Ledger(and Trezor) hardware wallet owners: heads up | EDIT: (debunked)

[o_e_l_e_o]

I mean, I don't trust any companies who would keep and sell my data, especially if it's any sensitive data and/or they are supposed to aid to keep my privacy.

Most companies will keep the personal data of their customers on file, largely for law enforcement and compliance reasons. The privacy policies of both Ledger and Trezor allow you to request to have your details erased from their databases though. I'll quote a post I made on another thread about this at the bottom of this post. I'd be very surprised if it turned out that either Ledger or Trezor were actively selling customer details though - such a thing would lose them a vast number of customers.

What a big joke if they come to one of the addresses, got the wallet, forcing the owner to tell the password but he doesn't have any funds left.

From what Shopify, Ledger, and Trezor are all saying, this hack appears to be fake, but there is still a certain irony to it. We spend a lot of time on here talking about how best to use hardware wallets, are they secure enough, can they be trusted, using passphrases, storing seeds, airgapped wallets, etc., etc., and a mass $5 wrench attack is still the most likely way you will lose your coins. Now's the time to think about using a passphrase for plausible deniability if you don't already.

Even for those who contacted support? They have to submit emails when creating support tickets.

Your email address will be on a database somewhere. Whether it is the same database that his hacker claims to have, we don't know. That's why I would always suggest using multiple different email address for different purposes, and the one you use for crypto-related activities should not be tied to your real name or address in any way.

Worth noting that both Ledger and Trezor allow you to request that they erase any details they hold about you from their databases. Although obviously too late for this hack (if it turns out to be true), it would still be worthwhile erasing your details from their databases.

You have the right to request access to your Personal Data, their rectification or erasure, as well as the right to request the restriction of the processing or to object to the processing.

Under Article 15 to 21 of the GDPR, you have the following rights that you are entitled to apply to the collector:

• Right of access,
• Right to rectification,
• Right to erasure,
• Right to restriction of processing,
• Right to object.

A reminder to always be very careful about giving out your personal details to anyone, even companies which are as well known as Ledger and Trezor.

[1714973306]

1714973306

[1714973306]

1714973306

[so98nn]

I never opened up my ledger after creating the backup for the initial set up.

So does it mean my data is still secure for my ledger ?

What I mean is, I never connected it with network till now after first set up.

Or is it like they have fetched the data from stored servers of ledgers or whatever storage location is there? Shall we afraid of our coins in the ledger ?

Your bitcoin and other altcoins are safe. The only thing you should worry is that the personal information you surrendered to the mentioned company are at risk of being compromised by illegal dealers in the blackmarket.

Your ledger and your crypto is not correlated from the data breach but your sensitive information when your bought your cold storage does. Your coins are safe unless there is a $5 Wrench attack,

Okay that is the most important thing for me, the fund security.
Otherwise it would have made an impression that cold storage is also unsafe now. Lol.

I don't remember sharing my phone number, it's only E-mail with 2FA security so I don't think anyone can misuse it besides sending spam mails.

That's a relief though if my coins are safe. Thanks for info.

[o_e_l_e_o]

I don't remember sharing my phone number, it's only E-mail with 2FA security so I don't think anyone can misuse it besides sending spam mails.

If you bought a hardware wallet from either Ledger's or Trezor's official site, then you will also have had to give a name and address. This is what is worrying most people, as someone can now show up at your house with proof that you have a hardware wallet and commit physically force you to hand over your coins.

Also, if the email address you have given them is the same email address you have used for other crypto activities, particularly valuable accounts such as web wallets or exchange accounts which may be holding funds, then (if this hack turns out to be true) someone could try to access these accounts. An email address as well as your real name and address might be enough to convince a support team somewhere to reset your password.

[witcher_sense]

From what Shopify, Ledger, and Trezor are all saying, this hack appears to be fake, but there is still a certain irony to it. We spend a lot of time on here talking about how best to use hardware wallets, are they secure enough, can they be trusted, using passphrases, storing seeds, airgapped wallets, etc., etc., and a mass $5 wrench attack is still the most likely way you will lose your coins. Now's the time to think about using a passphrase for plausible deniability if you don't already.

Bold part is a good way to use a hardware wallet, I can't believe I have used it without that option before. But the most important thing here and why one shouldn't worry about shipping address leak is the fact that possesion of the hardware wallet doesn't mean one have money stored in there. Hackers and robbers need to know precisely whether their victim has any big money or not. Really, it doesn't make any sense to attack everyone who has ever bought a piece of hardware. So, just don't talk about how many bitcoins you have and you are fine.

[slaman29]

Thanks for the reminder and it's something I tell myself every time I feel obliged to trust a company I really like. You see, even if the intentions are good, human error and well, the basic capacity for humans to make mistakes, will eventually cause any company to face this dilemma (even if theoretically).

From what Shopify, Ledger, and Trezor are all saying, this hack appears to be fake, but there is still a certain irony to it. We spend a lot of time on here talking about how best to use hardware wallets, are they secure enough, can they be trusted, using passphrases, storing seeds, airgapped wallets, etc., etc., and a mass $5 wrench attack is still the most likely way you will lose your coins. Now's the time to think about using a passphrase for plausible deniability if you don't already.

Tech is tech and there is no human-proof tech yet:) What do we do one day if thieves also know about plausible deniability passphrase?

[mk4]

Tech is tech and there is no human-proof tech yet:) What do we do one day if thieves also know about plausible deniability passphrase?

Some will know about it, and some will don't. But in the end, it's really better to have it. Not doing/using something just because thieves could know about it makes little sense. It's like saying that we shouldn't use CCTV cameras or have guns on our homes because thieves know about them anyway. Not really that close of an analogy, but you get what I mean.

[so98nn]

That's really nasty one. After reading what can they do about my E-mail making me uncomfortable. I use it almost everywhere.

I will start updating it with the services where it is allowed to do so.

Perhaps, the news should be false and all the ledger services must abide to the stringent laws against data protection.

[slackovic]

That's really nasty one. After reading what can they do about my E-mail making me uncomfortable. I use it almost everywhere.

I will start updating it with the services where it is allowed to do so.

Perhaps, the news should be false and all the ledger services must abide to the stringent laws against data protection.

If I understood how this attack (allegedly) happened, it's not Ledger's or Trezor's fault. It's Shopify's database that was hacked. However, I wouldn't blame them too much because there is still no proof that the attack really happened.

[o_e_l_e_o]

Hackers and robbers need to know precisely whether their victim has any big money or not. Really, it doesn't make any sense to attack everyone who has ever bought a piece of hardware.

Well, most people aren't buying a hardware wallet just for fun. Chances are if you own a hardware wallet, then you have are holding a reasonable amount of cryptocurrency that you are uncomfortable storing in a software wallet. Your coins don't even have to be on the hardware wallet - once an attacker has identified you as a target, they can physically coerce you in to unlocking software wallets, hardware wallets, web wallets, exchange accounts, whatever.

Thanks for the reminder and it's something I tell myself every time I feel obliged to trust a company I really like. You see, even if the intentions are good, human error and well, the basic capacity for humans to make mistakes, will eventually cause any company to face this dilemma (even if theoretically).

Exactly. Trusting anyone else to hold your coins or hold your data, regardless of how reputable you think they are, always carries a risk.

What do we do one day if thieves also know about plausible deniability passphrase?

Create several, and make sure they aren't linkable in any way using blockchain analytics.

[witcher_sense]

Well, most people aren't buying a hardware wallet just for fun. Chances are if you own a hardware wallet, then you have are holding a reasonable amount of cryptocurrency that you are uncomfortable storing in a software wallet. Your coins don't even have to be on the hardware wallet - once an attacker has identified you as a target, they can physically coerce you in to unlocking software wallets, hardware wallets, web wallets, exchange accounts, whatever.

Is there some statistic regarding particular reasons behind people buying hardware? I didn't see one. It may be just for fun since not all people understand why they are buying even bitcoin itself. They might be holding some unreasonable amount of bitcoin or any piece of shitcoin. There is still lack of information for robbers. They are not going to risk just for potential income. However, this unreasonable amount could unexpectedly become reasonable one day and, in this case, the leak will be dangerous for us. The cure is the same: don't talk about cryptocurrency you're holding, this put your in danger, especially in the future when bitcoin is more valuable. People in the future might be robbed just for the sake of 1 satoshi.

[Lucius]

Whether this is true or not, the fact is that there is a risk now, but also in the future with such and similar databases that are clearly insufficiently protected. Apart from the fact that such a database could physically endanger some of the HW users, it can be used for social engineering (sending phishing e-mails), or SIM swap attacks.

I also believe that such a database would be of interest to the tax authorities, in the sense that it could give them guidelines on who should be closely monitored when it comes to crypto taxes.  

What I also notice is that Ledger DB is (by hacker) contains only 41 488 users, which is definitely too little considering how many devices Ledger has sold so far. Also, by what Ledger has posted so far, comparing the data from screenshots with real DB, they do not match.

Edit - Just found this on Ledger Twitter.


https://twitter.com/l33tguy/status/1264661534380191744

By hacker this database is from period from 2016 or earlier, which would somewhat explain such a small number of Ledger users. Yet it seems to be a simple attempt of scam.

[mk4]

Is there some statistic regarding particular reasons behind people buying hardware? I didn't see one. It may be just for fun since not all people understand why they are buying even bitcoin itself. They might be holding some unreasonable amount of bitcoin or any piece of shitcoin.

It's going to be pretty hard to have an accurate statistic for that. You'd really need to put out a large scale poll to hardware wallet buyers. One thing's for sure though, most buyers assume it's secure hence why people buy them. I mean, hardware wallets are pretty much heavily recommended(as it should) in the entirety of the cryptocurrency space.

[slackovic]

Whether this is true or not, the fact is that there is a risk now, but also in the future with such and similar databases that are clearly insufficiently protected. Apart from the fact that such a database could physically endanger some of the HW users, it can be used for social engineering (sending phishing e-mails), or SIM swap attacks.

The risk didn't become a reality now because some hacker claims that he hacked Shopify's database. Each one of us is risking their data being leaked every time we enter some data on a web site. User never knows how his data ona web site is stored and protected. When we register on a web site and enter our information, we choose to trust that web site. No one can guarantee that they database won't be hacked because it can happen to anyone.

By hacker this database is from period from 2016 or earlier, which would somewhat explain such a small number of Ledger users. Yet it seems to be a simple attempt of scam.

I was always wondering about this... Why would someone hack a database and then steal only a small part of it? It could be that in this case Shopify kept their old data in some old database that this hacker managed to hack. If that it true, why do they keep those old databases online? If at some point they decided to move all user data to another DB, why would they keep the old one "alive"?

[Sanugarid]

Whether this is true or not, the fact is that there is a risk now, but also in the future with such and similar databases that are clearly insufficiently protected. Apart from the fact that such a database could physically endanger some of the HW users, it can be used for social engineering (sending phishing e-mails), or SIM swap attacks.

The risk didn't become a reality now because some hacker claims that he hacked Shopify's database. Each one of us is risking their data being leaked every time we enter some data on a web site. User never knows how his data ona web site is stored and protected. When we register on a web site and enter our information, we choose to trust that web site. No one can guarantee that they database won't be hacked because it can happen to anyone.

It could be, but the fact that Shopify is highly secured this might be just a false allegations. Shopify has a lot of third-party  but they are more secure than their competitors even some of them are self-hosted like Magento and Woocommerce. But then there is a risk of customers data that could be use to identity theft or any illegal activities online, Shopify should look deeply down to this.

By hacker this database is from period from 2016 or earlier, which would somewhat explain such a small number of Ledger users. Yet it seems to be a simple attempt of scam.

I was always wondering about this... Why would someone hack a database and then steal only a small part of it? It could be that in this case Shopify kept their old data in some old database that this hacker managed to hack. If that it true, why do they keep those old databases online? If at some point they decided to move all user data to another DB, why would they keep the old one "alive"?

Data breaching is harder than what you think, hackers could get into it but there are times that new data are being handle by different server with different security.

Why they keep the data online? - It has to do with their PCI compliance to implement and maintain a firewall.

I'm worried about those people whose data has been stolen like the name, address and phone number. If this came out to be true, they could be in danger.

[Lucius]

The risk didn't become a reality now because some hacker claims that he hacked Shopify's database. Each one of us is risking their data being leaked every time we enter some data on a web site. User never knows how his data ona web site is stored and protected. When we register on a web site and enter our information, we choose to trust that web site. No one can guarantee that they database won't be hacked because it can happen to anyone.

I am referring to a specific situation like this, not to general database hacking. If this were true then such a database would be a really big security risk, because each customer can be identified by full name, email address and phone number. Here we are talking about people who mostly own some significant amounts of crypto, and a way to locate and physically rob them, with of course sophisticated remote attacks via email/SMS/or phone calls.

I was always wondering about this... Why would someone hack a database and then steal only a small part of it? It could be that in this case Shopify kept their old data in some old database that this hacker managed to hack. If that it true, why do they keep those old databases online? If at some point they decided to move all user data to another DB, why would they keep the old one "alive"?

So as I already wrote (based on tweet) the hacker claims that this is a database from 2016 or earlier, which means that it can only contain the earliest customers. I don't know where you get the idea that someone hacked the database yesterday and then only sells data from 2016? This database (if it exists at all) could have been hacked 4+ years ago, and has only now appeared on the market.

[slackovic]

The risk didn't become a reality now because some hacker claims that he hacked Shopify's database. Each one of us is risking their data being leaked every time we enter some data on a web site. User never knows how his data ona web site is stored and protected. When we register on a web site and enter our information, we choose to trust that web site. No one can guarantee that they database won't be hacked because it can happen to anyone.

I am referring to a specific situation like this, not to general database hacking. If this were true then such a database would be a really big security risk, because each customer can be identified by full name, email address and phone number. Here we are talking about people who mostly own some significant amounts of crypto, and a way to locate and physically rob them, with of course sophisticated remote attacks via email/SMS/or phone calls.

I understand what you are referring to, but I'm saying that the risk of someone hacking this database has always been real. The best thing now would be that this turns out to be fake, but that it "teaches" Ledger, Trezor and Shopify to always fix the security holes in the software. Because, like you said - the biggest problem is that information can be used to hurt people and steal their money.

I was always wondering about this... Why would someone hack a database and then steal only a small part of it? It could be that in this case Shopify kept their old data in some old database that this hacker managed to hack. If that it true, why do they keep those old databases online? If at some point they decided to move all user data to another DB, why would they keep the old one "alive"?

So as I already wrote (based on tweet) the hacker claims that this is a database from 2016 or earlier, which means that it can only contain the earliest customers. I don't know where you get the idea that someone hacked the database yesterday and then only sells data from 2016? This database (if it exists at all) could have been hacked 4+ years ago, and has only now appeared on the market.

Yeah, that's true. But I don't understand why would someone wait 4 years to sell something like that. He certainly would get much more money if the hacked data was newer

But nevertheless, I hope this one turns out to be fake.

[mk4]

Update: Ledger already claims that the rumours are false. While we can all have our sighs of relief now, make this be a wake up call that it's heavily not recommended to be handing over personal information on a lot of websites. Always think twice when handing over personal information, especially on shady websites.

[20kevin20]

It is quite scary how a little database leak could lead to a huge chain of robberies involving potentially millions of USD, specifically if big names & their addresses are leaked. The worst part is, governments may require businesses to store customer details but a business doesn't always have a high level database security. In fact, I'd guess most of them don't.

[slackovic]

Update: Ledger already claims that the rumours are false. While we can all have our sighs of relief now, make this be a wake up call that it's heavily not recommended to be handing over personal information on a lot of websites. Always think twice when handing over personal information, especially on shady websites.

Yeah, but you can't call Shopify a shady website. They are well known for years and majority of users trust them with their data. Besides, if Ledger as a company use them to sell their devices, why would some user think of them as a shady website?

It is quite scary how a little database leak could lead to a huge chain of robberies involving potentially millions of USD, specifically if big names & their addresses are leaked. The worst part is, governments may require businesses to store customer details but a business doesn't always have a high level database security. In fact, I'd guess most of them don't.

If a government requires businesses to store customer data, then it should require some level of database security. If a business gets their customer's data stolen due to a database hack because of some unfixed security hole, then that business could to be blamed too.

[mk4]

Yeah, but you can't call Shopify a shady website. They are well known for years and majority of users trust them with their data. Besides, if Ledger as a company use them to sell their devices, why would some user think of them as a shady website?

I wasn't specifically saying that Shopify and Ledger are shady websites, I even use Shopify myself. I was just putting out a point for the people who think it's fine giving away your home address to various websites.