User data taken from the database of Ledger’s ecommerce site in June 2020, in the so-called Ledger data breach, has been made public on RaidForums.
The confirmation came directly from Ledger’s official Twitter profile, which states:
“Today we were alerted to the dump of the contents of a Ledger customer database on Raidforum. We are still confirming, but early signs tell us that this indeed could be the contents of our e-commerce database from June, 2020”.
— Ledger (@Ledger) December 20, 2020
The company had already publicly admitted to the data theft some time ago, specifying that it concerned only the ecommerce site, and not the wallets.
It also claims today that it has done everything it can in the aftermath of the attack to make its systems stronger, such as hiring a new Chief Information Security Officer (CISO) and thoroughly reviewing its data policy.
It also claims to have had outside security firms carry out attack tests and forensic analysis to find any additional vulnerabilities in its e-commerce systems.
They have also posted a page on their site with descriptions of phishing attacks so that users can avoid them and report any others.
Ledger also reminds users never to share with anyone the 24 words of the wallet recovery phrase (the so-called seed), even with those pretending to be a representative of the company itself, because Ledger will never ask anyone for this data. Furthermore, Ledger never contacts its users directly via text messages or phone calls, so whoever asks for the seed does not and cannot do so in the name of the company.
The Data Breach suffered by Ledger
In fact, the attack suffered in June does not concern the wallets or the funds stored in them at all. It concerns only the user information stored in the database of the company's ecommerce site, which holds no trace of the seeds or private keys needed to take possession of the funds stored in the wallets.
Therefore the users’ wallets were not compromised by this attack.
The data published on RaidForums only concerns the email addresses, physical addresses and phone numbers of Ledger hardware wallet buyers, which is why the company urges users not to share the wallet seed with anyone, even if they receive messages or phone calls that appear to come from Ledger.
In fact, if you receive a request to send the seed seemingly coming from Ledger, it is definitely an attempt to steal it.