
Ledger - data breach

Discussion in 'Crypto Currency & Mining' started by dim_pwn, Jul 29, 2020.

  1. dim_pwn

    Gangster

    Joined: Mar 16, 2009

    Posts: 336

    Location: Portsmouth

    Email has gone out today to those affected. In short, API key accessed name/address/tel/email of customers. :(

    On the 14th of July 2020, a researcher participating in our bounty program made us aware of a potential data breach on the Ledger website. We immediately fixed this breach after receiving the researcher’s report and underwent an internal investigation. A week after patching the breach, we discovered it had been further exploited on the 25th of June 2020, by an unauthorized third party who accessed our e-commerce and marketing database – used to send order confirmations and promotional emails – consisting mostly of email addresses, but with a subset including also contact and order details such as first and last name, postal address, email address and phone number. Your payment information and crypto funds are safe.

    To be as transparent as possible, we want to explain what happened. An unauthorized third party had access to a portion of our e-commerce and marketing database through an API Key. The API key has been deactivated and is no longer accessible.


    What personal information was involved?

    Contact and order details were involved. This is mostly the email address of our customers, approximately 1M addresses. Further to investigating the situation, we have also been able to establish that, for a subset of 9500 customers, further details were also exposed, such as first and last name, postal address, phone number or ordered products. Due to the scope of this breach and our commitment to our customers, we have decided to inform all of our customers about this situation.

    Regarding your ecommerce data, no payment information, no credentials (passwords), were concerned by this data breach. It solely affected our customers’ contact details.

    This data breach has no link and no impact whatsoever with our hardware wallets nor Ledger Live security and your crypto assets, which are safe and have never been in peril. You are the only one in control and able to access this information.

    https://www.ledger.com/addressing-the-july-2020-e-commerce-and-marketing-data-breach
     
  2. SlyReaper

    Soldato

    Joined: Apr 26, 2008

    Posts: 6,472

    Location: Bristol, Old Blighty

    So criminals now have home addresses of people who they know own cryptocurrency. That's more than a little scary to think about.
     
  3. illuz

    Mobster

    Joined: Apr 27, 2012

    Posts: 3,321

    During the start of a boom too... Not good if you have a nice stack (and if you own a ledger, you must have a nice chunk). Uh oh.
     
  4. DarrenM343

    Soldato

    Joined: Oct 19, 2008

    Posts: 5,047

    Yeah, it's rather poor to be frank. You expect much better security given what they're offering.
    I don't think anyone who owns one should be worried about break-ins but phishing emails and possibly phone calls, yes.
     
  5. SlyReaper

    Soldato

    Joined: Apr 26, 2008

    Posts: 6,472

    Location: Bristol, Old Blighty

    Quite. Nobody spends £50 to secure £20 worth of Bitcoin. And the best encryption in the world won't stand up to a $5 wrench.
     
  6. DarrenM343

    Soldato

    Joined: Oct 19, 2008

    Posts: 5,047

    A $5 wrench won't do much. I mean it'll destroy the original device but I believe the idea with these is that you restore all the accounts from one long passphrase. So, after a $5 wrench attack you buy a new device and voila, all your old accounts (wallets) are restored onto it. This passphrase is the risky part. A hacker just needs to buy one device and if they have 200 passphrases, their one device becomes the accounts (wallets) of 200 hacked devices, although they'd have to ransack one at a time. This phrase would have to be obtained via a phishing attempt, i.e., "We're writing from Ledger. For a limited time only we're doubling the wallet size of all crypto on your Ledger device. Send us your passphrase now to make your claim".
     
  7. SlyReaper

    Soldato

    Joined: Apr 26, 2008

    Posts: 6,472

    Location: Bristol, Old Blighty

    That's not what a $5 wrench attack is. https://xkcd.com/538/
     
  8. illuz

    Mobster

    Joined: Apr 27, 2012

    Posts: 3,321

    :D
     
  9. Bigpops

    Mobster

    Joined: Oct 18, 2002

    Posts: 4,237

    Location: Sheffield, UK

    There are ways to protect against a $5 wrench. For a start, the pin you enter into the ledger actually contributes to the seed phrase. So, <your seed words> + 1234 yields a completely unrelated set of wallets to <your seed words> + 12345

    This means you can set up dummy accounts, and leave token amounts of crypto in them, or useless air-dropped ETH tokens in those addresses, to make it look like you're complying when you're not.

    That's in addition to taking practical steps to where you store the device and seed words. Splitting up the seed words across sites, storing the device itself off site in say a safety deposit box.

    I'll be honest though, I'm not very happy that a company selling what's supposed to be an incredible security product is storing customer information that can be tied to a physical location in any way that is accessible over the web.
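The property described in the post above, that the same seed words plus a different extra secret give a completely unrelated set of wallets, is what BIP39 specifies for its optional passphrase: the 64-byte seed is PBKDF2-HMAC-SHA512 over the mnemonic, with the salt `"mnemonic" + passphrase` and 2048 rounds, and the BIP32 master key that every account descends from is HMAC-SHA512 of that seed. The script below is an added illustration, not code from this thread or from Ledger; it uses the standard BIP39 test-vector mnemonic as a constructed input and compares the `1234` and `12345` case from the post plus the no-passphrase versus decoy-passphrase case.

```python
"""BIP39 seed derivation: how an extra secret turns one set of seed words into
unrelated wallets. Added example, not Ledger's code and not from the thread."""
from __future__ import annotations

import hashlib
import hmac
import unicodedata

# Constructed input: the standard BIP39 test-vector mnemonic, not a real wallet.
EXAMPLE_MNEMONIC = ("abandon abandon abandon abandon abandon abandon "
                    "abandon abandon abandon abandon abandon about")


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """64-byte seed = PBKDF2-HMAC-SHA512(mnemonic, "mnemonic" + passphrase, 2048 rounds).

    The passphrase enters only through the salt. Nothing is stored that could be
    checked against it, so every passphrase is "valid" and simply yields a
    different seed; a decoy passphrase therefore produces a normal-looking wallet.
    """
    words = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", words, salt, 2048, dklen=64)


def bip32_master(seed: bytes) -> tuple[bytes, bytes]:
    """BIP32 master node: HMAC-SHA512 keyed with b"Bitcoin seed".

    Returns (master private key, chain code). Every account and address of a
    wallet is derived from this node, so different seeds give disjoint wallet trees.
    """
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def hamming_distance(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def compare_passphrases(mnemonic: str, p1: str, p2: str) -> dict:
    """Derive seed and master key under two passphrases and report how they relate."""
    s1, s2 = bip39_seed(mnemonic, p1), bip39_seed(mnemonic, p2)
    k1, _ = bip32_master(s1)
    k2, _ = bip32_master(s2)
    return {
        "seed_len": len(s1),
        # Roughly half of the 512 seed bits differ, as for unrelated random values.
        "seed_bits_differing": hamming_distance(s1, s2),
        "master_keys_differ": k1 != k2,
    }


if __name__ == "__main__":
    # The case from the post: same words, "1234" versus "12345".
    print(compare_passphrases(EXAMPLE_MNEMONIC, "1234", "12345"))
    # No passphrase versus a decoy passphrase: the decoy wallet is a separate tree.
    print(compare_passphrases(EXAMPLE_MNEMONIC, "", "1234"))
```

Because the passphrase is only a PBKDF2 salt, a one-character change flips about half the seed bits and gives a different master key, which is why a wallet holding token amounts under one passphrase reveals nothing about the wallet under another. The flip side for the defender is that a forgotten or mistyped passphrase is not an error the device can report: it silently opens an empty wallet, so the passphrase needs the same backup discipline as the seed words themselves.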
     
  10. DarrenM343

    Soldato

    Joined: Oct 19, 2008

    Posts: 5,047

    I'm clueless :)
     
  11. illuz

    Mobster

    Joined: Apr 27, 2012

    Posts: 3,321

    I'm just kidding mate hah