Bitcoin Forum

Other => Beginners & Help => Topic started by: DdmrDdmr on July 29, 2020, 07:28:18 AM



Title: Ledger Security Notice-Ecommerce and Marketing data have been exposed-Funds Ok
Post by: DdmrDdmr on July 29, 2020, 07:28:18 AM
I normally do not like posting anything that is little more than a copy/paste + link, but this case justifies me doing so:

https://www.ledger.com/addressing-the-july-2020-e-commerce-and-marketing-data-breach

Quote

Our ecommerce and marketing database leaked, we immediately fixed the breach. Contact and order details were involved. Your funds are safe.
 

What happened?

On the 14th of July 2020, a computer researcher that participated in our bug bounty program notified us of a potential data breach on the Ledger website. We immediately fixed the breach after receiving the researcher’s report and undertook an internal and external investigation of the situation. While conducting the investigation, we discovered an unauthorized third party had gained access to customer information.  
 

What personal information was involved?

Contact and order details were involved. This is mostly the email address of our customers. Further to investigating the situation we have also been able to establish that, for a subset of customers were also exposed: first and last name, postal address, phone number and ordered products. Due to the scope of this breach and our commitment to our customers, we have decided to inform all of our customers about this situation.

Payment information, credentials (passwords) or crypto funds are not impacted by this data breach. This data breach has no link nor impact on our hardware wallets and the Ledger Live application. Your crypto assets are safe and are not in peril.
 

What we have done, what we are doing

We have taken immediate action on 14th of July 2020, to resolve the data breach.

On the 17th of July, we notified the CNIL -- the French Data Protection Authority -- about this data breach and are continuing to work with authorities throughout the legal process.

We are continuously monitoring for evidence of our customers’ contact details being disclosed on the internet, and have found none thus far. We also performed an internal penetration test.

We are currently in the process of filing a complaint before the French public prosecutor regarding the unauthorized access and we will support law enforcement investigation.

We are extremely regretful for this incident. We take privacy very seriously, and we sincerely apologize for the inconvenience this matter may cause you.
 

What you can do

We recommend you exercise caution -- always be mindful of phishing attempts by malicious scammers.

As a reminder, Ledger will never ask you for the 24 words of your recovery phrase. If you receive an email that looks like it came from Ledger asking for your 24 words, you should definitely consider it a phishing attempt.

We suggest you visit Ledger Academy security section to educate yourself on general security principles and more precisely our article about phishing attacks.

Pascal Gauthier, Ledger CEO

If the above is completely true, and facts and scope of the breach are as is, be very wary over the comming days of personalized phising attempts.

It really despise the fact that addresses were leaked. That is unforgivable, and although I do not expect a criminal campaign preceded by a mass sell of 5$ wrenches at warehouses, for a company that works on security, encrypting the DB and storing the keys separately is bloody paramount.


Title: Re: Ledger Security Notice-Ecommerce and Marketing data have been exposed-Funds Ok
Post by: jseverson on July 29, 2020, 07:49:18 AM
If the above is completely true, and facts and scope of the breach are as is, be very wary over the comming days of personalized phising attempts.

More than that, I would even be wary of being robbed. There are people out there who know you're probably holding a respectable number of coins, what to look for, and where they may find it. If you're one of the customers whose data got leaked, it probably wouldn't hurt to bolster your physical security.

Supply chain attacks have basically been the only real downside in hardware wallet discussions, and I feel like this is another big one that will repeatedly come up in the future. I'm pretty happy I make my own cold wallet.


Title: Re: Ledger Security Notice-Ecommerce and Marketing data have been exposed-Funds Ok
Post by: Coyster on July 29, 2020, 08:02:44 AM
More than that, I would even be wary of being robbed. There are people out there who know you're probably holding a respectable number of coins, what to look for, and where they may find it. If you're one of the customers whose data got leaked, it probably wouldn't hurt to bolster your physical security.
jseverson you do have a point there, but this scammers are more of cyber criminals than armed robbers, so a situation of one of those users whose information just got leaked being robbed is imo improbable; that being said, it doesn't mean it cannot happen, but the scammers will try every online means, phishing attempts, impersonations, blackmailing etc, and if it ever gets to a robbery incident, i'll expect the user to have hundreds of thousands (or millions even) in bitcoin, for the scammers to take the risk of being caught now coming in person.


Title: Re: Ledger Security Notice-Ecommerce and Marketing data have been exposed-Funds Ok
Post by: btcltcdigger on July 29, 2020, 09:41:34 AM
If the above is completely true, and facts and scope of the breach are as is, be very wary over the comming days of personalized phising attempts.

More than that, I would even be wary of being robbed. There are people out there who know you're probably holding a respectable number of coins, what to look for, and where they may find it. If you're one of the customers whose data got leaked, it probably wouldn't hurt to bolster your physical security.

Supply chain attacks have basically been the only real downside in hardware wallet discussions, and I feel like this is another big one that will repeatedly come up in the future. I'm pretty happy I make my own cold wallet.

Yeah, if they can tie wallets with ledgers, and lesgers with addresses, then some people might have something to be worried about.
Time to lock up ledgers and move them to a safe place i guess

In any case, i'm sure everyone who owns a ledger can expect alot of emails in the following weeks


Title: Re: Ledger Security Notice-Ecommerce and Marketing data have been exposed-Funds Ok
Post by: Maus0728 on July 29, 2020, 10:35:55 AM
Is this somehow related to Ledger(and Trezor) hardware wallet owners: heads up | EDIT: (debunked) (https://bitcointalk.org/index.php?topic=5250862.msg54495618#msg54495618)?

And yeah $5 wrench attack is a great risk for people who are also living on their household..probably an average bitcoiner. 2 consecutive info breach on Ledger is something to be afraid of LOL. It is also a good idea to shop on Ledger using another location for delivery and a dummy name since I don't think they give importance whether it is true or not.


Title: Re: Ledger Security Notice-Ecommerce and Marketing data have been exposed-Funds Ok
Post by: HeRetiK on July 29, 2020, 10:53:31 AM
More than that, I would even be wary of being robbed. There are people out there who know you're probably holding a respectable number of coins, what to look for, and where they may find it. If you're one of the customers whose data got leaked, it probably wouldn't hurt to bolster your physical security.
jseverson you do have a point there, but this scammers are more of cyber criminals than armed robbers, so a situation of one of those users whose information just got leaked being robbed is imo improbable; that being said, it doesn't mean it cannot happen, but the scammers will try every online means, phishing attempts, impersonations, blackmailing etc, and if it ever gets to a robbery incident, i'll expect the user to have hundreds of thousands (or millions even) in bitcoin, for the scammers to take the risk of being caught now coming in person.

Problem being, these datasets usually get sold on the black market. So while the original attackers might not do physical crime, they very well might sell the data to criminals who do. If you live in a country that's relatively safe to begin with this probably won't affect you, but if you live in an area prone to organized crime you now might have a big target on your back.


Title: Re: Ledger Security Notice-Ecommerce and Marketing data have been exposed-Funds Ok
Post by: Erumo on July 29, 2020, 11:02:32 AM
They got owned for 4 days, and only now they announce about it. Not smart. Why not announce it on the day they got exploited and warn users  from giving "24 words of your recovery phrase" to someone.

Not a single word about compensation to 9500 customers. This will strike hard on their reputation. I expect used ledgers appear on the market, as well as discounts in ledger shop.


Title: Re: Ledger Security Notice-Ecommerce and Marketing data have been exposed-Funds Ok
Post by: 20kevin20 on July 29, 2020, 11:37:34 AM
I wonder if older customers have been affected as well or just recent ones. IIRC, they once said older customers are deleted from their database for security purposes. The fact that it's the second time something like this happens is worrying, to say the least.

I'd say a wrench attack isn't very likely for most customers, but is something they should consider - especially if bigger or more popular names are involved.


Title: Re: Ledger Security Notice-Ecommerce and Marketing data have been exposed-Funds Ok
Post by: DdmrDdmr on July 29, 2020, 12:29:36 PM
This information release explains the incident a wee bit further:
 https://www.ledger.com/addressing-the-july-2020-e-commerce-and-marketing-data-breach

If we take it as is:

- The data breach was performed through an unauthorized use of an API Key to access both the Marketing and e-commerce data.

- They figure that 1M email addresses may have been retrieved through the API (I figure they keep logs of API usage, and should be able to be certain of this fact).


- Personal stolen data was delimited to that of 9500 customers (they do not provide a criteria here to know who may be affected by this part of the breach).

- All affected customers have received an email with information on this breach. Therefore, if you’ve received an email such as the one in the OP, you are amongs those breached. There is no information on whether the 9.500 customers that have had their personal data breached, have or have not been explicitly notified of this fact.


The positive side (so as to say) is that the personal data breach is delimited to a very small portion of the database. Emails are going to be used for phising campaigns for sure, so be wary of any email you receive related to ledger: check the sender properly, and contrast with the official Ledger website. Do not panic and rush to providing mnemonics at any time on any site, and do not move to downloading anything related from an external link (i.e. alleged Ledger Live updates).


Title: Re: Ledger Security Notice-Ecommerce and Marketing data have been exposed-Funds Ok
Post by: jseverson on July 30, 2020, 02:36:02 AM
jseverson you do have a point there, but this scammers are more of cyber criminals than armed robbers

To add to what @HeRetiK has already said, hackers are more likely to sell your data rather than use it. Trezor's blog actually covers this:

In most cases, the hacker will not use the data, but instead will sell them to a third party, often called a “broker.” By selling the stolen information, they’re reducing the risk they’re facing compared to the risk of using the data by themselves.

Actually utilizing the hacked data is usually a big operation, and the hackers themselves may not have enough resources to fully take advantage of it. That being said, your data could easily end up with a random person/group within your vicinity, and we have no idea what kind of action they would take. I agree that it's far more likely for them to be used in a social engineering attack, but physical assaults relating to crypto aren't unheard of (and it might even be safe to assume that they're uncommon because attackers aren't aware who HODLs; this dataset can provide them with a full list), so I'd say it's important to highlight this risk.


Title: Re: Ledger Security Notice-Ecommerce and Marketing data have been exposed-Funds Ok
Post by: squatter on July 30, 2020, 02:59:23 AM
There is no information on whether the 9.500 customers that have had their personal data breached, have or have not been explicitly notified of this fact.

They specified this on Twitter (https://twitter.com/Ledger/status/1288452973811703810):

Quote
If you are part of the approximately 9500 customers whose detailed personal information - name surname, postal address or phone number - were accessed by the unauthorized third party you have been notified 30 minutes ago.

I guess you can breathe easy if you haven't received an email specifying that you were part of the smaller breach.

This is all very disappointing considering what Ledger is in the business of. This is yet another reminder -- don't reuse email addresses, and use P.O. boxes for sensitive purchases.


Title: Re: Ledger Security Notice-Ecommerce and Marketing data have been exposed-Funds Ok
Post by: jademaxsuy on July 30, 2020, 04:21:31 AM
Problem being, these datasets usually get sold on the black market. So while the original attackers might not do physical crime, they very well might sell the data to criminals who do. If you live in a country that's relatively safe to begin with this probably won't affect you, but if you live in an area prone to organized crime you now might have a big target on your back.
Yes pretty sure Identities could be use in scamming. There are many individuals being directed as scammers even not really connected to the scam instead it was only his identity being used to prove that they are legit and exposed the victims Identity. This is a very serious problem in the future. It is because identities can be use and tag to a scam activities. This is even common to facebook where many users are copying pictures and identity of others then selling. The hard part is that identity is not the true identity of the scammer.


Title: Re: Ledger Security Notice-Ecommerce and Marketing data have been exposed-Funds Ok
Post by: cryptoaddictchie on July 30, 2020, 04:54:02 AM
Ive received too the security notice from Ledger, but checking in on their social media how to know if I were part of those. I think my information were safe. At first I thought the mailed was a spam email but checking the social media and it did sync in that they were breached.


Quote
If you are part of the approximately 9500 customers whose detailed personal information - name surname, postal address or phone number - were accessed by the unauthorized third party you have been notified 30 minutes ago.

I guess you can breathe easy if you haven't received an email specifying that you were part of the smaller breach.


Can anyone from ledger users confirm here if ever you got emailed from them about the qoute aboved? I think they should aplogize to those 9500 users who were affected and give them compensation and assurance just in anycase their profile has been caught doing any illegal activity as scammer can used their details.


Title: Re: Ledger Security Notice-Ecommerce and Marketing data have been exposed-Funds Ok
Post by: Yogee on July 30, 2020, 04:54:15 AM
I wonder if older customers have been affected as well or just recent ones. IIRC, they once said older customers are deleted from their database for security purposes. The fact that it's the second time something like this happens is worrying, to say the least.
We can't say for sure since they can store customer data for up to 10 years.
Quote
If you purchased a product or a service from us, we may retain some transactional data attached to your Contact Details to comply with our legal, tax or accounting obligations for a maximum 10 years period set forth by French applicable laws, as well as to allow us to manage our rights (for example to assert our claims in Courts) during applicable French statutes of limitations.


Those 9,500 customers affected are probably fuming upon learning their personal data got leaked. I'm not victim blaming or anything but I wonder if they all read what's stated in the Ledger's Privacy Policy?
Quote
Who may we share your information with?

Ledger, its employees and contractors may use some of your personal data strictly as part of their duties and in accordance with this Privacy Policy.

We may also transmit some of your data to third parties such as payment services, infrastructure, logistics, and other services providers.

We enter into contractual arrangements with these third parties to ensure that personal data they could have to process for the provision of their tasks is adequately secured and that your privacy is protected. These providers have privacy policies which you may refer to for information about how they process your information and how to exercise your data subjects’ rights as provided under Applicable Laws. All personal data processed by these third parties shall solely be used to perform the services they provide to us and for the purposes set out in this Privacy Policy.

In certain circumstances and only where required by Applicable Laws, we may disclose some of your data to competent administrative or judicial authorities or any other authorized third party.

- https://shop.ledger.com/pages/privacy-policy

They can request for the erasure of their personal data but the risk was already there when they bought their wallet. I don't think Ledger will ever change their privacy policy but this is something potential customers should be aware of too.



Title: Re: Ledger Security Notice-Ecommerce and Marketing data have been exposed-Funds Ok
Post by: Yogee on July 30, 2020, 04:57:18 AM
Ive received too the security notice from Ledger, but checking in on their social media how to know if I were part of those. I think my information were safe. At first I thought the mailed was a spam email but checking the social media and it did sync in that they were breached.
If you received an official email from them, then you are one of the 9,500 customers affected by the hack.

Please check the sender to be sure if it's actually from Ledger.


Title: Re: Ledger Security Notice-Ecommerce and Marketing data have been exposed-Funds Ok
Post by: squatter on July 30, 2020, 05:06:56 AM
Can anyone from ledger users confirm here if ever you got emailed from them about the qoute aboved? I think they should aplogize to those 9500 users who were affected and give them compensation and assurance just in anycase their profile has been caught doing any illegal activity as scammer can used their details.

Ledger doesn't appear to have enough customer information for identity theft. The main concern is phishing given that that 1 million email addresses were compromised. There may be a theoretical chance of $5 wrench attacks, but since there is no association between Ledger customers and actual cryptocurrency holdings -- no way to target big holders -- the chances seem remote.


Title: Re: Ledger Security Notice-Ecommerce and Marketing data have been exposed-Funds Ok
Post by: DdmrDdmr on July 30, 2020, 07:24:47 AM
<...>
Ok, thanks. Good to know that those 9.500 customers involved in the personal data breach were explicitly informed on which specific data was involved. This was done through a second email, distinct from the one reflected in the OP, which was sent to the 1M breached emails.

I’ve skimmed through the whole twitter conversation, and have found one reference from a person who allegedly bought his Ledger device 3 years ago, and received the above described second email. If the case is true, the pattern (which is not revealed) does not circumscribe to those that made a recent purchase (as some people speculated there).


Title: Re: Ledger Security Notice-Ecommerce and Marketing data have been exposed-Funds Ok
Post by: mk4 on July 30, 2020, 08:28:27 AM
Ladies and gentlemen, if you have have been a customer of Ledger and you got their products delivered in your home, now might be the perfect time for you to learn about $5 wrench attacks.


  • https://cryptosec.info/wrench-attack/
  • https://blog.keys.casa/how-to-protect-your-bitcoin-from-5-wrench-attacks/


Title: Re: Ledger Security Notice-Ecommerce and Marketing data have been exposed-Funds Ok
Post by: Coyster on July 30, 2020, 08:46:06 AM
Could it have been the work of "hackers" from government supported agencies which have more effective tools  than $5 wrenches?
No, the chances it was the government who did this, hacking into the ledger system and stealing users email addresses is almost nil in my opinion, some governments obviously may not support crypto, but they also don't sell people's email addresses in the black market or try to scam through phshing mails, the hack surely is the work of scammers who have always targeted crypto (bitcoin) users ever since its value skyrocketed.
Ladies and gentlemen, if you have have been a customer of Ledger and you got their products delivered in your home, now might be the perfect time for you to learn about $5 wrench attacks.
I'm so sure ledger users will be getting extremely paranoid atm, i also want to add that should the hackers sell this data to people who can actually do physical damage, it will be carried out many months from now, not at this time the issue is still 'hot topic', so those 'breached' users should up their guard, not just for the meantime, but for many months to come


Title: Re: Ledger Security Notice-Ecommerce and Marketing data have been exposed-Funds Ok
Post by: mk4 on July 30, 2020, 09:23:16 AM
I'm so sure ledger users will be getting extremely paranoid atm, i also want to add that should the hackers sell this data to people who can actually do physical damage, it will be carried out many months from now, not at this time the issue is still 'hot topic', so those 'breached' users should up their guard, not just for the meantime, but for many months to come

Sure it's really likely that the database wouldn't be given to some criminals(or publicly leaked) today or tomorrow, but yea this is something people shouldn't set aside for the meantime and deal with it in the future instead; which I assume people are doing.

Anyway, this shouldn't solely be a $5 wrench issue. The data being publicly available also means the government is going to know which people actually poses bitcoin and cryptocurrencies; which is also definitely a bad thing.


Title: Re: Ledger Security Notice-Ecommerce and Marketing data have been exposed-Funds Ok
Post by: erikoy on July 30, 2020, 02:04:40 PM

Sure it's really likely that the database wouldn't be given to some criminals(or publicly leaked) today or tomorrow, but yea this is something people shouldn't set aside for the meantime and deal with it in the future instead; which I assume people are doing.

Anyway, this shouldn't solely be a $5 wrench issue. The data being publicly available also means the government is going to know which people actually poses bitcoin and cryptocurrencies; which is also definitely a bad thing.
I think government could not do harm to their community wether holding crypto or not. But I guess the real problem is all about misuse of the identity being taken from the said event. It is likely a big problem to those individuals especially if their identity will be use for criminal activities and get drag into it by the misuse of the criminals. I have obeserve that government does not really rely based on stories when they caught a suspect. They rely on the evidences and identity being exposed of the crime.


Title: Re: Ledger Security Notice-Ecommerce and Marketing data have been exposed-Funds Ok
Post by: mk4 on July 30, 2020, 04:11:13 PM
I think government could not do harm to their community wether holding crypto or not.

You'd be surprised what a certain country's government would do just to get what they want. Probably safe for now since most countries are pretty chill with bitcoin and cryptocurrencies in general, but wait til some of them enforces strict rules.


Title: Re: Ledger Security Notice-Ecommerce and Marketing data have been exposed-Funds Ok
Post by: 20kevin20 on July 31, 2020, 07:45:47 PM
A random shower thought I just had: would e-mailing these companies and kindly asking them to erase all the data they stored about you be a good idea to consider for future orders/accounts we make? I think it does increase the chances of not being part of future data leaks/hacks, or it at least decreases the amount of information one could steal.. especially for orders from companies such as Ledger, from where you rarely place orders at all.


Title: Re: Ledger Security Notice-Ecommerce and Marketing data have been exposed-Funds Ok
Post by: DdmrDdmr on July 31, 2020, 08:22:06 PM
<…>
An email demanding such course of action would likely not be taken seriously (meaning by that, executed correctly) unless the corporation has a properly tested inner protocol already established for such cases, and the jurisdiction they are under covers the event.

For example GDPR allows you to demand your personal data to be deleted, but there are many things to consider in the equation. A purchase order can be considered as a financial contract, and financial contracts need to be stored for a certain amount of years, superseding GDPR. Additionally, backups are another potentially exploitable weak point (and that is one hell of a job to delete from a backup in general).

Even so, if one is concerned, and the case here raises awareness and concerns, one is always entitled to try and see what kind of response they get, alongside the guarantees that the deletion actually takes place (if at all).


Title: Re: Ledger Security Notice-Ecommerce and Marketing data have been exposed-Funds Ok
Post by: cryptoaddictchie on August 01, 2020, 04:15:24 AM
If you received an official email from them, then you are one of the 9,500 customers affected by the hack.
Hello maybe yes, but there is a confirmation message which DmdrDmdr saw on twitter. There is unique email that will be sent a second one with the specific leaked on each user. Ive just recently bought my ledger so Ive expect my email used could be included ( hope not) but I followed up a message to them confirming and just waiting their response.

Ok, thanks. Good to know that those 9.500 customers involved in the personal data breach were explicitly informed on which specific data was involved. This was done through a second email, distinct from the one reflected in the OP

no way to target big holders -- the chances seem remote.
This is reassuring. Not really a big holder, emailed leaked is really frustrating especially if its your personal email that was used in purchasing the unit.