Bitcoin Forum
Author Topic: Trezor&Ledger customer data leak?  (Read 256 times)
Csmiami (OP)
May 24, 2020, 04:36:09 PM
Merited by o_e_l_e_o (1)
 #1

Earlier today, I saw a tweet from Trezor, saying that there had been some rumours about their client database being hacked and leaked. I was about to post about it now, and mistakenly entered Ledger's Twitter account when trying to copy Trezor's tweet; and much to my surprise, the same tweet shows up!

Quote from: Trezor
There are rumors spreading that our eshop database has been hacked thru a Shopify exploit. Our eshop does not use Shopify, but we are nonetheless investigating the situation. We've been also routinely purging old customer records from the database to minimize the possible impact.

Quote from: Ledger
Rumors pretend our Shopify database has been hacked through a Shopify exploit. Our ecommerce team is currently checking these allegations by analyzing the so-called hacked db, and so far it doesn’t match our real db. We continue investigations and are taking the matter seriously.

Yes, I'm aware it's not a 100% copy-paste tweet, and the timestamp is not the same for both tweets. But it's still unsettling news to hear (even if both claim there has been no leak).

"With e-currency based on cryptographic proof, without the need to trust a third party middleman, money can be secure and transactions effortless." -- Satoshi
bob123
May 24, 2020, 05:11:31 PM
 #2

AFAIK both of them don't use shopify.
I really wonder in what way this could have any impact on them.

I'm definitely going to follow this, but my first guess would be that neither trezor nor ledger is affected by this.

o_e_l_e_o
May 24, 2020, 07:29:05 PM
Merited by bob123 (3), ABCbits (2), Csmiami (2), Despairo (1)
 #3

The attacker in question is claiming to have the databases not just of Ledger and Trezor, but also KeepKey, Loanbase, Bitbond, BnkToTheFuture, and a variety of others. As you say though, no proof so far and both Ledger and Trezor deny anything matches with their database.

Quote from: bob123
AFAIK both of them don't use shopify.

Ledger does. It states here that their webshop is hosted by Shopify (https://shop.ledger.com/pages/other), and if you visit their shop and open developer tools, you'll see requests going to cdn.shopify.com.

Worth noting that both Ledger and Trezor allow you to request that they erase any details they hold about you from their databases. Although obviously too late for this hack (if it turns out to be true), it would still be worthwhile erasing your details from their databases.

Quote
You have the right to request access to your Personal Data, their rectification or erasure, as well as the right to request the restriction of the processing or to object to the processing.

Quote
Under Article 15 to 21 of the GDPR, you have the following rights that you are entitled to apply to the collector:
  • Right of access,
  • Right to rectification,
  • Right to erasure,
  • Right to restriction of processing,
  • Right to object.

A reminder to always be very careful about giving out your personal details to anyone, even companies which are as well known as Ledger and Trezor.
guigui371
May 25, 2020, 04:48:44 AM
 #4

This has been discussed here:
Ledger(and Trezor) hardware wallet owners: heads up

A solution to avoid giving your real address (so no doxing if the database is leaked) is to get your parcels shipped to a nearby grocery store and collect them when you do your shopping.
It is way more flexible/convenient than waiting for the parcel at home or collecting from the post office.

Coin_trader
May 25, 2020, 04:55:53 AM
 #5

I never used my hardware wallet(trezor) directly on buying online. I always used electrum wallet as my mode of payment when purchasing even on doing a p2p transaction. A golden rule here is to always keep your hardware wallet disconnected online and make a separate wallet for all transaction.

Although this kind of leak is inevitable because there's always a way for a hacker to decipher the security system of all websites especially shopping website.

o_e_l_e_o
May 25, 2020, 06:07:44 AM
 #6

Quote from: Coin_trader
I never used my hardware wallet(trezor) directly on buying online. I always used electrum wallet as my mode of payment when purchasing even on doing a p2p transaction. A golden rule here is to always keep your hardware wallet disconnected online and make a separate wallet for all transaction.

You are misunderstanding what is going on here. This hacker is claiming to have access to the databases of people who have purchased hardware wallets from Trezor or Ledger. If you bought a hardware wallet from one of their sites, then the vast majority of people will have entered their real name and address, and it is that database which has allegedly been hacked. Keeping your hardware wallet offline would make no difference to a hack like this.
bob123
May 25, 2020, 08:04:11 AM
 #7

Quote from: Coin_trader
I never used my hardware wallet(trezor) directly on buying online. I always used electrum wallet as my mode of payment when purchasing even on doing a p2p transaction. A golden rule here is to always keep your hardware wallet disconnected online and make a separate wallet for all transaction.

Wait, what?

Regardless of the irrelevance to the OP, this statement doesn't make any sense.
You are using your desktop wallet to pay for stuff, ok. But how are you funding your desktop wallet with your hardware wallet?
I'd assume that you are using your PC?
It doesn't matter whether you send a transaction to someone else, or to your other wallet.

The only real advantage in security would be, if you'd only use an offline PC to sign transactions with your hardware wallet and then move it to an online PC to actually broadcast it.
I mean.. that's possible and adds another level of protection, but.. if you aren't transacting huge sums of money this seems like overkill to me.

NotATether
May 25, 2020, 08:19:58 AM
 #8

Quote from: o_e_l_e_o
The attacker in question is claiming to have the databases not just of Ledger and Trezor, but also KeepKey, Loanbase, Bitbond, BnkToTheFuture, and a variety of others. As you say though, no proof so far and both Ledger and Trezor deny anything matches with their database.

Don't the hacker's claims of siphoning at least half a dozen different databases from unrelated companies, all at the same time, seem bogus? The only trace of information they left is a thread on some other forum offering to sell this stuff. We have people on the marketplace board making high-and-mighty claims like this all the time.

I'm not denying the possibility that a leak happened but it seems hard for me to believe that so many databases were compromised all at once.

NeuroticFish
May 25, 2020, 08:21:38 AM
 #9

Quote from: Coin_trader
I never used my hardware wallet(trezor) directly on buying online. I always used electrum wallet as my mode of payment when purchasing even on doing a p2p transaction. A golden rule here is to always keep your hardware wallet disconnected online and make a separate wallet for all transaction.

I pity you. Seriously. I think that you don't understand what you are doing and this may get you to the point you may lose funds. Also if you post on this forum you may give wrong advice to somebody.
Can you please take some minutes and read more about the way the wallets work, maybe understand that hardware wallets only provide signing for transactions and why they are pretty much designed to be used directly (i.e. online)?

Lucius
May 26, 2020, 10:18:22 AM
 #10

Ledger issued an official statement on its website regarding the alleged hacking of the database:

Quote from: Ledger
On Sunday an unknown hacker claimed that he was in possession of leaked databases from Ledger, Trezor and Keepkey’s ecommerce platforms.

After a thorough investigation from our data and security team and based on the information at hand, we can confirm this leak doesn’t match our database.

Therefore, we trust our client’s data is not prone to be used for phishing attacks, scams or any other attacks. To sum up, and after multiple discussions with other industry players and partners, it is our conviction that this is merely an attempt at spoiling Ledger’s reputation and is nothing but a hoax.

Several clues led us to such conclusion:
  • The hacker claims he hacked Ledger clients’ database through a Shopify exploit in 2016. While Ledger currently uses Shopify as a third party provider for its ecommerce operation, this was not the case back in 2016.
  • The content and structure of the leaked data does not match Ledger’s.
  • Shopify couldn’t find any trace of malicious attacks, nor suspicious activity in its ecommerce systems.
  • We exchanged with Under The Breach, who couldn’t confirm the authenticity of the stolen database.

As one user posted on Twitter, this is obviously an attempt by some kid who wants to scam some naive customer for as much BTC as possible, of course without the ability to verify the data being sold. Unfortunately, many have interpreted this news as a kind of hacking of their devices, which of course has nothing to do with it - even if there was a real hacking of the database, the devices themselves are completely safe.

dkbit98
May 27, 2020, 10:51:48 AM
 #11


https://twitter.com/underthebreach/status/1264460979322138628

Both Trezor and Ledger deny being hacked.
On the other side, hackers say that they have sensitive data from over 80,000 people!
Looks like it is the same group that hacked the Ethereum forum back in 2016.
Source article:
https://siliconangle.com/2020/05/25/cryptocurrency-wallet-providers-trezor-ledger-deny-reports-hacked/

o_e_l_e_o
May 27, 2020, 02:20:43 PM
 #12

I think it's pretty safe to say this is a hoax. I've seen screenshots on Twitter from multiple people who have contacted the "hacker" in question and asked him to verify the data before purchasing, and on each occasion he was unable to. The alleged source of the hack - Shopify - isn't used at all by Trezor, and wasn't used by Ledger in 2016, which is when the supposed database is from.

Ledger's statement: https://www.ledger.com/our-ecommerce-database-has-not-been-hacked
Trezor's statement: https://blog.trezor.io/trezor-e-shop-breach-is-a-hoax-d943ce267b66

Trezor's statement also gives some good advice for anybody considering ordering a hardware device in the future:
Quote
  • If possible order your goods using the address of the company you are working for and have it delivered there.
  • You can even tell your reception desk that you will be using a pseudonym.
  • If you can not have goods delivered to your office, consider using a P.O. box.
  • Always use a special purpose email in which you avoid your real name.
  • If you really need to share your phone number, share the work one preferably.
In short, don't use your real name, personal address, personal email, or personal phone number.

As I mentioned above, both companies have clauses in their privacy policies allowing you to request all details they have about you be deleted.
xoso
December 21, 2020, 11:49:12 AM
 #13

Yes, and here is the whole data available now on Github:
https://github.com/xoso9/ledgerhack