Bitcoin Forum
Author Topic: Fake Security Vulnerability: Ledger Nano X and Ledger Nano S?  (Read 313 times)
vlom (OP)
Legendary
October 25, 2019, 08:20:16 PM
Last edit: October 25, 2019, 08:30:35 PM by vlom
Merited by vapourminer (1), hugeblack (1)
 #1

E-Mail from Ledger: noreply@supportledger.com

Quote
IMPORTANT: Ledger Nano S and Ledger Nano X SECURE RNG CHIP CRITICAL VULNERABILITY
Inside Ledger hardware wallet, we use the Secure Element chip to generate and store the private keys for your crypto assets. Unfortunately, some chips, a limited number, were found to be defective by the external company commissioned by Ledger for the production. The problem identified concerns the lack of a correct source of entropy for use by the random number generator may lead to the generation of predictable sequences of numbers and therefore of private keys by malicious users.
Ledger is actively working on the problem to replace all defective devices. Please check now if your device is defective with the Ledger SE tool.

We apologize for the inconvenience.

This mail was sent to you because your Ledger device could be faulty.
Please download the Ledger SE Cecker tool below and check right now!

With a Link in the E-Mail.

But nothing on the website https://www.ledger.com
And support uses this e-mail: support@ledger.zendesk.com
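
Added example (not part of the original post, and not Ledger tooling): a Python triage of the comparison made by hand above, checking the sender domain and any link hosts against the two genuine domains named in the post. The sample message, its recipient and its download URL are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: only the two domains named in the post count as genuine.
OFFICIAL = ("ledger.com", "ledger.zendesk.com")
BRAND = "ledger"

def classify_host(host):
    """Return 'official', 'lookalike' (brand inside a foreign domain) or 'unrelated'."""
    host = host.lower().rstrip(".")
    if any(host == d or host.endswith("." + d) for d in OFFICIAL):
        return "official"
    return "lookalike" if BRAND in host else "unrelated"

def triage(raw_message):
    """Return (sender_verdict, {link_host: verdict}) for a raw e-mail message."""
    msg = message_from_string(raw_message)
    _name, addr = parseaddr(msg.get("From", ""))
    if "@" in addr:
        sender = classify_host(addr.rsplit("@", 1)[1])
    else:
        sender = "unparseable"
    # Collect text from every non-container part (plain, unencoded bodies assumed).
    body = "\n".join(p.get_payload() for p in msg.walk() if not p.is_multipart())
    hosts = set()
    for url in re.findall(r'https?://[^\s<>"]+', body):
        host = urlsplit(url).hostname
        if host:
            hosts.add(host)
    return sender, {h: classify_host(h) for h in sorted(hosts)}

# Constructed sample: the From address is the one quoted in the post; the
# recipient and the URL are placeholders, since the post does not give them.
SAMPLE = """\
From: Ledger <noreply@supportledger.com>
To: user@example.org
Subject: IMPORTANT: SECURE RNG CHIP CRITICAL VULNERABILITY

Please download the Ledger SE Cecker tool below and check right now!
http://download.example.net/ledger-se-checker
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
    print(classify_host("ledger.zendesk.com"))
```

An "official" verdict here does not prove authenticity, since a From header can be forged outright; the SPF, DKIM and DMARC results recorded by the receiving mail server are the check for that.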
malevolent
can into space
Legendary
October 25, 2019, 08:55:27 PM
 #2

It's a scam. Ledger CTO (/u/btchip) confirmed it on reddit:

https://old.reddit.com/r/ledgerwallet/comments/dn389a/received_email_security_vulnerability_ledger_nano/f57fhf6/

https://old.reddit.com/r/ledgerwallet/comments/dn3ef1/just_got_this_email_and_having_a_hard_time/f57io22/

Not like the last line isn't a dead giveaway anyway.

bitmover
Legendary
October 26, 2019, 01:22:45 AM
 #3

You did the right thing. Check the official website before doing anything.
Personally, I never plug in my hardware wallet, just when I need to do transactions (few times a year).
Never plug it just to install something, you don't need. Your coins are safer away from the computer.

hugeblack
Legendary
October 26, 2019, 03:34:28 PM
 #4

The degree of success of this type of fraud depends on the extent of users' anxiety.
People behave irrationally when deciding in haste, so the warning is always strongly worded and recommends fast downloading.
Besides, the user does not verify the official website but follows the link sent to him.

Always check out decentralized sites such as forums, the official site can be hacked.

Pmalek
Legendary
October 27, 2019, 08:06:52 AM
 #5

Could an admin maybe merge this thread and its posts with this one? https://bitcointalk.org/index.php?topic=5196022.0
I just think that all the posts of those two threads should be in one place as they are discussing the same issue.

bL4nkcode
Copper Member
Legendary
October 27, 2019, 10:05:34 PM
Merited by vapourminer (1)
 #6

I wonder how you and/or anyone received that email? I'm a subscriber of ledger and never received such kind of email. Most probably your/their email was used on some cloud minings, bounty campaigns, ico, etc. and was sold to these scammers, that's why people keep receiving emails from scammers.
LTU_btc
Legendary
October 27, 2019, 10:57:27 PM
 #7

I wonder how you and/or anyone received that email? I'm a subscriber of ledger and never received such kind of email. Most probably your/their email was used on some cloud minings, bounty campaigns, ico, etc. and was sold to these scammers, that's why people keep receiving emails from scammers.
I also didn't receive this email. You and I subscribe to emails from Ledger, so it probably means that they received the email of OP and some other people from somewhere else. The Internet is full of offers to buy databases of emails from ICOs, bounties or hacked websites. Also, it's possible that OP posted his email somewhere in public.

vlom (OP)
Legendary
October 28, 2019, 07:13:16 AM
 #8

I did not receive the message in the inbox of the account I used to communicate with Ledger, just in a "spam-account".
Pmalek
Legendary
October 28, 2019, 09:54:27 AM
 #9

I wonder how you and/or anyone received that email?
He used the email in connection with a bounty or airdrop most probably. Just like big_daddy in a different thread.
Yeah, I was using this mail in some bounties and airdrops years ago, not a lot of them, but one wrong is enough, usually I use a telegram bot (TempMail) that is generating an unique email box for bounties and airdrops

All that data is posted freely in the google sheets for bounty campaigns so it is easy for scammers to compile it in a database and do what they want with them.

big_daddy
Hero Member
October 28, 2019, 10:41:21 AM
 #10

I wonder how you and/or anyone received that email?
He used the email in connection with a bounty or airdrop most probably. Just like big_daddy in a different thread.
Yeah, I was using this mail in some bounties and airdrops years ago, not a lot of them, but one wrong is enough, usually I use a telegram bot (TempMail) that is generating an unique email box for bounties and airdrops

All that data is posted freely in the google sheets for bounty campaigns so it is easy for scammers to compile it in a database and do what they want with them.

Yup
That’s true
I checked my address here https://haveibeenpwned.com/
And it’s not good :(

I have to make a new private email...
Shit.

o_e_l_e_o
In memoriam
Legendary
October 29, 2019, 09:18:55 AM
Merited by big_daddy (1)
 #11

I have to make a new private email
You should absolutely be using different email addresses for different things. As well as helping to prevent this kind of thing from happening, it also increases your security as an attacker gaining access to one email account can't try to reset passwords on every online account you own, and it also increases your privacy by not linking your crypto activities to the rest of your details.

Have one email for work/university/school, have one for fiat finances like online banking, bills, credit cards, online shopping, have one for personal things like friends, social media, and have one for financial crypto sites such as exchanges. For everything else, particularly ICOs or bounty campaigns, make a completely new throwaway address or use one of the many temporary email address generators to sign up.

For your main email addresses, you should also be looking to use a privacy respecting provider. Protonmail is widely recommended, but you can find other good providers here: https://www.privacytools.io/providers/email/
big_daddy
Hero Member
October 29, 2019, 09:36:37 AM
 #12

Tnx for the link and for the suggestion
I will consider your advice and take an action asap

Best regards

malevolent
can into space
Legendary
October 29, 2019, 01:05:07 PM
Last edit: October 29, 2019, 01:16:45 PM by malevolent
Merited by o_e_l_e_o (1)
 #13

You should absolutely be using different email addresses for different things. As well as helping to prevent this kind of thing from happening, it also increases your security as an attacker gaining access to one email account can't try to reset passwords on every online account you own, and it also increases your privacy by not linking your crypto activities to the rest of your details.

Just be careful when choosing email addresses as recovery email addresses on each email account so that one compromised account doesn't result in other accounts getting hacked.

vapourminer
Legendary
November 01, 2019, 01:39:35 PM
Merited by malevolent (1)
 #14

You should absolutely be using different email addresses for different things. As well as helping to prevent this kind of thing from happening, it also increases your security as an attacker gaining access to one email account can't try to reset passwords on every online account you own, and it also increases your privacy by not linking your crypto activities to the rest of your details.

Just be careful when choosing email addresses as recovery email addresses on each email account so that one compromised account doesn't result in other accounts getting hacked.

also try to use 2FA on any important email accounts. not a text message to a phone number that can be taken over, something OTP based like google 2fa (or its open source equivalents).

for fun, try to break into your main email accounts on a fresh computer (ie one that's never logged into that email account before) by clicking "forgot password" link and seeing how far you get. you may be surprised.
The Sceptical Chymist
Legendary
November 01, 2019, 01:45:44 PM
 #15

I wonder how you and/or anyone received that email? I'm a subscriber of ledger and never received such kind of email.
I didn't get the e-mail either, but now that I think about it I don't know if I ever gave them my primary e-mail address or not.  How would scammers get access to Ledger's database of e-mail addresses anyway?  Did they get hacked, did Ledger sell them?  Just thinking out loud there.

You should absolutely be using different email addresses for different things.
I'll keep protonmail in mind--I'd never heard of them before.  But boy, I hate using multiple e-mail addresses--I have a couple of different ones, but I don't even use e-mail much anymore so it's a pain in the ass to keep checking several of them.  Fortunately spam filters are so much better than they used to be in the early days of the internet.  I always hated getting adverts for sex toys and Viagra and the like, not to mention all the scam attempts.

Lucius
Legendary
November 01, 2019, 02:00:24 PM
 #16

The Pharmacist, there is another thread with the same topic and it was concluded that there was no hacking on Ledger's email database. The person who received the email in question says the following:

Yeah, I was using this mail in some bounties and airdrops years ago, not a lot of them, but one wrong is enough, usually I use a telegram bot (TempMail) that is generating an unique email box for bounties and airdrops
It’s good to know that other Ledger users didn’t receive this mail cause that can be a proof that nothing inside the Ledger system has been hacked or list leaked

I think Ledger is too serious a company to allow itself to sell its databases like some others (Facebook), and that they make decent money from the sales of their devices. However, all that is needed is a corrupt or perhaps careless employee, because most hacking shows that people are the weakest link when it comes to security.

big_daddy
Hero Member
November 01, 2019, 02:03:34 PM
 #17

Ledger is, from my point of view and experience, a great crypto company

malevolent
can into space
Legendary
November 01, 2019, 11:12:42 PM
Last edit: November 01, 2019, 11:48:55 PM by malevolent
 #18

for fun, try to break into your main emails accounts on a fresh computer (ie one thats never logged into that email account before) by clicking "forgot password" link and seeing how far you get. you may be surprised.

Coinbase (? - probably them, IIRC) had a long guide somewhere instructing users how they can set up their gmail account to make it practically impossible for anyone* ever to recover access should a stranger try to hijack someone's account or should the original owner forget the password. Smaller or lesser known email providers might be more susceptible to social engineering attacks. Same goes for registrars and hosting providers if someone's using an email with their own domain name.

*realistically speaking, google may change their policies, their employee(s) can go rogue, etc.

jerry0
Full Member
February 15, 2020, 09:30:36 PM
 #19

I'm confused here. So they want you to download something but isn't the nano ledger x and s not hackable?
HCP
Legendary
February 17, 2020, 07:20:27 AM
 #20

It's an old warning about an old phishing email that some users received. It attempted to get the user to download something and I believe input their 24 word seed mnemonic.

I'm not actually aware of anyone who fell for this phishing attempt (at least I didn't see anyone posting about having used the "Ledger SE Checker" and then losing all their coins :P)
