DdmrDdmr (OP)
Legendary
Offline
Activity: 2492
Merit: 11048
There are lies, damned lies and statistics. MTwain
I normally do not like posting anything that is little more than a copy/paste + link, but this case justifies me doing so: https://www.ledger.com/addressing-the-july-2020-e-commerce-and-marketing-data-breach
Our ecommerce and marketing database leaked, we immediately fixed the breach. Contact and order details were involved. Your funds are safe.
What happened?
On the 14th of July 2020, a computer researcher that participated in our bug bounty program notified us of a potential data breach on the Ledger website. We immediately fixed the breach after receiving the researcher’s report and undertook an internal and external investigation of the situation. While conducting the investigation, we discovered an unauthorized third party had gained access to customer information.
What personal information was involved?
Contact and order details were involved. This is mostly the email address of our customers. Further to investigating the situation we have also been able to establish that, for a subset of customers were also exposed: first and last name, postal address, phone number and ordered products. Due to the scope of this breach and our commitment to our customers, we have decided to inform all of our customers about this situation.
Payment information, credentials (passwords) or crypto funds are not impacted by this data breach. This data breach has no link nor impact on our hardware wallets and the Ledger Live application. Your crypto assets are safe and are not in peril.
What we have done, what we are doing
We have taken immediate action on 14th of July 2020, to resolve the data breach.
On the 17th of July, we notified the CNIL -- the French Data Protection Authority -- about this data breach and are continuing to work with authorities throughout the legal process.
We are continuously monitoring for evidence of our customers’ contact details being disclosed on the internet, and have found none thus far. We also performed an internal penetration test.
We are currently in the process of filing a complaint before the French public prosecutor regarding the unauthorized access and we will support law enforcement investigation.
We are extremely regretful for this incident. We take privacy very seriously, and we sincerely apologize for the inconvenience this matter may cause you.
What you can do
We recommend you exercise caution -- always be mindful of phishing attempts by malicious scammers.
As a reminder, Ledger will never ask you for the 24 words of your recovery phrase. If you receive an email that looks like it came from Ledger asking for your 24 words, you should definitely consider it a phishing attempt.
We suggest you visit Ledger Academy security section to educate yourself on general security principles and more precisely our article about phishing attacks.
Pascal Gauthier, Ledger CEO
If the above is completely true, and the facts and scope of the breach are as stated, be very wary over the coming days of personalized phishing attempts. I really despise the fact that addresses were leaked. That is unforgivable, and although I do not expect a criminal campaign preceded by a mass sell-off of $5 wrenches at warehouses, for a company that works on security, encrypting the DB and storing the keys separately is bloody paramount.
jseverson
July 29, 2020, 07:49:18 AM
If the above is completely true, and the facts and scope of the breach are as stated, be very wary over the coming days of personalized phishing attempts.
More than that, I would even be wary of being robbed. There are people out there who know you're probably holding a respectable number of coins, what to look for, and where they may find it. If you're one of the customers whose data got leaked, it probably wouldn't hurt to bolster your physical security. Supply chain attacks have basically been the only real downside in hardware wallet discussions, and I feel like this is another big one that will repeatedly come up in the future. I'm pretty happy I make my own cold wallet.
Coyster
Legendary
Offline
Activity: 2198
Merit: 1306
Playbet.io - Crypto Casino and Sportsbook
July 29, 2020, 08:02:44 AM
More than that, I would even be wary of being robbed. There are people out there who know you're probably holding a respectable number of coins, what to look for, and where they may find it. If you're one of the customers whose data got leaked, it probably wouldn't hurt to bolster your physical security.
jseverson, you do have a point there, but these scammers are more cyber criminals than armed robbers, so a situation where one of those users whose information just got leaked is robbed is, imo, improbable; that being said, it doesn't mean it cannot happen, but the scammers will try every online means: phishing attempts, impersonations, blackmailing, etc., and if it ever gets to a robbery incident, I'll expect the user to have hundreds of thousands (or millions even) in bitcoin for the scammers to take the risk of being caught by coming in person.
btcltcdigger
July 29, 2020, 09:41:34 AM
If the above is completely true, and the facts and scope of the breach are as stated, be very wary over the coming days of personalized phishing attempts.
More than that, I would even be wary of being robbed. There are people out there who know you're probably holding a respectable number of coins, what to look for, and where they may find it. If you're one of the customers whose data got leaked, it probably wouldn't hurt to bolster your physical security. Supply chain attacks have basically been the only real downside in hardware wallet discussions, and I feel like this is another big one that will repeatedly come up in the future. I'm pretty happy I make my own cold wallet.
Yeah, if they can tie wallets with ledgers, and ledgers with addresses, then some people might have something to be worried about. Time to lock up ledgers and move them to a safe place, I guess. In any case, I'm sure everyone who owns a Ledger can expect a lot of emails in the following weeks.
Maus0728
Legendary
Offline
Activity: 2030
Merit: 1582
July 29, 2020, 10:35:55 AM
Is this somehow related to Ledger (and Trezor) hardware wallet owners: heads up | EDIT: (debunked)? And yeah, the $5 wrench attack is a great risk for people who are also living with their household... probably an average bitcoiner. Two consecutive info breaches on Ledger is something to be afraid of, LOL. It is also a good idea to shop on Ledger using another location for delivery and a dummy name, since I don't think they give importance to whether it is true or not.
HeRetiK
Legendary
Offline
Activity: 3108
Merit: 2177
Playgram - The Telegram Casino
July 29, 2020, 10:53:31 AM
More than that, I would even be wary of being robbed. There are people out there who know you're probably holding a respectable number of coins, what to look for, and where they may find it. If you're one of the customers whose data got leaked, it probably wouldn't hurt to bolster your physical security.
jseverson, you do have a point there, but these scammers are more cyber criminals than armed robbers, so a situation where one of those users whose information just got leaked is robbed is, imo, improbable; that being said, it doesn't mean it cannot happen, but the scammers will try every online means: phishing attempts, impersonations, blackmailing, etc., and if it ever gets to a robbery incident, I'll expect the user to have hundreds of thousands (or millions even) in bitcoin for the scammers to take the risk of being caught by coming in person.
Problem being, these datasets usually get sold on the black market. So while the original attackers might not do physical crime, they very well might sell the data to criminals who do. If you live in a country that's relatively safe to begin with this probably won't affect you, but if you live in an area prone to organized crime you now might have a big target on your back.
Erumo
Member
Offline
Activity: 566
Merit: 50
July 29, 2020, 11:02:32 AM
They got owned for 4 days, and only now do they announce it. Not smart. Why not announce it on the day they got exploited and warn users against giving the "24 words of your recovery phrase" to someone?
Not a single word about compensation to 9500 customers. This will strike hard on their reputation. I expect used ledgers appear on the market, as well as discounts in ledger shop.
You mess with the meow meow You get the peow peow
20kevin20
Legendary
Offline
Activity: 1134
Merit: 1598
July 29, 2020, 11:37:34 AM
I wonder if older customers have been affected as well or just recent ones. IIRC, they once said older customers are deleted from their database for security purposes. The fact that it's the second time something like this happens is worrying, to say the least.
I'd say a wrench attack isn't very likely for most customers, but is something they should consider - especially if bigger or more popular names are involved.
DdmrDdmr (OP)
Legendary
Offline
Activity: 2492
Merit: 11048
July 29, 2020, 12:29:36 PM
This information release explains the incident a wee bit further: https://www.ledger.com/addressing-the-july-2020-e-commerce-and-marketing-data-breach
If we take it as is:
- The data breach was performed through an unauthorized use of an API key to access both the marketing and e-commerce data.
- They figure that 1M email addresses may have been retrieved through the API (I figure they keep logs of API usage, and should be able to be certain of this fact).
- Personal stolen data was limited to that of 9,500 customers (they do not provide a criterion here to know who may be affected by this part of the breach).
- All affected customers have received an email with information on this breach. Therefore, if you've received an email such as the one in the OP, you are among those breached.
There is no information on whether the 9,500 customers that have had their personal data breached have or have not been explicitly notified of this fact. The positive side (so to say) is that the personal data breach is limited to a very small portion of the database. Emails are going to be used for phishing campaigns for sure, so be wary of any email you receive related to Ledger: check the sender properly, and contrast with the official Ledger website. Do not panic and rush into providing mnemonics at any time on any site, and do not download anything related from an external link (i.e. alleged Ledger Live updates).
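Added example (not from the thread and not Ledger's code): the kind of check that the "they keep logs of API usage" remark above implies, run over a few constructed API log lines. The signal is an API key that normally does small incremental pulls suddenly paging through the whole customer table within minutes. The log format, the endpoint names, the key names and the hourly row budget are all assumptions.

```python
"""Flag an API key that is pulling customer records in bulk.

Added example for this thread, not Ledger's code. The log format, endpoint
names and the row budget are assumptions; the log lines are constructed.
Each line is one JSON object: ts (ISO 8601), key_id, path, status, rows.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)
ROW_BUDGET = 5000                                   # assumed rows per key per WINDOW
CUSTOMER_PATHS = ("/v1/customers", "/v1/orders")    # assumed endpoints that return PII

# Constructed sample: "mkt-sync" does its usual small hourly pulls, "shop-export"
# pages through the whole customer table in five minutes, "unknown" is denied.
SAMPLE_LOG = """
{"ts": "2020-07-14T01:00:00", "key_id": "mkt-sync", "path": "/v1/customers?since=1h", "status": 200, "rows": 200}
{"ts": "2020-07-14T02:00:00", "key_id": "mkt-sync", "path": "/v1/customers?since=1h", "status": 200, "rows": 200}
{"ts": "2020-07-14T03:05:00", "key_id": "shop-export", "path": "/v1/customers?page=1", "status": 200, "rows": 1000}
{"ts": "2020-07-14T03:06:00", "key_id": "shop-export", "path": "/v1/customers?page=2", "status": 200, "rows": 1000}
{"ts": "2020-07-14T03:07:00", "key_id": "unknown", "path": "/v1/customers", "status": 403, "rows": 0}
{"ts": "2020-07-14T03:07:30", "key_id": "shop-export", "path": "/v1/customers?page=3", "status": 200, "rows": 1000}
{"ts": "2020-07-14T03:08:00", "key_id": "shop-export", "path": "/v1/customers?page=4", "status": 200, "rows": 1000}
{"ts": "2020-07-14T03:09:00", "key_id": "shop-export", "path": "/v1/customers?page=5", "status": 200, "rows": 1000}
{"ts": "2020-07-14T03:10:00", "key_id": "shop-export", "path": "/v1/customers?page=6", "status": 200, "rows": 1000}
{"ts": "2020-07-14T04:00:00", "key_id": "mkt-sync", "path": "/v1/customers?since=1h", "status": 200, "rows": 200}
"""


def parse_log(text):
    """Parse one JSON record per line, skip blank lines, return them in time order."""
    recs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        recs.append(rec)
    recs.sort(key=lambda r: r["ts"])
    return recs


def find_bulk_exports(records, window=WINDOW, row_budget=ROW_BUDGET):
    """Sliding-window row count per API key over successful PII-endpoint calls.

    Returns {key_id: (window_start, rows_in_window, calls_in_window)} for every
    key whose rows within `window` exceeded `row_budget`. Only the first
    crossing is kept, so the alert points at the start of the export.
    """
    recent = defaultdict(deque)          # key_id -> deque of (ts, rows) inside the window
    rows_in_window = defaultdict(int)
    alerts = {}
    for rec in records:
        if rec["status"] != 200 or not rec["path"].startswith(CUSTOMER_PATHS):
            continue                      # denied calls and non-PII endpoints do not count
        key = rec["key_id"]
        q = recent[key]
        q.append((rec["ts"], rec["rows"]))
        rows_in_window[key] += rec["rows"]
        while q and rec["ts"] - q[0][0] > window:      # expire calls older than the window
            _, old_rows = q.popleft()
            rows_in_window[key] -= old_rows
        if rows_in_window[key] > row_budget and key not in alerts:
            alerts[key] = (q[0][0], rows_in_window[key], len(q))
    return alerts


if __name__ == "__main__":
    for key, (start, rows, calls) in find_bulk_exports(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT key={key} pulled {rows} rows in {calls} calls since {start.isoformat()}")
```

A fixed budget is the simplest form; in production the threshold would be derived per key from its own history, but the structure (per-key sliding window over successful calls to the endpoints that return PII) is the same.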
jseverson
July 30, 2020, 02:36:02 AM
jseverson you do have a point there, but this scammers are more of cyber criminals than armed robbers
To add to what @HeRetiK has already said, hackers are more likely to sell your data rather than use it. Trezor's blog actually covers this: In most cases, the hacker will not use the data, but instead will sell them to a third party, often called a “broker.” By selling the stolen information, they’re reducing the risk they’re facing compared to the risk of using the data by themselves. Actually utilizing the hacked data is usually a big operation, and the hackers themselves may not have enough resources to fully take advantage of it. That being said, your data could easily end up with a random person/group within your vicinity, and we have no idea what kind of action they would take. I agree that it's far more likely for them to be used in a social engineering attack, but physical assaults relating to crypto aren't unheard of (and it might even be safe to assume that they're uncommon because attackers aren't aware who HODLs; this dataset can provide them with a full list), so I'd say it's important to highlight this risk.
squatter
Legendary
Offline
Activity: 1666
Merit: 1196
STOP SNITCHIN'
July 30, 2020, 02:59:23 AM
There is no information on whether the 9,500 customers that have had their personal data breached have or have not been explicitly notified of this fact.
They specified this on Twitter:
"If you are part of the approximately 9500 customers whose detailed personal information - name surname, postal address or phone number - were accessed by the unauthorized third party you have been notified 30 minutes ago."
I guess you can breathe easy if you haven't received an email specifying that you were part of the smaller breach. This is all very disappointing considering what Ledger is in the business of. This is yet another reminder -- don't reuse email addresses, and use P.O. boxes for sensitive purchases.
jademaxsuy
July 30, 2020, 04:21:31 AM
Problem being, these datasets usually get sold on the black market. So while the original attackers might not do physical crime, they very well might sell the data to criminals who do. If you live in a country that's relatively safe to begin with this probably won't affect you, but if you live in an area prone to organized crime you now might have a big target on your back.
Yes, pretty sure identities could be used in scamming. There are many individuals being tagged as scammers even when not really connected to the scam; instead it was only their identity being used to prove that the scammers are legit, which exposed the victim's identity. This is a very serious problem for the future, because identities can be used and tagged to scam activities. This is even common on Facebook, where many users are copying pictures and identities of others and then selling. The hard part is that the identity is not the true identity of the scammer.
cryptoaddictchie
Legendary
Offline
Activity: 2254
Merit: 1376
Fully Regulated Crypto Casino
July 30, 2020, 04:54:02 AM
I've received the security notice from Ledger too, but I'm checking on their social media how to know if I was part of those. I think my information was safe. At first I thought the mail was a spam email, but checking the social media it did sink in that they were breached.
"If you are part of the approximately 9500 customers whose detailed personal information - name surname, postal address or phone number - were accessed by the unauthorized third party you have been notified 30 minutes ago. I guess you can breathe easy if you haven't received an email specifying that you were part of the smaller breach."
Can any of the Ledger users here confirm if you ever got emailed by them about the quote above? I think they should apologize to those 9500 users who were affected and give them compensation and assurance, just in case their profile is caught being used in any illegal activity, as scammers can use their details.
Yogee
July 30, 2020, 04:54:15 AM
I wonder if older customers have been affected as well or just recent ones. IIRC, they once said older customers are deleted from their database for security purposes. The fact that it's the second time something like this happens is worrying, to say the least.
We can't say for sure since they can store customer data for up to 10 years.
"If you purchased a product or a service from us, we may retain some transactional data attached to your Contact Details to comply with our legal, tax or accounting obligations for a maximum 10 years period set forth by French applicable laws, as well as to allow us to manage our rights (for example to assert our claims in Courts) during applicable French statutes of limitations."
Those 9,500 customers affected are probably fuming upon learning their personal data got leaked. I'm not victim blaming or anything, but I wonder if they all read what's stated in Ledger's Privacy Policy?
Who may we share your information with?
Ledger, its employees and contractors may use some of your personal data strictly as part of their duties and in accordance with this Privacy Policy.
We may also transmit some of your data to third parties such as payment services, infrastructure, logistics, and other services providers.
We enter into contractual arrangements with these third parties to ensure that personal data they could have to process for the provision of their tasks is adequately secured and that your privacy is protected. These providers have privacy policies which you may refer to for information about how they process your information and how to exercise your data subjects’ rights as provided under Applicable Laws. All personal data processed by these third parties shall solely be used to perform the services they provide to us and for the purposes set out in this Privacy Policy.
In certain circumstances and only where required by Applicable Laws, we may disclose some of your data to competent administrative or judicial authorities or any other authorized third party. - https://shop.ledger.com/pages/privacy-policy
They can request the erasure of their personal data, but the risk was already there when they bought their wallet. I don't think Ledger will ever change their privacy policy, but this is something potential customers should be aware of too.
Yogee
July 30, 2020, 04:57:18 AM
I've received the security notice from Ledger too, but I'm checking on their social media how to know if I was part of those. I think my information was safe. At first I thought the mail was a spam email, but checking the social media it did sink in that they were breached.
If you received an official email from them, then you are one of the 9,500 customers affected by the hack. Please check the sender to be sure it's actually from Ledger.
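Added example (not from the thread and not Ledger's code) of what "check the sender" amounts to in practice: parse the mail, compare the From, Reply-To and Return-Path domains and the DKIM signing domain against the vendor domain you expect, flag any link whose host merely starts with that domain, and flag a body that asks you to type in the recovery phrase. The vendor domain, both messages and the lookalike domains in them are constructed. The Authentication-Results header only means something when your own receiving mail server added it; an attacker can put one in the message themselves.

```python
"""Header and link checks for a mail that claims to come from a vendor.

Added example for this thread, not Ledger's code. EXPECTED_DOMAIN and both
messages are constructed; the phishing one uses made-up lookalike domains.
Authentication-Results is trusted here only as added by your own MTA.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

EXPECTED_DOMAIN = "ledger.com"

# Constructed: a genuine-looking notice after the receiving MTA verified it.
LEGIT = """\
From: Ledger <no-reply@ledger.com>
Return-Path: <bounces@ledger.com>
Authentication-Results: mx.example.net; dkim=pass header.d=ledger.com; spf=pass smtp.mailfrom=ledger.com
Subject: Security notice
Content-Type: text/plain; charset=utf-8

Our ecommerce and marketing database leaked. Your funds are safe.
Details: https://www.ledger.com/addressing-the-july-2020-e-commerce-and-marketing-data-breach
"""

# Constructed: lookalike sender domain, a link host that only *starts* with
# "ledger.com", a DKIM pass for the wrong domain, and a request for the seed.
PHISH = """\
From: Ledger Support <security@ledger-support.example>
Reply-To: help@ledger-support.example
Return-Path: <x@mailer.example>
Authentication-Results: mx.example.net; dkim=pass header.d=ledger-support.example; spf=pass smtp.mailfrom=mailer.example
Subject: Your device may be compromised
Content-Type: text/plain; charset=utf-8

Please verify your 24 words at https://ledger.com.verify.example/restore to keep your funds safe.
"""

ASKS_FOR_SEED = re.compile(
    r"\b(enter|confirm|verify|validate|provide|submit|restore)\b[^.\n]{0,40}"
    r"\b(recovery phrase|seed phrase|24 words)", re.I)


def _domain(header_value):
    """Lower-cased domain of the first address in a header ('' if none)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def _same_org(host, expected):
    """Exact domain or a real subdomain only: 'ledger.com.verify.example' is NOT ledger.com."""
    host = (host or "").lower().rstrip(".")
    return host == expected or host.endswith("." + expected)


def _auth_results(msg):
    """(dkim verdict, DKIM signing domain header.d, spf verdict) from Authentication-Results."""
    text = " ".join(msg.get_all("Authentication-Results", []))
    dkim = re.search(r"dkim=(\w+)(?:[^;]*?header\.d=([\w.-]+))?", text)
    spf = re.search(r"spf=(\w+)", text)
    return (dkim.group(1) if dkim else "none",
            (dkim.group(2) or "") if dkim else "",
            spf.group(1) if spf else "none")


def _text_body(msg):
    """Concatenated text/plain parts, decoded with each part's charset."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    out = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            out.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(out)


def triage(raw, expected=EXPECTED_DOMAIN):
    """Return the reasons to distrust the mail; an empty list means every check passed."""
    msg = message_from_string(raw)
    findings = []
    from_dom = _domain(msg["From"])
    if not _same_org(from_dom, expected):
        findings.append(f"From domain {from_dom!r} is not {expected}")
    for hdr in ("Reply-To", "Return-Path"):           # replies and bounces must stay with the vendor
        dom = _domain(msg[hdr])
        if dom and not _same_org(dom, expected):
            findings.append(f"{hdr} points at {dom!r}")
    dkim, signer, spf = _auth_results(msg)
    if dkim != "pass" or not _same_org(signer, expected):   # DKIM must be aligned with From
        findings.append(f"no DKIM pass aligned with {expected} (dkim={dkim}, d={signer or '?'})")
    if spf != "pass":
        findings.append(f"spf={spf}")
    body = _text_body(msg)
    for url in re.findall(r"https?://[^\s\"'<>]+", body):
        host = urlparse(url).hostname or ""
        if not _same_org(host, expected):
            findings.append(f"link to {host!r}")
    if ASKS_FOR_SEED.search(body):
        findings.append("asks you to enter the recovery phrase")
    return findings


if __name__ == "__main__":
    for name, raw in (("LEGIT", LEGIT), ("PHISH", PHISH)):
        print(name, triage(raw) or "ok")
```

The host check is the part people get wrong by eye: `ledger.com.verify.example` and `www.ledger.com` both contain the brand, but only the second is under the vendor's domain, which is why the comparison is on the suffix and not on a substring.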
squatter
Legendary
Offline
Activity: 1666
Merit: 1196
July 30, 2020, 05:06:56 AM
Can any of the Ledger users here confirm if you ever got emailed by them about the quote above? I think they should apologize to those 9500 users who were affected and give them compensation and assurance, just in case their profile is caught being used in any illegal activity, as scammers can use their details.
Ledger doesn't appear to have enough customer information for identity theft. The main concern is phishing, given that 1 million email addresses were compromised. There may be a theoretical chance of $5 wrench attacks, but since there is no association between Ledger customers and actual cryptocurrency holdings -- no way to target big holders -- the chances seem remote.
DdmrDdmr (OP)
Legendary
Offline
Activity: 2492
Merit: 11048
July 30, 2020, 07:24:47 AM
<...>
Ok, thanks. Good to know that those 9,500 customers involved in the personal data breach were explicitly informed of which specific data was involved. This was done through a second email, distinct from the one reflected in the OP, which was sent to the 1M breached emails. I've skimmed through the whole Twitter conversation, and have found one reference from a person who allegedly bought his Ledger device 3 years ago and received the above-described second email. If that is true, the pattern (which is not revealed) is not limited to those that made a recent purchase (as some people speculated there).
mk4
Legendary
Offline
Activity: 2926
Merit: 3881
📟 t3rminal.xyz
July 30, 2020, 08:28:27 AM
Ladies and gentlemen, if you have been a customer of Ledger and you got their products delivered to your home, now might be the perfect time for you to learn about $5 wrench attacks.
Coyster
Legendary
Offline
Activity: 2198
Merit: 1306
July 30, 2020, 08:46:06 AM Last edit: July 30, 2020, 08:58:21 AM by Coyster
Could it have been the work of "hackers" from government supported agencies which have more effective tools than $5 wrenches?
No, the chances that it was the government who did this, hacking into the Ledger system and stealing users' email addresses, are almost nil in my opinion; some governments obviously may not support crypto, but they also don't sell people's email addresses on the black market or try to scam through phishing mails. The hack surely is the work of scammers who have always targeted crypto (bitcoin) users ever since its value skyrocketed.
Ladies and gentlemen, if you have been a customer of Ledger and you got their products delivered to your home, now might be the perfect time for you to learn about $5 wrench attacks.
I'm sure Ledger users will be getting extremely paranoid atm; I also want to add that should the hackers sell this data to people who can actually do physical damage, it will be carried out many months from now, not at this time while the issue is still a 'hot topic', so those 'breached' users should up their guard, not just for the meantime, but for many months to come.
mk4
Legendary
Offline
Activity: 2926
Merit: 3881
July 30, 2020, 09:23:16 AM
I'm sure Ledger users will be getting extremely paranoid atm; I also want to add that should the hackers sell this data to people who can actually do physical damage, it will be carried out many months from now, not at this time while the issue is still a 'hot topic', so those 'breached' users should up their guard, not just for the meantime, but for many months to come.
Sure, it's really likely that the database wouldn't be given to some criminals (or publicly leaked) today or tomorrow, but yeah, this is something people shouldn't set aside for the meantime and deal with in the future instead; which I assume people are doing. Anyway, this shouldn't solely be a $5 wrench issue. The data being publicly available also means the government is going to know which people actually possess bitcoin and cryptocurrencies, which is also definitely a bad thing.