Ledger: data breach has been confirmed
Ledger: data breach has been confirmed
Security

Ledger: data breach has been confirmed

By Marco Cavicchioli - 29 Jul 2020

Chevron down
Listen this article
download

Ledger has officially confirmed that they have suffered a data breach on June 25th, 2020 due to a hacker attack

The discovery was only made on July 14th, thanks to a researcher who participated in the French company’s bounty program. 

As soon as the researchers’ report about a potential data breach was received, an internal investigation was launched to correct the breach, and it was discovered that it had been exploited on June 25th by an unauthorized third party who managed to gain access to their e-commerce and marketing database

This database is used by the company to send order confirmations and promotional emails, and consists primarily of email addresses. 

In some cases, contact and order details such as first and last name, postal address, and telephone number are also stored in it. 

However, the company informs that payment information and funds are safe.

Ledger data breach: what happened

The hacker had access to this database via an API key, which has now been deactivated and is no longer usable.

In total, about 1 million email addresses were accessed, as well as additional data from 9,500 customers. 

The hacker did not have access to any login credentials and no passwords. 

Moreover, the data breach only concerns this specific database, and has nothing to do with the company’s hardware wallets, or Ledger Live and crypto assets, to which the hacker never had access. 

Finally, on July 17th, the company notified the CNIL, the French data protection authority that oversees the application of the law on privacy and the retention of personal data, and submitted a formal complaint to the authorities to facilitate their investigation.

For the time being, there are no indications that the database has been put on sale on the Internet

The company also points out that the possession of the wallet seed (the 24 words) is exclusive to users, and that Ledger will never ask anyone for it. In other words, whoever does so is likely to be a scammer, even if they might improperly appear to be from the same company. 

The CEO of Ledger, Pascal Gauthier, also sent a communication to users with which he confirmed the attack and added: 

“We are extremely regretful for this incident. We take privacy very seriously, and we sincerely apologize for the inconvenience this matter may cause you”. 

 

Marco Cavicchioli
Marco Cavicchioli

Class 1975, Marco teaches web-technologies and is an online writer specializing in cryptocurrencies. He founded ilBitcoin.news, and his YouTube channel has more than 25 thousand subscribers.

We use cookies to make sure you can have the best experience on our site. If you continue to use this site we will assume that you are happy with it.