we should not interact with emails claiming ridiculous things right now.

Since their official website uses Shopify, everyone is affected who ordered from their site, right?

Ledger's(and Trezor's, KeepKey's and various other websites) customer database is rumoured to be leaked due to a Shopify exploit. Note: I'm putting a lot of emphasis on the word "rumoured" because there's also a good chance that this is fake. This is just a heads up.

Based on the screenshots, on Ledger's side, the database that's rumoured to be "leaked" include:

• names
• full addresses
• phone numbers
• emails

To see the screenshots of the apparently "leaked" database, take a look at the tweet itself: https://twitter.com/underthebreach/status/1264460979322138628


The only statements we have from Ledger and Trezor as of the moment:

Src:

• https://twitter.com/Ledger/status/1264506360735174657
• https://twitter.com/Trezor/status/1264547574377218048
• https://www.reddit.com/r/ledgerwallet/comments/gpswhu/the_ethereum_forum_hacker_is_now_selling_the/frohn7t/

In this case we can say that it's more unlikely for Trezor to be affected. One thing's for sure, don't take $5 wrench attacks lightly.


Will edit this topic when I find more updates.

EDIT 1: Alright ladies an gents, looks like we're done with this topic.


While we can all have our sighs of relief now, make this be a wake up call that it's heavily not recommended to be handing over personal information on a lot of websites. Always think twice when handing over personal information.