Ledger Security Notice - Ecommerce and Marketing data have been exposed

[dragonvslinux]

Received via email from Ledger (also see similar blogpost):

Security Notice - Ecommerce and Marketing data have been exposed - Your funds are safe.

Our ecommerce and marketing database leaked, we immediately fixed the breach. Contact and order details were involved. Your funds are safe.

What happened?

On the 14th of July 2020, a computer researcher that participated in our bug bounty program notified us of a potential data breach on the Ledger website. We immediately fixed the breach after receiving the researcher’s report and undertook an internal and external investigation of the situation. While conducting the investigation, we discovered an unauthorized third party had gained access to customer information.  

What personal information was involved?

Contact and order details were involved. This is mostly the email address of our customers. Further to investigating the situation we have also been able to establish that, for a subset of customers were also exposed: first and last name, postal address, phone number and ordered products. Due to the scope of this breach and our commitment to our customers, we have decided to inform all of our customers about this situation.

Payment information, credentials (passwords) or crypto funds are not impacted by this data breach. This data breach has no link nor impact on our hardware wallets and the Ledger Live application. Your crypto assets are safe and are not in peril.

What we have done, what we are doing

We have taken immediate action on 14th of July 2020, to resolve the data breach.

On the 17th of July, we notified the CNIL -- the French Data Protection Authority -- about this data breach and are continuing to work with authorities throughout the legal process.

We are continuously monitoring for evidence of our customers’ contact details being disclosed on the internet, and have found none thus far. We also performed an internal penetration test.

We are currently in the process of filing a complaint before the French public prosecutor regarding the unauthorized access and we will support law enforcement investigation.

We are extremely regretful for this incident. We take privacy very seriously, and we sincerely apologize for the inconvenience this matter may cause you.

What you can do

We recommend you exercise caution -- always be mindful of phishing attempts by malicious scammers.

As a reminder, Ledger will never ask you for the 24 words of your recovery phrase. If you receive an email that looks like it came from Ledger asking for your 24 words, you should definitely consider it a phishing attempt.

We suggest you visit Ledger Academy security section to educate yourself on general security principles and more precisely our article about phishing attacks.

Pascal Gauthier, Ledger CEO

For more information

Our blogpost about the data breach, and the FAQ to answer all your questions. For any additional information, you can directly contact our customer support.

To discover our Privacy Policy and understand what we do with your data, please click here.

If you have any questions, or want to exercise any of your rights granted by Applicable Laws and detailed in our Privacy Policy, please contact our data protection officer at privacy@ledger.fr.


Articles/posts:
Addressing the July 2020 e-commerce and marketing data breach — A Message From Ledger’s Leadership - Ledger
Data Breach at Crypto Wallet Firm Ledger Exposes User's Personal Info - CoinTelegraph
Crypto Wallet Ledger Loses 1M Email Addresses in Data Theft - CoinDesk

[1715606253]

1715606253

[1715606253]

1715606253

[1715606253]

1715606253

[1715606253]

1715606253

[Yabes]

Yeah, Fund must be save as long the "words" saved as well.

But... our data... who knows 

[dkbit98]

Bad news for Ledger Cult in bitcointalk forum.  
1 million customer emails leaked and 9500 detailed personal information leaked!
https://twitter.com/Ledger/status/1288452973811703810

I think it is more than what they say and I don't trust Ledger until I see more transparent detailed report.

[vapourminer]

I think it is more than what they say and I don't trust Ledger until I see more transparent detailed report.

they stated that your crypto is safe but i wonder if any coin addresses were leaked. just what people want, name, address and potentially the amount of crypto they own for sale to the highest bidders.

lovely

[Lucius]

No one wants bad people to get their hands on their data, and this is certainly something that will damage Ledger's reputation. As for me personally, e-mail is not something that is a problem for me, spam ends up automatically in the trash anyway - but I'm more worried about these 9500 customers whose complete data has been stolen.

I also received an e-mail notification, but I would also like to know if I am one of those 9500 unfortunates whose data will be sold on the black market. I have not received any extra spam in my email so far, and Ledger says that they are not found stolen information being offered or sold anywhere on the internet.

[ranochigo]

It's bad news for a company that is supposed to protect the user's funds.

However, being a hardware wallet, no addresses nor funds or any sort of sensitive information pertaining to the user's hardware wallet should be leaked. Hardware wallets shouldn't communicate such information with a centralised server for the sake of security. It's highly likely that what they're saying is true.

Anyhow, the main concern right now is the spear phishing attacks that could be initiated against the users with the information that was obtained from the data breach.

[vapourminer]

However, being a hardware wallet, no addresses nor funds or any sort of sensitive information pertaining to the user's hardware wallet should be leaked. Hardware wallets shouldn't communicate such information with a centralised server for the sake of security. It's highly likely that what they're saying is true.

the hardware wallet needs to send the actual coin addresses to ledgers servers so you can see the balance on that address. that info possibly getting out, the amount of coin someone has control of, is worrisome to say the least.

at the very least i would move everything to a new wallet (new seed etc) just so when someone looks up that addy all they will see if what it did have. of course its possible to trace the coins to the new addys.

sucks big time all around.

[ranochigo]

the hardware wallet needs to send the actual coin addresses to ledgers servers so you can see the balance on that address. that info possibly getting out, the amount of coin someone has control of, is worrisome to say the least.

at the very least i would move everything to a new wallet (new seed etc) just so when someone looks up that addy all they will see if what it did have. of course its possible to trace the coins to the new addys.

sucks big time all around.

It says the Ledger Live isn't affected. You're right that Ledger Live does require the addresses being sent to the server and that is indeed quite worrying. I would have expected them to at the very least utilize bloom filters to try to protect their privacy. I don't have the time to review their code right now so I can't really see how the information is exchanged.

Hopefully, people are using third party software like Electrum instead of their own Ledger Live.

[hugeblack]

@OP You seem to be one of those affected by this leaked, so you got the message.

We’ve sent a second email to all 9500 affected customers for whom our data showed personal details were leaked. This email specify which data are involved.

Source ---> https://twitter.com/Ledger/status/1288452973811703810

The strange thing is why do they keep this data? You are a company that promotes privacy and sells products to protect money.
It may be used in marketing and market data analysis, but what is the need for "personal details" data storage?

The dangerous thing is that they haven't been informed until after a few days have passed, it's personal data so it's best for people to know early about it being leaked. This is the second time that they have done so, and most of those who discover them errors are people outside the company.

[bitmover]

I think it is more than what they say and I don't trust Ledger until I see more transparent detailed report.

they stated that your crypto is safe but i wonder if any coin addresses were leaked. just what people want, name, address and potentially the amount of crypto they own for sale to the highest bidders.

lovely

Possibly affiliates data were leaked as well.
Affiliates share their bitcoin address, real name   and documents to receive payments. Most probably, those address are within a ledger nano wallet. And an address might be connect to other address in the same wallet....

[dragonvslinux]

@OP You seem to be one of those affected by this leaked, so you got the message.

We’ve sent a second email to all 9500 affected customers for whom our data showed personal details were leaked. This email specify which data are involved.

Source ---> https://twitter.com/Ledger/status/1288452973811703810

Thanks for pointing that out, I had assumed as much, but good to know!

I'm more worried about what @ranochigo just referenced than a fake name at an old address with an irrelevant email address. My email address & details will no doubt be sold to the highest spammer, but this wouldn't be the first time, it's basically what I use it for  . Shit happens, but funds are safu. A leaky server is never a good sign though, this is the main point.

The strange thing is why do they keep this data? You are a company that promotes privacy and sells products to protect money.
It may be used in marketing and market data analysis, but what is the need for "personal details" data storage?

The dangerous thing is that they haven't been informed until after a few days have passed, it's personal data so it's best for people to know early about it being leaked. This is the second time that they have done so, and most of those who discover them errors are people outside the company.

This is admittedly is a better question, why are they keeping personal data of their hardware wallet owners in the first place, it's pretty sketchy.
It's almost certainly for marketing purposes, like when everyone else does it, so the only real risk/issue is that it gets hacked.... which just happened 
Now they will be sold to some other marketer is the likelihood, like a merry go round.

[Pmalek]

I hope that whoever gets his hands on the leaked data doesn't go and bother my friend who received my Ledger wallet in a completely other country. He is a bulky one, very hard to attempt a $5 wrench attack on him. I am going to warn him just in case.

Did everyone receive the same email as copied on the OP, or anyone here that received a different one highlighting that all their details have been exposed?
 

[o_e_l_e_o]

There is no requirement to give a real name, address, phone number, email, or any other personal information when buying from Ledger. You can give them any credentials you like and ship it to a PO Box or drop off location and pay in anonymized bitcoin. I would suggest doing this for all sensitive purchases to protect you privacy.

As outlined by their Privacy Policy (https://shop.ledger.com/pages/privacy-policy), you can request that they remove/erase the data they hold on you. This is probably easier if you are a EU Citizen and under GDPR. You should consider doing this for any merchant or service that have no need to continue to hold your information, including any old exchange or web wallet accounts.

I suggested this after the last suspected data breach a few months ago. If you haven't done it yet, do it now. It's not a matter of if there's another data breach - it's only a matter of when. Start deleting your data from anywhere and everywhere you can.

Worth noting that both Ledger and Trezor allow you to request that they erase any details they hold about you from their databases. Although obviously too late for this hack (if it turns out to be true), it would still be worthwhile erasing your details from their databases.

You have the right to request access to your Personal Data, their rectification or erasure, as well as the right to request the restriction of the processing or to object to the processing.

Under Article 15 to 21 of the GDPR, you have the following rights that you are entitled to apply to the collector:

• Right of access,
• Right to rectification,
• Right to erasure,
• Right to restriction of processing,
• Right to object.

A reminder to always be very careful about giving out your personal details to anyone, even companies which are as well known as Ledger and Trezor.

According to this reddit post, here is the text of the email sent to individuals who have had more than their email addresses leaked:

Dear client,

On the 14th of July 2020, a computer researcher that participated in our bug bounty program notified us of a potential data breach on the Ledger website. We immediately fixed the breach after receiving the researcher’s report and undertook an internal and external investigation of the situation. While conducting the investigation, we discovered an unauthorized third party had gained access to customer information.

While the majority of the data breach concerned email addresses, we regret to inform you that you are part of the approximately 9500 customers whose detailed personal information were accessed by the unauthorized third party. Specifically, your name and surname were exposed.

This data breach is not linked to our hardware wallets’ security and your cryptocurrency funds are safe. Due to our detailed security measures, attackers cannot steal your sensitive information like your recovery phrase and private keys. You are the only one in control and able to access this information.

We deeply apologize for this security breach and are working with law enforcement to undergo an investigation

Pascal Gauthier, Ledger CEO

[Lucius]

Does that mean you're not affected if you only got 1 email? Ledger's statement is a bit confusing.

I think everyone who has ever bought something on ledger.com or is in any way subscribe to that site is get security notice - this is written at the bottom of the received e-mail. Therefore, for most there is no real danger - especially if the e-mail you used cannot be linked to your identity in any way.

It says the Ledger Live isn't affected. You're right that Ledger Live does require the addresses being sent to the server and that is indeed quite worrying. I would have expected them to at the very least utilize bloom filters to try to protect their privacy. I don't have the time to review their code right now so I can't really see how the information is exchanged.

Hopefully, people are using third party software like Electrum instead of their own Ledger Live.

It would be really stupid if Ledger used the same data servers that were hacked for Ledger Live users - I think it should be separate from each other. That severs (for connecting Leger Live) really record our addresses and transactions (same as Electrum servers do), but Ledger say they not log our IP address.

Earlier, the question was asked that each Ledger device might have a unique digital fingerprint that could link the owner's addresses and transactions to the data used in the purchase - but Ledger says such a thing is not possible.

greweb
Ledger Live Lead Developer
this is not the identifier of your Nano S but related to the firmware update process. There is actually no way to identify a given Nano S, there is no serial number, 2 nano S with the same seed are identical from technical perspective

[dkbit98]

Take note that they CloudFlare, which also prevent Tor users from using Ledger Live (according to reddit discussion about a year ago).

I guess we can use vpn without any issues, but that Legder Live software is buggy beta product for experimenting with shitcoins and staking.
People use Electrum, I know.

[o_e_l_e_o]

Therefore, for most there is no real danger - especially if the e-mail you used cannot be linked to your identity in any way.

Most people use the same email for everything, and many people fall for phishing scams. If this email list is sold, then the addresses on it are going to be bombarded with a variety of official looking scam emails. Some people will undoubtedly lose their coins due to this.

but Ledger say they not log our IP address.

They also say that they "implement appropriate physical, electronic and organizational procedures to safeguard and secure personal data", which is obviously not the case. You should work under the assumption Ledger Live is logging your IP address for your own safety.

Take note that they CloudFlare, which also prevent Tor users from using Ledger Live (according to reddit discussion about a year ago).

Still the case. No reason they couldn't configure CloudFlare or run a .onion mirror, but they have never shown any interest in doing so unfortunately.

[Lucius]

Most people use the same email for everything, and many people fall for phishing scams. If this email list is sold, then the addresses on it are going to be bombarded with a variety of official looking scam emails. Some people will undoubtedly lose their coins due to this.

This cannot be disputed, some people unfortunately think that it is possible to have only one e-mail, which is of course a big misconception. I also have no doubt that some Ledger users will fall victim to a scam despite all the warnings, but now the only thing left is to repair the damage as much as possible.

They also say that they "implement appropriate physical, electronic and organizational procedures to safeguard and secure personal data", which is obviously not the case. You should work under the assumption Ledger Live is logging your IP address for your own safety.

It is wisest to re-examine everything that is served to us as the truth, and assume that it is just the opposite. Such omissions actually reveal that something is not as it is trying to present to the public - this should not have happened to a company that deals with something so security sensitive as cryptocurrencies.


Does anyone know the legal possibilities of those whose complete data has been stolen in case something bad happens to them? Is there a legal basis for a claim for damages, or perhaps on some other basis?

[HCP]

Does anyone know the legal possibilities of those whose complete data has been stolen in case something bad happens to them? Is there a legal basis for a claim for damages, or perhaps on some other basis?

Without having actually looked... I'd be very surprised if there wasn't the standard "We are not liable for any losses incurred by using our website, devices, systems etc" disclaimer buried in their Terms of Service somewhere.


Indeed... (after I actually went and looked it up) from the website Terms of Use:

...
Crypto assets are volatile. You should be fully aware of the level of risk involved before engaging in crypto-related activities. Any loss of data, crypto assets or profit is your sole responsibility.
...

And then the Ledger Live Terms of Use:

Limitation of liability
YOU EXPRESSLY UNDERSTAND AND AGREE THAT LEDGER AND ITS DIRECTORS AND EMPLOYEES SHALL NOT BE LIABLE TO YOU FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL OR EXEMPLARY DAMAGES, INCLUDING, BUT NOT LIMITED TO, DAMAGES FOR LOSS OF PROFITS, GOODWILL, USE, DATA, COST OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, OR OTHER INTANGIBLE LOSSES, RESULTING FROM: (I) THE USE OR INABILITY TO USE THE SERVICES (II) ANY CHANGES MADE TO THE SERVICE OR ANY SUSPENSION OR CESSATION OF THE SERVICES OR ANY PART THEREOF; (III) THE UNAUTHORIZED ACCESS TO OR ALTERATION OF YOUR TRANSMISSIONS OR DATA; (IV) THE DELETION OF, CORRUPTION OF, OR FAILURE TO STORE AND/OR SEND OR RECEIVE YOUR TRANSMISSIONS OR DATA ON OR THROUGH THE SERVICE; AND (V) ANY OTHER MATTER RELATING TO THE SERVICE.

THE ABOVE LIMITATIONS DO NOT APPLY IN RESPECT OF LOSS RESULTING FROM (A) LEDGER’S FRAUD, WILFUL MISCONDUCT OR GROSS NEGLIGENCE, WILFUL MISCONDUCT OR FRAUD; OR (B) DEATH OR PERSONAL INJURY.

And then the Sales Terms:

ARTICLE 8 – LEDGER’S LIABILITY
TO THE FULLEST EXTENT PERMITTED BY LAW, LEDGER DISCLAIMS ANY AND ALL LIABILITY FOR LOSS OF PROFITS, INCOME, VALUE OR DATA, OR INDIRECT, SPECIAL, CONSEQUENTIAL, EXEMPLARY OR PUNITIVE DAMAGES.

YOU ARE SOLELY RESPONSIBLE FOR THE COMPLIANCE WITH THE TERMS OF USE AND THE INSTRUCTIONS PROVIDED IN THE USER MANUALS.

TO THE FULLEST EXTENT PERMITTED BY LAW, LEDGER’S TOTAL LIABILITY FOR ANY CLAIM ARISING FROM THESE TC’s, INCLUDING ANY IMPLIED WARRANTIES, IS LIMITED TO THE AMOUNT YOU PAID TO PURCHASE THE PRODUCT.
....

Basically, they refuse to accept any liability for anything... but that's fairly standard "boilerplate" stuff for pretty much any company

Although, the "Gross negligence" part could possibly be argued, but that depends on the exact details of the flaw/breach that led to the data being leaked and whether it could be considered gross negligence I guess...