Bitcoin Forum

Bitcoin => Hardware wallets => Topic started by: Pmalek on November 12, 2022, 09:09:49 AM



Title: Will Hardware Wallet Manufacturers Leak Customer’s Email Data?
Post by: Pmalek on November 12, 2022, 09:09:49 AM
This is an experiment to see if hardware wallet manufacturers and their 3rd-party newsletter partners will leak customer’s email data. It will be a long-term experiment that began a few days ago. I want to see how safe my email information is with some of the most popular hardware wallet vendors. We all remember the data leaks of Ledger and Trezor. Still, there are also suspicions that popular brands could be sharing or selling data to their 3rd-party partners.

To check that, I have done the following things:

•   I have created brand-new email addresses for each hardware wallet manufacturer.
•   Each email was used to subscribe to that brand’s newsletter (if there is one) and to contact the support team with a random question.
•   I will keep checking the accounts in the following months to see if any spam or 3rd-party emails were received.

Since the email accounts have not and will not be used for anything else, any spam, promotions, or offers I get can only result from the company’s misuse of my data. The goal is to see how safe it is to provide hardware wallet developers with sensitive information and how much of it (if any) will find its way to other places.

The following hardware wallet brands are being tested:

•   BitBox
•   Blockstream Jade
•   ColdCard
•   Foundation
•   KeepKey
•   Keystone
•   Ledger
•   OneKey
•   SafePal
•   Satochip
•   Trezor

I will try to update this thread with the latest information after 1, 3, and 6 months of waiting.

After that, the experiment ends. What do you think? Will I get any spam emails, and who is the likely culprit causing it? Many email providers delete messages classified as spam that end up in spam folders after 10 or 30 days, for example, so I will try to log in to the various places to check if there is anything new there.


Title: Re: Will Hardware Wallet Manufacturers Leak Customer’s Email Data?
Post by: jackg on November 12, 2022, 09:32:11 AM
Do you remember what happened to bitmex a few years ago (2019)? Their customer relations manager resigned (I think) by sending an email to everyone in the mailing list with their newsletter in a way they could all see each other's email addresses: https://blog.bitmex.com/email-privacy-issue-what-is-happening-and-how-can-we-help/

If their mailing providers are hacked, I wouldn't be surprised at this point though - it seems to be a target for attackers (especially customer support).


Title: Re: Will Hardware Wallet Manufacturers Leak Customer’s Email Data?
Post by: Pmalek on November 12, 2022, 01:36:38 PM
Do you remember what happened to bitmex a few years ago (2019)? Their customer relations manager resigned (I think) by sending an email to everyone in the mailing list with their newsletter in a way they could all see each other's email addresses: https://blog.bitmex.com/email-privacy-issue-what-is-happening-and-how-can-we-help/
I don't remember that particular case, but it can serve as proof of how one individual or a small group of people can seriously affect a company's reputation. When something like that happens, no one will remember the incident as the time when <insert the manager's name here> leaked thousands of email addresses amongst other BitMex users. It will forever be remembered as the case when BitMex messed up and caused a severe data leak that affected most of their userbase.


Title: Re: Will Hardware Wallet Manufacturers Leak Customer’s Email Data?
Post by: SFR10 on November 12, 2022, 03:18:59 PM
What do you think? Will I get any spam emails,
Now that you've laid your plans on the table, I'm no longer sure it could lead to accurate results [since some of them have representatives on this forum, it would've been better not to disclose it until a month or a few has passed].

and who is the likely culprit causing it?
Cough... Led... Cough... ger :P


Title: Re: Will Hardware Wallet Manufacturers Leak Customer’s Email Data?
Post by: dkbit98 on November 12, 2022, 06:25:22 PM
After that, the experiment ends. What do you think? Will I get any spam emails, and who is the likely culprit causing it? Many email providers delete messages classified as spam that end up in spam folders after 10 or 30 days, for example, so I will try to log in to the various places to check if there is anything new there.
I have been using a separate email address for each new signup I make for the last few years, not just cryptocurrency related, and it makes a huge difference.
This is just an email subscription, so it's not as serious as when you actually purchase their devices and send them your payment with name and shipping address.
Some of them already leaked information like Ledger and Trezor partially, but I never received any phishing emails on Trezor email.
My bet is on ledger to get hacked again, if they don't collapse before like their partners FTX.


Title: Re: Will Hardware Wallet Manufacturers Leak Customer’s Email Data?
Post by: Pmalek on November 12, 2022, 06:45:58 PM
Now that you've laid your plans on the table, I'm no longer sure it could lead to accurate results [since some of them have representatives on this forum, it would've been better not to disclose it until a month or a few has passed].
Nah, I don't see this test bothering them in any way to make them change their habits, improve their security, or try to find the subscribers who signed up in the last days and kick them out of their mailing lists and their internal databases to try to influence the results of this experiment. 

This is just an email subscription, so it's not as serious as when you actually purchase their devices and send them your payment with name and shipping address.
True, but it's still hackable data that is sitting on some servers somewhere, potentially with third parties despite what happened to Shopify and MailChimp.

My bet is on ledger to get hacked again, if they don't collapse before like their partners FTX.
I don't think I will get anything out of the ordinary from any company besides the usual newsletter updates.


Title: Re: Will Hardware Wallet Manufacturers Leak Customer’s Email Data?
Post by: DaveF on November 12, 2022, 06:47:22 PM
Part of the issue is going to be WHERE you created the emails and what their anti-spam settings are AND what their email harvesting settings are and how long an address you used. I am really aggressive with my settings you get 5 chances to send to dave@------.com per IP in 1 hour, go over that you are banned for 30 days. With a lot of the big players you can try 1000s of times before getting slowed (not banned) for 6 hours. Multiply that by the hundreds of thousands of compromised servers out there trying to bulk send and unless you are using a really long address you will be getting spam in under a year.

There have been discussions at tech conferences over the years about how bad the big players in the industry are with this.

Not knowing who you used, if you went with one of the big players of free email:
If you don't get spam, then you can be confident that the manufacturers did not leak / sell the info.
If you do get spam, it's a tough thing to prove, unless you do it again with another provider that is more aggressive with blocking.

If you went with another provider, you can ignore everything I just said ;-)

-Dave


Title: Re: Will Hardware Wallet Manufacturers Leak Customer’s Email Data?
Post by: Pmalek on November 12, 2022, 07:48:05 PM
Part of the issue is going to be WHERE you created the emails and what their anti-spam settings are AND what their email harvesting settings are and how long an address you used.
Interesting feedback. I hadn't thought about that nor do I know much about it. I used 7 different email providers. All of them are free (obviously), so I did spread it around randomly. That could somewhat affect the results, but like you said, if I get spam, I can always try with a different email provider. But if I don't get spam the second time, that can also be for different reasons. Maybe there was a leak and they fixed it in the meantime, or the second provider just has better anti-spam settings that prevented the spam from reaching me, right? When it comes to the length of the email addresses, without revealing too much, they are all 9 characters+ (not counting the @ and domain name). The shortest one is 9 characters.

I am really aggressive with my settings you get 5 chances to send to dave@------.com per IP in 1 hour, go over that you are banned for 30 days.
Are you using a self-hosted service or do the usual big players allow users to configure such settings manually? 

Not knowing who you used, if you went with one of the big players of free email:
If you don't get spam, then you can be confident that the manufacturers did not leak / sell the info.
If you do get spam, it's a tough thing to prove, unless you do it again with another provider that is more aggressive with blocking.

If you went with another provider, you can ignore everything I just said ;-)
Both popular and less popular email service providers were used in the experiment. I can reveal all the names at the end.


Title: Re: Will Hardware Wallet Manufacturers Leak Customer’s Email Data?
Post by: Coin-Keeper on November 12, 2022, 08:48:23 PM
As I was reading through this thread I was questioning the "where" you set your email accounts up as being a factor!  For actual use on my end I use tutanota for my hardware wallet contact info.  I have never seen an email from 3rd party yet.  In fairness those are really secure against ads.

I applaud this test by you.  Looking forward to reading the results.


Title: Re: Will Hardware Wallet Manufacturers Leak Customer’s Email Data?
Post by: DaveF on November 12, 2022, 08:54:05 PM
I am really aggressive with my settings you get 5 chances to send to dave@------.com per IP in 1 hour, go over that you are banned for 30 days.
Are you using a self-hosted service or do the usual big players allow users to configure such settings manually? 

It's self hosted smartermail, they offer a 1 domain, 10 user free edition: https://www.smartertools.com/smartermail/business-email-server

I don't know where you are and what internet provider you use but, if they offer a static IP and allow you to open port 25 for incoming and outgoing mail, you can run one yourself.

And actually I made a mistake, have it set to 5 bad addresses in 5 minutes before I block you for a month.

None of the big players do, since, let's face it, as the saying goes, if you don't pay for it you are the product. GMail, Yahoo, etc. all rely on showing you ads based on your email. So getting as much to you as possible is in their best interest.

-Dave


Title: Re: Will Hardware Wallet Manufacturers Leak Customer’s Email Data?
Post by: Pmalek on November 13, 2022, 07:34:56 AM
As I was reading through this thread I was questioning the "where" you set your email accounts up as being a factor!  For actual use on my end I use tutanota for my hardware wallet contact info.  I have never seen an email from 3rd party yet.  In fairness those are really secure against ads.
I like Tutanota as well. It might seem a bit confusing to newbies in the beginning since they encrypt the emails you send and you have to password-protect them. I haven't checked to see if that feature can be turned off in the settings. Anyways, if you are sending an email to someone via Tutanota, you also need a way to inform the other party about the decryption password, otherwise they won't be able to open and read the message.

Let's just say that Tutanota may or may not be part of this experiment. I leave it to everyone's imagination.  ;D


Title: Re: Will Hardware Wallet Manufacturers Leak Customer’s Email Data?
Post by: Pmalek on December 16, 2022, 07:43:40 AM
Update #1:

More than 1 month has passed since this experiment began. I have checked the email addresses several times during this period and the last inspection was just a few minutes ago. Besides the standard newsletters, there hasn't been one spam message or a 3rd-party email sent to any of the email addresses used for this experiment.


Title: Re: Will Hardware Wallet Manufacturers Leak Customer’s Email Data?
Post by: m2017 on December 16, 2022, 03:34:26 PM
Update #1:

More than 1 month has passed since this experiment began. I have checked the email addresses several times during this period and the last inspection was just a few minutes ago. Besides the standard newsletters, there hasn't been one spam message or a 3rd-party email sent to any of the email addresses used for this experiment.
Congratulations to the hardware wallet manufacturers, the first stage has been passed. But a little time has passed and I think that by the end of the experiment everything can change and we will find out which company has a bad conscience. You can listen to their assurances that user data is safe, but it’s better to check it in the way Pmalek came up with.

I hope that the representatives of these manufactories don't follow your topic and don't deliberately hold back their 3rd-party from mailing. :)



Title: Re: Will Hardware Wallet Manufacturers Leak Customer’s Email Data?
Post by: SFR10 on December 16, 2022, 04:00:20 PM
Besides the standard newsletters, there hasn't been one spam message or a 3rd-party email sent to any of the email addresses used for this experiment.
I'm glad there haven't been any spam messages, but perhaps you should go a step further and make fake purchases [those emails are usually collected in the very first part (out of two or three) of making the purchase] to see if the results would still remain the same after a month...

Any plans to expand the list to less popular brands that have been popping out in recent months?


Title: Re: Will Hardware Wallet Manufacturers Leak Customer’s Email Data?
Post by: Pmalek on December 17, 2022, 07:30:22 AM
I hope that the representatives of these manufactories don't follow your topic and don't deliberately hold back their 3rd-party from mailing. :)
No, the email newsletters are coming in just fine. It's certainly not something they would consider important enough to try to manipulate.

I'm glad there haven't been any spam messages, but perhaps you should go a step further and make fake purchases [those emails are usually collected in the very first part (out of two or three) of making the purchase] to see if the results would still remain the same after a month...
I could extend the experiment to that as well. I thought the order had to be completed and paid for before the data got submitted and stored in their servers, but you are right, they might collect those even before the customers make the payments. Thanks for the tip.

Any plans to expand the list to less popular brands that have been popping out in recent months?
No, not for now. As you said yourself, they aren't that popular and don't hold a significant market share. I would like to keep the focus on the manufacturers that matter the most.


Title: Re: Will Hardware Wallet Manufacturers Leak Customer’s Email Data?
Post by: DaveF on December 17, 2022, 01:53:34 PM
Can you check the headers of the emails and see where newsletters are coming in from?
Although it was about something else, a lot of places do not do their own mass emails and send the work out, when you do you wind up with things like this:

Wonder if this is related or not: https://www.cointracker.io/blog/sendgrid-data-breach

Locking the front door and rolling down the security gate when you leave the store is all well and good, but did you check the window in the bathroom to make sure it's locked?
If they are not sending themselves then it may actually be worse than selling your data since at least someplace they will have some sort of an idea of who they sold it to.

-Dave


Title: Re: Will Hardware Wallet Manufacturers Leak Customer’s Email Data?
Post by: Pmalek on December 17, 2022, 02:51:22 PM
I will check that as well. I am sure some manufacturers have outsourced this task of sending newsletters to a marketing company and don't do the email sending themselves. I initially didn't consider differentiating between a leak that happened with a mass marketing agency that works with 100s of different companies and a leak that occurred from the servers of one particular hardware wallet manufacturer.

A breach is a breach, but in reality there is a difference. Getting your hands on the data of 100s of different big and small companies with millions of customers is worth more than just one hardware wallet brand with 100-200k of customers.         


Title: Re: Will Hardware Wallet Manufacturers Leak Customer’s Email Data?
Post by: LoyceV on December 17, 2022, 03:29:34 PM
6 months
~
After that, the experiment ends.
That's not enough, you should check back 5 years from now. If they leak private data, it's not very likely to happen every few months.

Quote
Many email providers delete messages classified as spam that end up in spam folders after 10 or 30 days, for example, so I will try to log in to the various places to check if there is anything new there.
Set a forward to one address to easily check them?


Title: Re: Will Hardware Wallet Manufacturers Leak Customer’s Email Data?
Post by: Pmalek on December 17, 2022, 04:12:50 PM
That's not enough, you should check back 5 years from now. If they leak private data, it's not very likely to happen every few months.
I will try to remember that unless the suffered brain damage from the imminent nuclear or biological war isn't as severe as I think they could be and I end up forgetting.

Set a forward to one address to easily check them?
That's a smart suggestion, but I don't know how reliable that is and if all emails will be forwarded including spam. I have never played around with email forwarding. I have used 6 different email clients, so there is also that.   


Title: Re: Will Hardware Wallet Manufacturers Leak Customer’s Email Data?
Post by: joniboini on December 19, 2022, 01:21:59 AM
That's a smart suggestion, but I don't know how reliable that is and if all emails will be forwarded including spam. I have never played around with email forwarding. I have used 6 different email clients, so there is also that.   
AFAIK, some providers allow you to label, auto-filter, and make a folder for e-mails coming from a specific domain. Based on my experience, Proton is one of them. Some reports claim that their filter is not the best though, so that's that. I'm sure other providers have more or less the same thing, so you might want to check them out. Most of them provide this feature for free, so there's no need to pay. CMIIW.

I will try to remember that unless the suffered brain damage from the imminent nuclear or biological war isn't as severe as I think they could be and I end up forgetting.
Have you considered doing this experiment with another member? So, using a shared e-mail for example. I don't know how complicated it would be if privacy issues are getting involved though. It is unfortunate but I agree with Loyce that an experiment like this needs a long time before you can see any result.


Title: Re: Will Hardware Wallet Manufacturers Leak Customer’s Email Data?
Post by: Pmalek on December 19, 2022, 07:28:39 AM
AFAIK, some providers allow you to label, auto-filter, and make a folder for e-mails coming from a specific domain.
That doesn't help me when it comes to spam emails. It could be useful for labelling the domains that send the official newsletters, but I can't possibly know where the spam could originate from and make a label for that. 

Have you considered doing this experiment with another member? So, using a shared e-mail for example.
No, not really. What difference would it make to the results if two or three people were involved in the experiment and shared the email addresses? Or maybe it's a thing of trust? If two people said there were no spam messages or there were spam messages, it's more believable than if just one person claims it.


Title: Re: Will Hardware Wallet Manufacturers Leak Customer’s Email Data?
Post by: Pmalek on December 21, 2022, 10:56:55 AM
Can you check the headers of the emails and see where newsletters are coming in from.
I just checked this and wanted to reply back.

These hardware wallet manufacturers send the emails themselves:

- BitBox (Shift Crypto)
- Blockstream
- Coldcard (Coinkite)
- Foundation Devices
- KeepKey (ShapeShift)*
- Keystone*
- Ledger*
- Satochip*
- Trezor

These hardware wallet manufacturers send the emails through a 3rd-party service:

- OneKey (Zendesk)*
- SafePal (Zendesk)*

* No newsletters, only emails received from support.

On a different note. @n0nce I think you will be pleased to know that the last email I received from Foundation a few days ago also contains a link to your Bitcointalk review of the device. ;)
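
The header check discussed above can be combined with the one-address-per-vendor method from the opening post. The following is an added example, not part of the thread: it reads the `Authentication-Results` header stamped by the receiving provider and sorts each message into direct, via a processor, suspected spoof, or leak indicator. All addresses, domains and the authserv-id `mx.inbox.example` are constructed placeholders, and the inventory layout is an assumption.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed inventory: one canary address per vendor, plus the domains that
# are expected to mail it (the vendor itself and any disclosed processor).
CANARIES = {
    "hw-a-7f3k@inbox.example": {"own": {"vendor-a.example"}, "processors": set()},
    "hw-b-q91x@inbox.example": {"own": {"vendor-b.example"},
                                "processors": {"helpdesk.example"}},
}
TRUSTED_AUTHSERV = "mx.inbox.example"  # assumed authserv-id of our own provider


def within(domain, allowed):
    """True if domain equals, or is a subdomain of, any allowed domain."""
    domain = domain.lower().rstrip(".")
    return any(domain == a or domain.endswith("." + a) for a in allowed)


def passed_dkim_domains(msg):
    """Collect header.d of dkim=pass results, but only from the
    Authentication-Results header stamped by our own provider; a copy
    supplied by the sender proves nothing and is skipped."""
    found = set()
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, results = " ".join(str(value).split()).partition(";")
        if authserv.split(" ")[0].lower() != TRUSTED_AUTHSERV:
            continue
        for result in results.split(";"):
            m = re.search(r"\bheader\.d=([\w.-]+)", result, re.I)
            if m and re.search(r"\bdkim=pass\b", result, re.I):
                found.add(m.group(1).lower())
    return found


def classify(raw):
    msg = message_from_string(raw, policy=policy.default)
    rcpt = parseaddr(str(msg.get("Delivered-To", "")))[1].lower()
    entry = CANARIES.get(rcpt)
    if entry is None:
        return "not-a-canary"
    from_dom = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2]
    signed = passed_dkim_domains(msg)
    claims_vendor = within(from_dom, entry["own"])
    if claims_vendor and any(within(d, entry["own"]) for d in signed):
        return "vendor-direct"
    if any(within(d, entry["processors"]) for d in signed):
        return "vendor-via-processor"
    if claims_vendor:
        return "spoof-suspect"      # vendor name in From, no aligned signature
    return "leak-indicator"         # someone else knows the canary address


def sample(rcpt, sender, *auth):    # builds constructed test messages
    headers = [f"Delivered-To: {rcpt}", f"From: {sender}", "Subject: test"]
    headers += [f"Authentication-Results: {a}" for a in auth]
    return "\n".join(headers) + "\n\nbody\n"


A, B = "hw-a-7f3k@inbox.example", "hw-b-q91x@inbox.example"
SAMPLES = {
    "newsletter": sample(A, "Vendor A <news@vendor-a.example>",
                         "mx.inbox.example; dkim=pass header.d=vendor-a.example"),
    "support": sample(B, "support@vendor-b.example",
                      "mx.inbox.example; dkim=pass header.d=helpdesk.example"),
    "forged": sample(A, "security@vendor-a.example",
                     "mx.inbox.example; dkim=none",
                     "relay.other.example; dkim=pass header.d=vendor-a.example"),
    "promo": sample(A, "deals@promo.example",
                    "mx.inbox.example; dkim=pass header.d=promo.example"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:10s} -> {classify(raw)}")
```

A `vendor-via-processor` verdict only shows that the mail was signed by the processor's domain; on a shared platform that alone does not identify which of the processor's customers sent it.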


Title: Re: Will Hardware Wallet Manufacturers Leak Customer’s Email Data?
Post by: Lillominato89 on December 26, 2022, 02:17:03 PM
hi pmalek, I'll try to give you some feedback, I've had a Safepal for more than two years now, and so far never received an email from safepal for promotions or even from third-party services that could lead to a data leak, the only notifications i get from safepal come from their discord server. I hope it can help you in your experiment, and I will continue to follow this topic as I find it very interesting


Title: Re: Will Hardware Wallet Manufacturers Leak Customer’s Email Data?
Post by: n0nce on December 26, 2022, 02:57:18 PM
On a different note. @n0nce I think you will be pleased to know that the last email I received from Foundation a few days ago also contains a link to your Bitcointalk review of the device. ;)
Wow, that's amazing! So they did read it. I guess there was no reply like last time; probably 'nothing to add'. :P

Just checked my dedicated BTC newsletter email address (maybe general recommendation for this thread: separation of concerns (https://en.wikipedia.org/wiki/Separation_of_concerns) can be applied to email, as well).


Title: Re: Will Hardware Wallet Manufacturers Leak Customer’s Email Data?
Post by: Pmalek on December 26, 2022, 04:29:20 PM
I've had a Safepal for more than two years now, and so far never received an email from safepal for promotions or even from third-party services that could lead to a data leak, the only notifications i get from safepal come from their discord server.
That's probably because Safepal doesn't send a weekly/monthly newsletter like some other hardware wallet companies. If you take a look at my previous reply just above your post, you will see a list I made that also mentions which brands have newsletters and which don't. Safepal is among those that don't. At least I didn't find a link to subscribe to a newsletter back when the experiment started.


Title: Re: Will Hardware Wallet Manufacturers Leak Customer’s Email Data?
Post by: Lillominato89 on January 14, 2023, 07:49:18 AM
That's probably because Safepal doesn't send a weekly/monthly newsletter like some other hardware wallet companies. If you take a look at my previous reply just above your post, you will see a list I made that also mentions which brands have newsletters and which don't. Safepal is among those that don't. At least I didn't find a link to subscribe to a newsletter back when the experiment started.

sorry for the reply after a long time, i didn't see that you replied to my comment, i never got to see if safepal also offers a newsletter service. actually i refuse all newsletters regardless and therefore i ignore the subscription step to newsletters 99.9% of the time. Anyway, do you have any news about your experiment? You haven't updated this thread in a while


Title: Re: Will Hardware Wallet Manufacturers Leak Customer’s Email Data?
Post by: Pmalek on January 14, 2023, 08:06:14 AM
Anyway, do you have any news about your experiment? You haven't updated this thread in a while.
I mentioned in the OP I would post updates after 1, 3, and 6 months. The 1-month update was posted on 16 December 2022. So, we are now about 2 months into the testing. Everything is calm and nothing out of the ordinary is happening thus far. I will perform another check today or tomorrow in search of spam and unwanted content.


Title: Re: Will Hardware Wallet Manufacturers Leak Customer’s Email Data?
Post by: Pmalek on February 15, 2023, 05:45:22 PM
Update #2:

It's now been more than 3 months since the experiment with hardware wallet manufacturers began. I checked all emails just now and there is nothing negative to report. Besides the updates from the companies and the usual notifications that some email providers send, there is no spam anywhere.


Title: Re: Will Hardware Wallet Manufacturers Leak Customer’s Email Data?
Post by: Welsh on February 15, 2023, 06:55:10 PM
Honestly, you don't need to give them any legitimate email. However, depending on how you pay for it they could have more sensitive details about you. Although, I'd like to think if you trust them in manufacturing a hardware wallet, you'd trust them with your data. Obviously, open source wallets are definitely better in that regard as it limits the trust element somewhat.

Having said that, just because a company doesn't sell your data today, doesn't mean they won't start in the future. Especially, if they plan on not manufacturing the hardware wallets anymore, and decide to move along. Although, I appreciate the effort. I've done similar experiments for companies in the past, and it's actually quite surprising to learn that a lot of companies sell your data, and it's easy to prove with a unique email address.


Title: Re: Will Hardware Wallet Manufacturers Leak Customer’s Email Data?
Post by: Pmalek on February 16, 2023, 08:07:51 PM
Having said that, just because a company doesn't sell your data today, doesn't mean they won't start in the future. Especially, if they plan on not manufacturing the hardware wallets anymore, and decide to move along. Although, I appreciate the effort. I've done similar experiments for companies in the past, and it's actually quite surprising to learn that a lot of companies sell your data, and it's easy to prove with a unique email address.
I am certain that selling or sharing sensitive data for whatever reason is a common thing among big companies. But a leak like the ones we saw from Ledger or some third-party services that deal with hardware wallet manufacturers can also cause problems. I remain positive that nothing bad will happen though.


Title: Re: Will Hardware Wallet Manufacturers Leak Customer’s Email Data?
Post by: Pmalek on January 25, 2024, 02:59:59 PM
I started this thread back in November 2022 by creating new email addresses and contacting hardware wallet manufacturers to see if any of them would leak any of my fake data. Sadly, Trezor has become the infamous winner in this category. I received a phishing email yesterday following the hack of their email provider. 

https://www.talkimg.com/images/2024/01/25/kF7sq.jpeg