In a recent press release, Ledger, the company that manufactures the famous hardware wallet, reported that criminals have exploited another data breach, this one originating at Shopify and involving another 20,000 users.
"The information obtained by these agents is 93% similar to the previous data dump. However, 7% (around 20,000) of the customer records breached are new. We have directly contacted the concerned users to inform them about this."
— Ledger (@Ledger) January 13, 2021
The incident dates back to May of last year, when criminals exploited a flaw in the Shopify portal. On that occasion, data was stolen from over 300,000 users of various portals such as Trezor, Augur and Ledger.
Unfortunately, the following month there was also another attack, this time directly against Ledger, in which about 1 million email addresses and the complete data of more than 9500 users were stolen. A few months later, the criminals also attempted a third attack against the users.
As if that wasn’t enough, it was only last month that all the data from the stolen database was published, including the private information of the users who had dealt with Ledger, i.e. those who had bought a hardware wallet to protect their crypto.
Certainly, 2020 was not the best year for Ledger. As the company itself points out, however, none of these episodes jeopardizes the security of the electronic devices held by users, although it is recommended not to enter your seed on suspicious platforms, and especially in Ledger Live, as it could be compromised.
Ledger in the wake of the data breach
In the meantime, Ledger has taken steps to warn the new users affected by the recent discovery of stolen data, and to tell them not to provide their seed to anyone and not to use it on any platform other than the physical wallet.
In addition, Ledger is working to integrate a messaging model for accessing users' funds, so we could see a 2FA-type system to improve security: even in the case of seed loss, a second password would be needed to access funds.
As for what happened, Ledger has moved to track the data with the support of Chainalysis. In particular, they will try to trace the seeds used and the movements of the wallets, in order to identify how the criminals are using these funds.
In the case of Shopify, both the FBI and the RCMP are working with the French authorities to track down the criminals who perpetrated the Shopify attack.
The company will also take measures related to database management: buyers' private names will be deleted once the order has been processed, to avoid similar problems in the future.
In fact, even if a database of this magnitude had been accessed, had methods been in place to obscure and protect the information within it and make it impossible to read, it would certainly not have been easy for criminals.
This demonstrates the carelessness with which the company has treated this data, causing concern among many users, who in some cases have suggested creating a class action suit against Ledger.
Finally, Ledger has offered a reward to all those who provide useful information to catch the criminals.
The reward is 10 BTC each, to encourage white hat hackers to support the case.