Bitcoin Forum

New day and new email from ledger.

I am not sure if this is some new leak, but what more can we expect from flea market company like ledger...
This time it was 'rogue' Shopify customer support agents that stole customers name and surname, details of ordered products, phone number and postal address.

What is very concerning is the part when they say they will remove 24 words with some 'technical solution'.

https://www.reddit.com/r/ledgerwallet/comments/kwhyky/ledger_security_notice/


Update from ledger:
https://www.ledger.com/blog/update-efforts-to-protect-your-data-and-prosecute-the-scammers

https://i.imgur.com/zXSIoJD.png

Does it even matter if your details have been leaked when Ledger have already leaked them? (/s)

It looks like this was an expansion of the Shopify leak that was initially revealed back in July last year, just like their own leak which turned from "9,500" users to over a quarter of a million. At this point, if you have ever bought anything from Ledger.com, you might as well consider your details compromised and take appropriate action. It's the only way to be sure of your safety, since Ledger's security apparently has more holes in it than Swiss cheese.

I'm very curious as to see what this "technical solution" is going to be. Sounds like they are adding some sort of 2FA, but if they are promising insurance then the only way they can do that is if they have some control over your funds as well. I'm also very curious as to how many users are going to trust Ledger to have some control over their funds when they have repeatedly proven themselves incapable of even keeping a simple database secure.

And I'm going to ask a simple question here, because I haven't read all the posts in the few threads about the Ledger leak:  is it safe to keep using my Nano X to store crypto on?  Right now I've got some altcoins on it that otherwise don't have a home.  I'd appreciate it if someone a lot smarter than me could advise me on that single question.

Thanks in advance.

Edit:
I get that, which is why I like hardware wallets, but there seemed to be a vibe of doubt that Ledger perhaps wasn't storing data like private keys and such.  Is that an actual concern for anyone or am I just being paranoid?

SPF: FAIL with IP 2600:1901:101:0:0:0:0:11
DKIM: 'FAIL' with domain ledger.com

For all we know this e-mail is as fake as all the other "Ledger" e-mails but on the other hand it makes zero difference to how much fucked we are. Dear client LOL

The leaks doesn't affect the security of your Ledger. Ledger should not store any information about the individual wallets that would otherwise compromise your security. Hardware wallets should not record these kinds of information anyways. The leak in question specifically impacted the privacy of the customers through the reveal of personal information.

No one really knows at this point. Considering how many times they lied (or if you want to be generous - displayed abject incompetence) about the hack I wouldn't put it past them to have some sort of feature or bug in their software that sends more information to their servers than it should.

Having said that, this would be extremely unlikely to happen with the private keys or the seed as those bits never leave the device. Well, in theory anyway.

As above, it almost certainly perfectly safe.

If this was bitcoin only and you wanted to be really paranoid, you could create your own entropy using coin flips, convert it to a seed phrase, wipe your hardware device, set it up as a new device using an airgapped computer, recover from your manually created seed phrase, use an open source tool to confirm the addresses generated are indeed derived from your manually created seed phrase, and send your bitcoin to your now airgapped hardware wallet. However, I have no idea if this is even possible with most altcoins since they don't have their own standalone wallet, or if Ledger Live would even support moving unsigned/signed transactions back and forth between devices.

Seems to have been confirmed by Ledger co-founder in this Reddit post: https://www.reddit.com/r/ledgerwallet/comments/kwhyky/ledger_security_notice/gj4dcal/

It does affect security of you and your ledger because scammers know all your information, name, address and phone number, and ledger should be blamed for poor security.
I don't know how else to say than - affected security.
Same thing could potentially happen with their 'secure element' leak or something else, because they hired bunch of amateurs and shitty partners.

The leak affected the privacy of their user. It does not directly affect the security of their devices. The post I replied to was to ask if it's secure to continue storing the funds within Ledger.

I won't discuss how they operate as a company because that wouldn't be related to their data leak. Objectively speaking, yes. The loss of privacy could to some extent lead to them being more vulnerable to spear phishing, targeted attack and stuff like that. But how would it affect the security of their devices? Can you obtain the private keys and/or the seeds from the devices with that information alone? If you could, that would be in conjunction with some forms of social engineering attack and/or $5 wrench attack (though I heavily dispute that but I don't live in the same region as most of these users).

All you need is to know exact location and place where owner of that device is living to affect security of their device.

And as I said before, who can guarantee that closed source secure element holding that private keys would not leak some data, when we know what ledger amateurs are dealing with all this.

And what exactly does it mean when they say they will remove 24 words with some 'technical solution'?

I think that all the e-mails from Ledger, legit or not, are going to my spam folder.
This approach allows me have less concerns about that issue.
Since I use that mail address for many other things I cannot discontinue it, but marking all this crap as spam was the least I can do.

I wouldn't care to read their legit mails either, so it's not a big loss...



It's "remove the 24 words as the single pillar of the security". But I don't know what they really mean, maybe add custom words, maybe encrypt, ... my guess that they'll all more "pillars"  ;D
However, was this mail actually legit or not?!

The Shopify leak involved 200 different merchants. It seems that only Ledger was affected from the crypto niche. There is no public list of other businesses. 

I am beginning to doubt that financial information, aka credit card/banking info is still safe. Hopefully this leak wont spill over to people getting charged on their credit cards or having their PayPal accounts emptied. For now that doesn't seem to be the case.

However, there are stories like these in connection to the Shopify leak:

https://community.shopify.com/c/Shopify-Discussion/Incident-Update/td-p/888971/page/2

https://community.shopify.com/c/Shopify-Discussion/Incident-Update/td-p/888971/page/3

Although there are claims of credit cards being charged, Shopify replied that making charges with cards isn't possible:

https://community.shopify.com/c/Shopify-Discussion/Incident-Update/td-p/888971/page/4

They're not removing the 24 words... they're removing the 24 words as the "the single pillar of the security of our hardware wallets".

Essentially, it sounds like they're trying to (or have already) come up with some fancy way of protecting your wallet (and/or backups/seeds) that doesn't just rely on a user writing down 24 words etc. It's difficult to say what they're thinking... possibly something similar to the "blind oracle" thing that Blockstream are using for their "Jade" wallet that requires some form of external confirmation? ???

Also, quite what they mean by "and will open the door to funds insurance for individual customers" is anyone's guess. Sounds like a way to generate ongoing revenue by "selling" insurance to users ::)

Based on the quality of Ledger Live... I'm not going to hold my breath that their "technical solution" is actually a solution to any problem that I currently have... or that it even works. ::)

You mean how many Ledger devices you own, right? Not how much crypto you own. There is no a way a thief could ascertain the latter simply from a retail database hack.

True, but we cannot guarantee that any piece of software or hardware is completely secure. Even something like Bitcoin Core, which has thousands of sets of eyes looking at it constantly, occasionally throws up some critical vulnerability which needs rapidly patched.

Agreed. I suspect that the majority of users will fall in to one of two groups with any such proposed solution:
1) Know what they are doing and therefore have no requirement to use whatever 2FA or additional protection this system will provide
2) Use this new system without really understanding it, and then flood this forum and Reddit with complaints when they are unable to recover their coins because they have lost their 2FA or whatever it is

Far better to just teach people how to properly use the industry standard than to confuse things by adding in your own unnecessary system on top.

A 13th/25th word doesn't make sense though, since Ledger devices already support passphrases. Just navigate to Settings -> Security -> Passphrase, and you can either set a temporary one which will be forgotten as soon as you unplug your Ledger, or you can set a permanently one and attached it to a second PIN. Details here: https://support.ledger.com/hc/en-us/articles/115005214529-Advanced-passphrase-security

I'm expecting either a "traditional" 2FA (which you can achieve with a Ledger device already by using Electrum if you are so inclined), or some other form of multi-sig set up where they hold one of your keys. The problem with any multi-sig set up is that it involves placing trust in Ledger to both store your key(s) securely and never have their servers go down or go out of business.

I really doubt ledger will create any good solution after all this mess and they will probably just add one more confusion layer on top, but lets wait and see, I enjoy to watch all this circus 🤡

Thanks to the recent leak, people are now starting to receive more and more voice call threats or unknown people are offering their "security services" to help them secure Ledger in well known mafia style, like we see with tech support scams.

Here is what Andreas Antonopoulos say about this issue, and he pointed out that simple changing of phone number can be a double-edged sword as scammers can still hijack and use your old number:
https://twitter.com/aantonop/status/1350062483692687362

I agree with this. Somehow this is way beyond they could manage and they go from bad to worse.
I don't know what advisors they have, if any, but the decisions they make don't help. As you said, they just confuse their customers even more.
Even myself, I thought at first that this later mail is from malicious third party. But no, they seem to de doing this by themselves... So sad...

What a fiasco!  Confirms my HATE for closed source.  My .02

How is this in any way related to open source/closed source? ???

The initial hack occurred because of a misconfigured 3rd Party API key... and the Shopify leak was because of an "evil maid"... neither of those things would have been prevented by Ledger having open source products. ???

Now they found that 750k emails from 1 million leaked emails from ledger, are also found in other breaches as reported on haveibeenpwned.com website!
They can all be matched with 730k real names, 625k phone numbers, 541k real addresses, 482k IP addresses, 20k wallet balances of BTCE, 10k passport numbers... and what is interesting for us is 10k Bitcointalk forum usernames and website activity.

I think one solution for avoiding something like this happening in future is using multiple email address with different aliases, especially when you are ordering anything from internet.

click to enlarge image:
https://i.ibb.co/9Hqm7j5/pic4.jpg (https://i.ibb.co/8gjnHVZ/pic4.jpg)
https://twitter.com/yeolddoc/status/1353139243548364805

 

Ledger company and their partners Shopify are going to be busy in court for some time because class action lawsuit is filled against them by law firm Roche Freedman on April 6 in San Francisco.
The same law firm is known from before when they had class actions against Binance exchange and Tron, and we are finally going to see who is really responsible for Ledger database leaks.
No comment from Ledger so far, and you can read all the lawsuit details in this 43 pages long scribd document:
https://www.scribd.com/document/502073705/Ledger-Shopify-Complaint

As stated by The Block (https://www.theblockcrypto.com/post/100860/ledger-shopify-class-action-lawsuit-filed) in its post:

That's exactly what I'm thinking.

The prosecution will have to prove that Ledger was aware of the extent and size of the breach from the very beginning beyond a reasonable doubt. Unless someone testifies and confirms this or there are documents that can prove that Ledger knew the size of the breach, I think they might get away with it and claim we simply didn't know. When we found out, we informed the general public. It's certainly going to be an interesting case to follow. 

Yeah... unfortunately, there will probably also be the requirement to prove "willful negligence" on the part of Ledger and Shopify with regards to their security practices and whether the hack was due to them being negligent, or just the "hackers" being clever/abusing 0day vulnerabilities etc... will be interesting to see how those "Liability" disclaimers in the Terms of Service etc hold up in court.

I'm also a little confused as I've seen somewhat conflicting information that this "hack" was actually an inside job conducted by one or more Shopify employees who abused their position to access/copy the data and then sell it on the black market.

Which seems somewhat at odds with the reports of the "bug bounty" that some guy found a "misconfigured" API key that enabled external access etc.

I always thought that the Spotify breach was a separate incident to what happened to Ledger. Maybe because the public was first made aware that Ledger's database got hacked/leeked, and only after that we discover that it was due to Shopify's personnel that the database was stolen in the first place (allegedly).

In this report, (https://www.ledger.com/blog/update-efforts-to-protect-your-data-and-prosecute-the-scammers) Ledger claims they were made aware that there was a breech through a third-party API key in July 2020. Back then, they were still suspecting that complete details of only 9.500 customers were leeked + 1 million emails. They went public and informed people what happened, or more precisely, what they though had happened.

The article goes on to mention that it wasn't until December 2020 that they found out that the breech was much bigger. Shopify informed them that records of Ledger users were among 200 other merchants that were affected by those rogues Shopify employees.

If Ledger manages to prove they took appropriate measures between July-December 2020 based on the data they had and that they weren't lying, the repercussions might not be that severe. They will still have to answer how it was possible that they didn't discover the malicious API key that exported the data and why their customer's personal information wasn't encrypted or deleted. They might claim that the responsibility to store client information was Shopify's duty, not Ledger's. The fact they had a bug bounty might be seen as a mitigating measure, and that they showed an interest in strengthening their systems. We will have to see whether or not that holds up in court.     

This was my understanding as well. I believe that there was a significant overlap between the two databases which were stolen - Shopify's one and Ledger's own internal one - but that they were not identical and they were accessed by two different individual at different times.

Correct me if I'm wrong, but if we are saying that there were two separate hacks of two different databases, then doesn't that confirm that Ledger were in fact also storing client information? The fact that they said things like "We immediately patched the vulnerability" at the time means that at least one of the hacks was on their own servers and not that of a third party.

We could be wrong thinking there were 2 different leeks. Both Ledger and Shopify mention that data was stolen using an API key.

I think this is the timeline of the entire incident:

1. April - June: Members of Shopify support team steal data of over 200 merchants.
2. July 14: Someone informs Ledger Donjon security team that they have suffered a breach.
3. Ledger claims they "immediately fixed the data breach (https://www.ledger.com/blog/update-efforts-to-protect-your-data-and-prosecute-the-scammers)". I am not sure what this means and what was fixed.
4. After that, they conducted an investigation and discovered that the breach happened through an API key.
5. July 29: Ledger informs the community of the breach and sends a report to law enforcement.
6. September: Shopify releases a statement  (https://community.shopify.com/c/Shopify-Discussion/Incident-Update/td-p/888971) that mentions that data of over 200 merchants were stolen.       
7. December: Spotify informs Ledger that among the records that were stolen by their employees, there were also private records of Ledger users. 

If this is the correct timeline, how did the person who informed Ledger in the bug bounty know about the breach? I remember reading that no data was public at that time (again allegedly). Did the person inspect the faulty API key?

Ledger says:
 
https://www.ledger.com/blog/update-efforts-to-protect-your-data-and-prosecute-the-scammers

These sentences make it sound like Ledger fixed the breach first, then they launched an investigation. It was during the investigation that they discovered the API key. Again, how did they fix the breach before the investigation if the investigation lead to the discovery of the API key?

Ahhhh ok... yeah, an article I was reading a couple of days ago regarding the lawsuit seemed to be implying that the 2 were the same thing... it may have just been the article was poorly written or that I completely misunderstood what they were saying (most likely the later! ;) :P ::) )

On reading this page again - https://www.ledger.com/blog/update-efforts-to-protect-your-data-and-prosecute-the-scammers - it does sound to me like these are two separate incidents.

They wouldn't use the phrase "previous attack" if there had only been one breach, and as I said above, the fact that the databases are not identical means there were two different attacks.

Further down the page, they also highlight their response to the "data breach discovered on July 14th", and separately highlight their response to the "Shopify data breach". It seems to be coincidence that the Ledger hack and the Shopify hack occurred roughly around the same time, explaining why the databases were similar but not identical, but they were indeed two entirely separate incidents.

Did they ever release any details about their new project which was going to replace 12/24 word seed phrases or something along those lines?

The only thing I know is that one of their co-founders confirmed on reddit that users will have a way to insure their cryptocurrencies against theft. It's not going to be based on any software. It will be some sort of hardware solution.

https://www.reddit.com/r/ledgerwallet/comments/kwhyky/ledger_security_notice/

"Hardware based social recovery solution" sounds awful. There are two potential ways I am reading this. Both are bad.

First is that they will make your hardware wallet reveal your seed phrase if you can prove to them you are the real owner. This would require KYC, it would require each hardware wallet to have a unique identifier tied to your real identity, and it would mean you can have your seed phrase stolen via social engineering.

The other is that they will recover your seed phrase for you if you prove your identity and prove ownership of your hardware device. This has all the same issues as above in addition to the huge risk of Ledger storing a copy of your seed phrase (and as we've seen, Ledger databases aren't exactly secure).

Perhaps they have come up with something truly groundbreaking, but a "social recovery solution" sounds like it will create more problems than it solves and be overly complex compared to what we currently have. I mean, how difficult is it to just write down a handful of words and keep them safe?

This social recovery solution will probably be one more ledger attempt to invent warm water again, but they will not release anything if they lose this class action lawsuit.

What is concerning is the fact that you can't find almost any discussion or information about upcoming lawsuit on their reddit page, and I don't know if moderators are deleting posts or not,
but literally every single crypto news reported about this and people want blood.
Ledger Twitter account is also silent about this but I see they have time to tweet about NFT  ::)

https://twitter.com/Ledger/status/1381608198126366731

I think those lawsuits and court proceedings will take a few years before a decision is made or we might even see a settlement between the counterparties.  If there isn't a settlement, don't forget that both sides usually appeal, then that leads to new proceedings, etc., etc.

The fact they aren't talking about it on their social media channels is understandable from their point of view. No one would want to advertise how big of a schmuck he is. Try creating a new discussion on their reddit page (https://www.reddit.com/r/ledgerwallet/) to see whether or not they will remove it.   

Bro get real please, this is not Balkan or Wild West and courts actually work like they should most of the time :D


I didn't say they should start any topics themselves, but it's strange that nobody is talking about that, maybe because they banned everyone on reddit who complained before.
You can get banned even if you ask ledger co-founder why is he spending so much time as reddit moderator. True story.

I know it's not the Wild Balkans but it's still a lengthy process that can take several years. I am not saying it will, but there is that possibility. Ledger is not the only party being sued for something.

Doing a search for "how long does a lawsuit take" delivers results mostly for personal injury claims (for some reason) and those take years as well.
The first result says:

https://macgillivraylaw.com/how-long-does-a-personal-injury-claim-or-lawsuit-take

A different source shows this:
Average Case, 2-5 years
Personal Injury -2-3 years
Medical Malpractice, 2-3 years
Patent Issues, 1-5 years
https://glofin.com/how-long-will-lawsuit-take/

I have seen people received fake ledger devices to steal treir coins, some of them got personal threats, but don't be surprised if you start to receive PulseChain and HexCoin paper promo materials in your mailbox,
in case your home address was leaked in one of previous ledger leaks that includes name, address, email and phone number.
They are now using this database with over 270k addresses that is publicly available and they are sending this crap to everyone they want  :P

https://i.imgur.com/mfouzNX.png