Reports have appeared that databases of the largest hardware wallets in circulation such as Trezor and Ledger have been put on sale by criminals.
Both of which obtained from a @Shopify exploit.
(suggesting there are many more underground leaks).
— Under the Breach (@underthebreach) May 24, 2020
By looking in detail at the data for sale, it turns out that a known vulnerability in Shopify has been exploited that has allowed the recovery of all user information, such as emails, passwords, phone numbers and more.
The complete list of the various databases is frightening and involves a total of over 300,000 users:
It should be noted that criminals claim to have the complete database also of BnkToTheFuture, a famous investment platform, hence it’s possible that some important names have also ended up in this database, ready for sale on the Dark Web.
We’re talking about sensitive data with which users could be harmed considerably.
Unfortunately, the security of these platforms has been compromised and there is not much that can be done except immediately change all passwords, especially on sites and portals where the same credentials have been used.
In response Ledger reported that their team is investigating the incident and that for the moment the data they have compared does not match their databases. Unfortunately, however, it is still too early to draw conclusions.
Trezor also confirms that they are investigating the incident and are taking steps to delete the data collected previously.