Bitcoin Forum

First of all, I have to say that I have been doubting where to open this post, whether in this section or in the speculation section. Feel free to report it to be moved or just tell me if you think it will be better placed in another section.

I've been thinking that after the Ledger fuck-up they must have seen their sales go down a lot. It's a question of reputation. Whoever buys a hardware wallet, what they want is privacy and security. Losing "approximately 272,000 detailed information such as postal address, last name, first name and telephone number" (https://www.ledger.com/message-ledgers-ceo-data-leak)  has made many people not to trust Ledger any more. It's not just that some mobsters may come to visit you at home, it's also that that information is available to your government as well.

So, I'm wondering how deep this will affect Ledger's business, if they will end up bankrupt or not. For sure they are going to lose a lot of sales.

I am undecided. As far as I'm concerned, let them go to hell. On the other hand I think the Ledger-Trezor competition is good but if Ledger goes bankrupt another company may take its place.

What do you think about it?

If KeepKey is still surviving, you bet Ledger will still exist for years to come.

I feel most of these hacks and leaks usually dies down after awhile and it would get mentioned briefly in the future but the noise would probably not amount to too much bad publicity (bad publicity is still publicity) . It didn't directly affect the security of their product and they can just sweep it under the rug saying that it's their fault and better security measures blah blah..

I feel like Ledger has a pretty decent profit margin for their devices and that the lack of alternatives with their aggressive marketing campaign is just going to push more users to Ledger. Perhaps a little down in sales for awhile but it'll probably go back to normal after this blows over.

Probably zero impact.
Whoever is worried about privacy would never give their true identity to ledger nano.

Additionally, this leak has zero impact over security. There have been some phising related to that data leak, but if the user is a victim of a phising email and he gave his seed to criminals he would lose those coins anyway.

Whoever.wants to buy bitcoin MUST get informed about its security

Most of those who are not on the 272k list may not understand how important this is and not care too much since they are not physically affected.
So yes, their reputation was affected, but not that much. Clearly not heavily enough to go bankrupt.

Probably this year's Christmas sales will be better than usual for Trezor, but I don't expect much else happen.

It's not that simple. Hiding your identity when you want to have something shipped to you is not easy and may be borderline illegal in some contexts, e.g. if you try to rent a mailbox under a false name. And when you have your physical address leaked it's not longer about phishing but about someone showing up at your doorstep to ask for your bitcoins.

Is that going to cost them sales? I hope so. But I think only a major lawsuit could bankrupt them.

No one to whom all the information has been made public should never again buy anything from Ledger, because at least as far as I'm concerned, trust is completely lost. A company that should be an example to others has put itself in a situation where we can freely place it in the category of complete amateurs. Maybe some new kids who won't be aware of all this will buy their products, but from all these 272 000, I believe most will not buy anything in the future.

---

Phishing is in this case the smallest problem, the problem is that the physical addresses of a huge number of customers are known, which allows anyone to target someone under the assumption that they have a certain value in crypto. It's not something you just sweep under the rug, people are scared and worry about the safety of themselves and their families - you just need to read all those comments on Ledger Reddit&Twitter.

We've already commented in another thread that we still don't know what all the hackers got their hands on, and whether it's possible to link all that data to users' coin addresses via Ledger Live - which would really be like drawing a target on each user's forehead with the exact amounts of what they possess.

---

Given the number of affected users, I have no doubt that this will happen (I mean the lawsuit), since it is a company based in one of the largest EU member states, and it is a slightly more serious matter than what they are trying to show by sending rather pointless messages via e-mails.

If you really want to stay fully anonymous, you shouldn't order a hardware wallet at all.

It's not like hardware wallets are necessary to store bitcoins securely. They are "just" a tool for convenient secure storage.

If you want to hide your identity as good as possible and there is no option to anonymously get something delivered to you, don't order.
I am not saying that the leak is ok or that the user are at fault, don't get me wrong. But no one really has to give away personal data to store BTC securely.

That's true. With a stick with Tails on it you can easily set up a cold storage and you are just fine (even safer than a HW actually) and also remain anonymous.

However, some may be associating HW users with wealthy users (which is imho incorrect, but still possible) and can cause physical problems to some Bitcoiners. Whose fault it is? It's the fault of the buyer or the fault of the company that has left the customers database unprotected?

I see your point, but Keepkey isn't that popular, didn't get hacked, and probably will go out of business eventually (and probably sooner rather than later, too).  Ledger, on the other hand, is one of the top two hardware wallets on the market and one that I happen to like very much--so I'm hoping they don't suffer a hit too big to recover from.

Then again, they have a brand name that's popular enough in the world of cryptocurrency such that I wouldn't doubt that some other company would likely buy them out rather than just letting them go bankrupt and out of business.  Anything could happen, though.  Anyone who's followed business news over the last couple of decades has seen many popular companies decline and fall and wither away, and that certainly could happen to Ledger.

That's definitely true, but they're big sellers nonetheless.  Some people don't entirely care about their anonymity, even if that's one of bitcoin/crypto's biggest selling points.

Not everyone is an uber geek. I bought a Ledger so that could pass my bitcoins to a family member if something happens to me. Sure I could leave them a 10-page document on how to set up an air-gapped Linux box but that's like open heart surgery for them. They would likely ask someone for help and would get robbed.

Hindsight is awesome and the lesson has been learned. I don't think blaming people for not being nerdy enough for Bitcoin is going to help here.

Good point. But again, not the first time a large scale database leak with very sensitive information has occured. Let's see how this pans out in the future.
I think that's a sweeping statement. They're designed to be better than any implementations that a normal user can handle whilst being hassle free to use. A database leak cannot negate the possible benefits a hardware wallet can have.
No one flaunts their hardware wallet or at least I've never seen someone doing that. It's fair to say Ledger didn't invite someone to leak their database but they didn't take the proper security precautions. I would always make purchases online with the presumption that whatever I provide will become public and that has led me to take some measures to mitigate the impacts of any database leaks.

To make it clear, I don't support Ledger as well but they are a hardware wallet maker who is able to do their job decently well.

Any properly configured and used cold storage is safer than any HW in use. That's not about Ledger.
On the other hand a good HW is a good enough mix between security and convenience.


Yup. I am also one of the customers happy enough with their product.


Very nice, I'm happy for you (genuinely). Clearly there aren't many that do this and I think that you are missing or minimizing something: we are not talking about customers that bought clothes, for example. Since their products can be associated with money/wealth, they should have had better safety measures than the usual shops...

If people are able to forget about Google+ or Facebook, Amazon data leaks I believe they can forget Ledger's case as well. Yeah, you can say, it's not the same thing, not the same business at all. No matter, in fact, the result is the same.
Moreover, personal data is something you can even legitimately buy from companies, with much more information about what has been leaked from Ledger, yet I see nobody shouting even after they receive scam calls for insurances lol.

From the finance industry, whatever it is Citigroup, Capital One, Countrywide Financial Corp, Equifax, or even the European Central Bank is there a bankruptcy among those?

FYI 75% of the companies worldwide have already lost data. Most often due to human error.

Concerning Ledger, it's not even something that will damage the security of their products and that's what matters the most. Yes it was a big mistake, yet your coins aren't at risk

I would agree that cold storage is safe enough for normal use. I can't agree that cold storage are safer than HW wallets.

Certain hardware wallets are designed to specifically reduce the signature to make sidechannel attacks impractical, especially when normal cold storage are not specifically designed for those. Inclusion of secure chip allows the device to be bricked and the seeds to be irretrievable when a certain number of tries for the PIN has been registered. Rigorous audits done by researchers to try to breach the priv keys. Plausible deniability that some hardware wallet includes helps to minimize the losses from a $5 wrench attack, etc.

It wouldn't be fair to say that they aren't at least as secure as cold storage wallet, despite the additional steps taken to try to mitigate the possible attack vectors. Not a fan of ColdCard's PR but I like ColdCard as a HW wallet and it's arguably designed to mimic a cold storage wallet while adding extra security features.

---

I think any further discussions will lead to it being offtopic. I think this is better discussed as a separate topic by itself.

I Just asked a Friend to buy it . We bought a few together, a group if friends. ;)
I know that a privacy paranoid person  would find some solution.

Any data you put in the web, no matter which company received it, you can consider that it will become public one day.

I think you are wrong, and as ETFbitcoin has already written you cannot compare some other databases that have become publicly available at some point, with the Ledger database being hacked and containing over 270 000 of their customer data where each of them becomes a potential target not only for phishing but also for physical attacks. How are you going to tell someone that he is safe after all, when in some countries people are killed for less than $100?

I personally don't care whether Ledger goes bankrupt or not, I hope that a class action lawsuit will be filed and that as many people as possible will take part in it. In the meantime, I will definitely look for an alternative solution for the new HW - which I advise everyone else - Ledger is no longer a company to be trusted.

Alert...Alert... ledger shillers detected on this page... defending this shit company...Alert   :D

I don't know if and when ledger will go bankrupt, but they showed how amateurish village liars working from garage they are, and I am sure they are going to receive many lawsuits to deal with, so they will not have time to work on adding more shitcoins....  :)

Where, where? Where? I can't see them! ;D


I don't care if Ledger goes bankrupt after this, I haven't bought their wallet (nor any other, yet). It's just interesting for me to read their statements and see how they're trying to get out of this fiasco. Maybe they'll open their source code after that, so we'll finally get something good out of all this. One thing is for sure, I'm certainly not going to buy my first hardware wallet online (although it is recommended to buy it directly from the manufacturer).

Additionally,  ledger customers may hold significant amount of bitcoins, potentially good target. While Facebook users are not

Have a read through some of the breaches listed here: https://en.wikipedia.org/wiki/Data_breach

There are plenty of big name companies that have leaked all sorts of information (like full personal details and/or banking details etc) that are still operating... and a lot of those data breaches made headline news in mainstream media etc.

This breach is a big deal in the "cryptosphere"... but I haven't seen mention of it anywhere outside of cryptocurrency related websites.


I don't know if this incident will cause Ledger to go bankrupt... consider if each of those 272,000 affected only paid ~$70 for a single Nano S... that's ~$19million... I don't see the manufacturing costs of the devices, wages/salaries nor the R&D costs being anywhere near that... And that's not even counting the customers who aren't included in the breach. :-\

Their reputation has taken a, deservedly, massive hit... they'll need to work hard to regain that trust.

@bitmover

As I said in another topic in the French forum, the risk is not so significant as people may think. You can buy an HW wallet as a gift to someone from your friends and family, as a reward for a contest. You may have sold your coins when the market crashed. You may have changed your personal address since
There are so many other things to consider.

Someone would take the risk to come to your home without knowing if you still live there, or if you still hold cryptos, etc? That doesn't make sense or the person is very very hungry.


@ETFbitcoin
Selling user's data to advertising companies is different than having your server hacked and a list published to everybody. When Google+ had an exploit it wasn't selling user data, it was exposing them as a result of a security breach on their servers. The same goes to Amazon and Facebook.

No matter, even if we take the examples I posted earlier from the finance industry, it has to do with the money 'sphere' and information about people.


I can take a privacy-centric product as another example if you want. How many VPNs, supposed no-log, have suffered a data leak

The European central bank, the US Department of Homeland Security or the IRS data leaks are a lot more important than Ledger, with more possible damages

I don't disagree with you at all that other privacy focused products and services have also had data leaked or hacked, and I don't disagree with you at all that there have been other larger and more damaging data leaks.

However, none of that makes what has happened with Ledger OK. It is not sufficient to say "Eh, worse things have happened", and then move on. The fact that Ledger was targeted is not what concerns me. The two things that do concern me are firstly, Ledger were storing full details of a quarter of a million customers in an unencrypted database which was connected to the internet. There are just so many things wrong with that. Why did they have all these unnecessary details? Why were they all in a single database? Why wasn't it encrypted? Why wasn't it secured? Why was it accessible via the internet? Secondly, Ledger either lied about the scale of the data breach, or they were completely unaware of the scale of the data breach until the file went public, and neither of those instill any confidence in me whatsoever. They have made a series of significant security errors followed by a series of significant public relation errors regarding this data leak.

Since I ordered under a pseudonym and drop-off location none of my real details even appear on that database, so the fallout for this literally doesn't affect me at all, but I have still stopped using my Ledger products because of it.

I didn't say it's ok, if you re-read you will see  I was saying worse things have happened (with some examples) yet nobody is shouting. The important point was nobody is shouting anymore after somedays and forget about it. The same thing will happen with Ledger


For accounting or customer service or other things. According to the law, it is mandatory to keep invoices with customers' information and all traces of each and every transaction. It's all the businesses like that, it's just a matter of accounting using a ledger


It was, but apparently, not enough, and a (group of) hacker has found a breach in the system. It doesn't mean the system wasn't secured at all


They didn't lie and had no reason to do so knowing that with the GDPR the company might be in trouble if Ledger had knowingly lied to hide the size of the incident. Not to mention the bad press it would have received.
It's just that Ledger couldn't evaluate accurately the importance of the incident, we can't blame them for that, they did what they could and even hired an outside company to audit.

Their business model is partly based on trust Ledger has no benefit in losing it, on the contrary.


It was a strategic decision if they didn't communicate as the mass thinks they should. No matter the industry, rarely you will see a company communicating 'immediately'