Ledger has officially confirmed that it suffered a data breach on June 25th, 2020 as the result of a hacker attack.
The discovery was only made on July 14th, thanks to a researcher who participated in the French company’s bounty program.
As soon as the researcher's report about a potential data breach was received, an internal investigation was launched to fix the flaw. The investigation found that the flaw had already been exploited on June 25th by an unauthorized third party, who gained access to the company's e-commerce and marketing database.
This database is used by the company to send order confirmations and promotional emails, and consists primarily of email addresses.
In some cases, contact and order details such as first and last name, postal address, and telephone number are also stored in it.
The company states, however, that payment information and customers' funds were not affected.
Ledger data breach: what happened
The hacker had access to this database via an API key, which has now been deactivated and is no longer usable.
In total, about 1 million email addresses were accessed, as well as additional data from 9,500 customers.
The hacker did not have access to any login credentials or passwords.
Moreover, the breach concerns only this specific database; the hacker never had access to the company's hardware wallets, to Ledger Live, or to customers' crypto assets.
Finally, on July 17th, the company notified the CNIL, the French data protection authority that oversees the application of the law on privacy and the retention of personal data, and filed a formal complaint with the authorities to support their investigation.
For the time being, there are no indications that the database has been put on sale on the Internet.
The company also reminds users that the wallet seed (the 24 recovery words) is held exclusively by the user, and that Ledger will never ask anyone for it. Anyone who does ask for it is likely to be a scammer, even if the request appears to come from Ledger. Since the leaked records include names, postal addresses and telephone numbers, users should expect phishing attempts that use those details to look convincing.
The CEO of Ledger, Pascal Gauthier, also sent a communication to users in which he confirmed the attack and added:
“We are extremely regretful for this incident. We take privacy very seriously, and we sincerely apologize for the inconvenience this matter may cause you”.