Bitcoin Forum

E-Mail from Ledger: noreply@supportledger.com


With a Link in the E-Mail.

But nothing on the website https://www.ledger.com
And support uses this e-mail: support@ledger.zendesk.com

It's a scam. Ledger CTO (/u/btchip) confirmed it on reddit:

https://old.reddit.com/r/ledgerwallet/comments/dn389a/received_email_security_vulnerability_ledger_nano/f57fhf6/

https://old.reddit.com/r/ledgerwallet/comments/dn3ef1/just_got_this_email_and_having_a_hard_time/f57io22/

Not like the last line isn't a dead giveaway anyway.

You did correct. Check official website before doing anything
Personally, I never plug in my hardware wallet, just when I need to do transactions (few times a year).
Never plug it just to install something, you don't need. Your coins are safer away from the computer

The degree of success of this type of fraud depends on the extent of users' anxiety.
people behave irrationally when deciding in a hasty, so the warning is always strongly worded and recommends fast downloading.
Besides, the user does not verify the official website but follows the link sent to him.

Always check out decentralize sites such as forums, the official site can be hacked.

Could an admin maybe merge this thread and its posts with this one? https://bitcointalk.org/index.php?topic=5196022.0
I just think that all the posts of those two threads should be in one place as they are discussing the same issue.

I wonder how you and/or anyone received that email? I'm a subscriber of ledger and never received such kind of email. Most probably your/their email was used on some cloud minings, bounty campaigns, ico, etc. and was sold to these scammers, that's why people keep receiving emails from scammers.

I also didn't received this email. You and me subscribe emails from Ledger, so it probably means that they received email of OP and some other people from somewhere else. Internet is full of offers to buy databases of emails from ICO's, bounties or hacked websites. Also, it's possible that OP posted his email somewhere in public.

i did not receive the message in the inbox of the account i used to communicate with ledger. just in a "spam-account".

He used the email in connection with a bounty or airdrop most probably. Just like big_daddy in a different thread.

All that data is posted freely in the google sheets for bounty campaigns so it is easy for scammers to compile it in a database and do what they want with them.

Yup
That’s true
I checked my address here https://haveibeenpwned.com/
And it’s not good :(

I have to make a new private email...
Shit.

You should absolutely be using different email addresses for different things. As well as helping to prevent this kind of thing from happening, it also increases your security as an attacker gaining access to one email account can't try to reset passwords on every online account you own, and it also increases your privacy by not linking your crypto activities to the rest of your details.

Have one email for work/university/school, have one for fiat finances like online banking, bills, credit cards, online shopping, have one for personal things like friends, social media, and have one for financial crypto sites such as exchanges. For everything else, particularly ICOs or bounty campaigns, make a completely new throwaway address or use one of the many temporary email address generators to sign up.

For your main email addresses, you should also be looking to use a privacy respecting provider. Protonmail is widely recommended, but you can find other good providers here: https://www.privacytools.io/providers/email/

Tnx for the link and for the suggestion
I will consider your advice and take an action asap

Best regards

Just be careful when choosing email addresses as recovery email addresses on each email account so that one compromised account doesn't result in other accounts getting hacked.

also try to use 2FA on any important emails accounts. not a text message to a phone number that can be taken over, something OTP based like google 2fa (or its open source equivalents).

for fun, try to break into your main emails accounts on a fresh computer (ie one thats never logged into that email account before) by clicking "forgot password" link and seeing how far you get. you may be surprised.

I didn't get the e-mail either, but now that I think about it I don't know if I ever gave them my primary e-mail address or not.  How would scammers get access to Ledger's database of e-mail addresses anyway?  Did they get hacked, did Ledger sell them?  Just thinking out loud there.

I'll keep protonmail in mind--I'd never heard of them before.  But boy, I hate using multiple e-mail addresses--I have a couple of different ones, but I don't even use e-mail much anymore so it's a pain in the ass to keep checking several of them.  Fortunately spam filters are so much better than they used to be in the early days of the internet.  I always hated getting adverts for sex toys and Viagra and the like, not to mention all the scam attempts.

The Pharmacist, there is another thread with same topic and it was concluded that there was no hacking on Ledger's email database. The person who received the email in question says the following :


I think Ledger is too serious company to allow itself to sell its databases like some others (Facebook), and that they make decent money from the sales of their devices. However, all that is needed is a corrupt or perhaps careless employee, because most hacking shows that people are the weakest link when it comes to security.

Ledger is, from my poin of view and experince, a great crypto company

Coinbase (? - probably them, IIRC) had a long guide somewhere instructing users how they can setup their gmail account to make it practically impossible for anyone* ever to recover access should a stranger try to hijack someone's account or should the original owner forget the password. Smaller or lesser known email providers might be more susceptible to social engineering attacks. Same goes for registrars and hosting providers if someone's using an email with their own domain name.

*realistically speaking, google may change their policies, their employee(s) can go rogue, etc.

im confused here.  So they want you to download something but isn't the nano ledger x and s not hackable?

It's an old warning about an old phishing email that some users received. It attempted to get the user to download something and I believe input their 24 word seed mnemonic.

I'm not actually aware of anyone who fell for this phishing attempt (at least I didn't see anyone posting about having used the "Ledger SE Checker" and then losing all their coins :P)

Phishing and hacking are two different things. Your device wouldnt get hacked. The tool wants you to enter your seed words and send them to the hacker. It has been said many times before that the seed should never be entered into a software. It is only meant to be looked at on the hardware wallet.

Please stop bumping old topic with stupid questions, don't you know how to read? How can you be confused by something that is explained in a way that a child of 10 years can understand? Maybe you should stick to traditional banking, though I believe you have a problem with that as well, because you are not adopting the information you are getting. I have a feeling that at some point you will do something stupid and lose everything you have in crypto...

---

There is warning about this on Reddit some 6 months old, and when it started I remember few users who were naive enough to share their seed with hackers. One is lost 600 ZEC (some $16k at that time), other $30k worth of BTC...