Ledger 1 Mln Users Data Under Attack

[bitcoinst]

Ledger Hardware Crypto Wallet Team Disclosed Data Breach, 1 Mln Users' Data Under Attack

July 29, 2020, the team behind the Ledger products revealed that a critical vulnerability had been disclosed two weeks ago in the Ledger e-commerce database.
It has mostly affected the email addresses of Ledger purchasers, but it has also affected some personal information.

As announced by the Ledger team in their recent official statement, a participant in the Ledger bounty program contacted them on July 14 with information about a security breach.
It was immediately fixed, but then the experts disclosed that the system had been further exploited on June 25.

A third-party attacker accessed the segments of e-commerce and promotional databases holding the email addresses of customers.
Additionally, 9,500 users were exposed to a leak of order details: name, street address, phone number and the details of what they ordered.

During the investigation, Ledger's officers found out that the malefactor abused the API key. This API key was immediately deactivated and is no longer accessible.



https://cryptocomes.com/news/ledger-hardware-crypto-wallet-team-disclosed-data-breach-1-mln-users-data-under-attack

[1715178945]

1715178945

[1715178945]

1715178945

[1715178945]

1715178945

[1715178945]

1715178945

[1715178945]

1715178945

[wxa7115]

This is without a doubt very troubling information, even if they are assuring their customers their funds are safe and I think they are right, several attack vectors are now opened, first of all 9500 people are going to at least be exposed as holders of cryptocurrencies and their identities could be stolen and sold on the black market, I wonder why ledger does not delete personal information from their servers after a few weeks or months to limit the scope of a possible data breach like this one.

The second issue is that we are bound to see a bunch of phishing attacks against ledger customers asking for their private keys or their seed words and unfortunately many will fall for it losing a fortune in the process.

And finally the reputation and the sales of ledger will suffer, anyone on the fence thinking about whether they will get a ledger or a trezor will probably prefer to pick a trezor until things calm down.

[hatshepsut93]

People have been saying "just buy a hardware wallet" for a long time, but it has always been less than a perfect solution, because some centralization and trust has always been involved, and now it was abused. Now potential burglars and kidnappers have a list of people who own some bitcoins, and something like this will never happen with a software wallet, because it doesn't ask you for your personal information during installation.

IMO and old PC with live OS like Tails is the best cold storage you can get.

[HardFacts]

Do not worry !!!   Your BitCoins are absolutely safe, nothing to see here     Yes, they know EXACTLY what the hackers got, and are being TOTALLY HONEST about it  

Everyone can sleep well and not worry, they will take good care of you !!!

Hard Facts

[desticy]

Do not worry !!!   Your BitCoins are absolutely safe, nothing to see here     Yes, they know EXACTLY what the hackers got, and are being TOTALLY HONEST about it  

Everyone can sleep well and not worry, they will take good care of you !!!

Hard Facts

Is it just me or did you say Ledger is centralised? Do you think anyone would use Ledger wallet if the data of private keys and user access keys were stored on their servers?
Hardware wallets store private keys internally, which eliminates the possibility of users' private keys leaking into the network.

The point is that only you own the keys to your wallet, which means that all that hackers can get is your geo data (if you entered it) and your email.
Those whose data has leaked now should be wary of phishing emails.

[20kevin20]

People have been saying "just buy a hardware wallet" for a long time, but it has always been less than a perfect solution, because some centralization and trust has always been involved, and now it was abused. Now potential burglars and kidnappers have a list of people who own some bitcoins, and something like this will never happen with a software wallet, because it doesn't ask you for your personal information during installation.

IMO and old PC with live OS like Tails is the best cold storage you can get.

I highly doubt all these people have a lot of money stored on their Ledger. As a burglar, choosing someone off this list could be a very big hit or, more likely, a very big miss.

I mean, you could get a Legder from authorized resellers without having to fill any personal detail. This is still an option. The customer leak could happen to any other shop just as easily. There can't really be online shops without trust and centralization.

[Mpamaegbu]

From all indications what this hack has proved is that no system made by man is fool proof. If man makes it, man can also break it. Before now a lot of people were up defending Ledger as the best hardware crypto wallet and the best thing to have happened to man after the discovery of bread and butter. Now we know that ledger is also vulnerable. However, I sincerely hope its customers are safe with all the leaked addresses and emails. At least, they don't have to be looking at their shoulders to check who is trailing them or not.

[bolawin]

if your email is leaked, expected to see alot of spam investment offer on your inbox 

[aundroid]

If you haven't received another mail until 5 pm CET today, at least you don't belong to the 9500 customers whose personal informations have been leaked.
This was announced by the official Ledger Twitter account today.

source

There is now also a FAQ section on the website: https://support.ledger.com/hc/en-us/articles/360015559320?s=09

[Bitstarzisascam]

Now we're going to hear news that people getting robbed and threatened to hand their ledger and the keys. 

[LogitechMouse]

~

So you are saying that whenever you use a hardware wallet, your Bitcoins are now being put in a centralized entity like the Ledger owner??

The fact that you have your own keys is a proof that what you are saying is nothing close to the topic being shared here. Its just the personal information that is being leaked and nothing related to the holdings of investors, private keys etc.

The only problem with this is when these hackers will send some phishing links to different emails then that is the time when they will be hacked if they fall to these traps.

[bbc.reporter]

if your email is leaked, expected to see alot of spam investment offer on your inbox 

Also, assume that your name, phone no. and postal address information to be somewhere in the darknet together with 999,999 other names and other information hehehe.

The hackers should create a darknet public contacts list similar to a phonebook hehe.

[pixie85]

Now we're going to hear news that people getting robbed and threatened to hand their ledger and the keys. 

You think that someone will break into your house and attack you because they know you bought a ledger? Most of ledger users have more valuable stuff in their houses than on their wallets. How are you going to know if:

The buyer bought it for themselves and not to give away or sell?
The buyer holds a lot of coins?

You could end up breaking into someone's home and risking getting shot or stabbed to learn that they sold it, gave it to a friend or have just $1000 or something like that in cryptocurrencies. The wedding rings most people have on their fingers all the time can be worth more than that.

I have a ledger and it wasn't bought on their site so I don't care.

[philipma1957]

Now we're going to hear news that people getting robbed and threatened to hand their ledger and the keys.  

You think that someone will break into your house and attack you because they know you bought a ledger? Most of ledger users have more valuable stuff in their houses than on their wallets. How are you going to know if:

The buyer bought it for themselves and not to give away or sell?
The buyer holds a lot of coins?

You could end up breaking into someone's home and risking getting shot or stabbed to learn that they sold it, gave it to a friend or have just $1000 or something like that in cryptocurrencies. The wedding rings most people have on their fingers all the time can be worth more than that.

I have a ledger and it wasn't bought on their site so I don't care.

You make a very good point here which is being missed by most posters.

To bring up a similar case of compromised email. Bitmain was hacked and thousands of customers emails home addresses and gear purchased was leaked.

I purchased 100 plus pieces of bitmain gear. Does that hack mean many people will come to my home?
Not likely.   But if I owned a ledger I would not have all my coins on it any more.

[OcTradism]

Is it official news on data breach and I don't know the severity of the breach. It need more time to confirm how serious it is but what I see from the news. 1 mil. users is the number is reported but we don't know the real one, how big it is.

The only one thing I see and learn from it is "Not your keys, not your bitcoin".

What to do next, from now if you care about your funds and such same breach in the future (not only on Ledger but also on any other exchanges or platforms)?
- Avoid KYC as much as possible: Why KYC is extremely dangerous – and useless
- Try to use good non-custodial wallets as Electrum because you will have full control of your private keys, wallets and funds. Be your own bank this way.

[Wexnident]

If you haven't received another mail until 5 pm CET today, at least you don't belong to the 9500 customers whose personal informations have been leaked.
This was announced by the official Ledger Twitter account today.

source

There is now also a FAQ section on the website: https://support.ledger.com/hc/en-us/articles/360015559320?s=09

The announcement is nice and all but hmm, wouldn't some people take advantage of this and send spam mail? I mean, IF just if they were able to access a duplicate copy of the email and send them towards the affected, they could potentially dupe them into clicking their scam site or something. That is, providing they don't really read the email carefully and notice that the emailw as a fake ledger email. Though chances are small, there's still a chance.

~

Such information would rather be used on scamming people imo. Looking up their identity, creating fake accounts, setting up the scheme and etc. would be the action hackers would've done instead of robbing houses. Hackers are hackers for a reason, they fight on the internet, not in the real world. And besides, I don't think I've heard of robbing that required so many details. Just the fact that you needed to ask the person his ledger key is enough of a reason to doubt whether you should even do it since it's a huge risk, compared to a normal robbery where you just take as much money or jewels in the house as possible.

[crwth]

I have received an email with regards to that, so I'm quite thankful, in a way, to know that they are handling it carefully and letting people know the current situation. Because of the fact that many people need to give an address and name to get your device, it's inevitable, and it is all because of the security and bugs in the system. At least they are doing bug bounty programs for improvement and found that bug.

You can't get the ease of use when having a hardware wallet compared to creating an air-gapped laptop and opening it continuously just to transact.

[ranochigo]

The announcement is nice and all but hmm, wouldn't some people take advantage of this and send spam mail? I mean, IF just if they were able to access a duplicate copy of the email and send them towards the affected, they could potentially dupe them into clicking their scam site or something. That is, providing they don't really read the email carefully and notice that the emailw as a fake ledger email. Though chances are small, there's still a chance.

That's specifically what the leaked information would be used for. Given the sensitive information being leaked, attackers could potentially use the information to craft a more personalised phishing emails for the victims. Even if it isn't, the sensitive information could also be used in SE attacks against companies.

Fortunately, the data breach is not that severe, only impacting their merchant information. At the same time, I don't think its necessary for Ledger (or any other hardware wallet manufacturer) to keep sensitive information of their customers for long periods of times. I would have expected information to be scrubbed regularly.

[squatter]

Does anyone have some information on what the more detailed email contains for one of the 9,500 that have been affected? I assume it is something along the lines of your personal data was one of the few taken, blah blah blah, investigators are on the case, etc etc.

I found this on Reddit:

Security Notice - Your detailed personal information has been exposed

Dear client,

On the 14th of July 2020, a computer researcher that participated in our bug bounty program notified us of a potential data breach on the Ledger website. We immediately fixed the breach after receiving the researcher’s report and undertook an internal and external investigation of the situation. While conducting the investigation, we discovered an unauthorized third party had gained access to customer information.

While the majority of the data breach concerned email addresses, we regret to inform you that you are part of the approximately 9500 customers whose detailed personal information were accessed by the unauthorized third party. Specifically, your name and surname were exposed.

This data breach is not linked to our hardware wallets’ security and your cryptocurrency funds are safe. Due to our detailed security measures, attackers cannot steal your sensitive information like your recovery phrase and private keys. You are the only one in control and able to access this information.

We deeply apologize for this security breach and are working with law enforcement to undergo an investigation

Pascal Gauthier, Ledger CEO

The person who received this email only had their name leaked. I assume others will have received emails stating that their phone numbers or home addresses were compromised too.

[UserU]

if your email is leaked, expected to see alot of spam investment offer on your inbox  

In times like these, I wouldn't mind multiplying my Bitcoin with the likes of Elon Musk

[Kakmakr]

Do not worry !!!   Your BitCoins are absolutely safe, nothing to see here     Yes, they know EXACTLY what the hackers got, and are being TOTALLY HONEST about it  

Everyone can sleep well and not worry, they will take good care of you !!!

Hard Facts

Wrong, so so wrong.

When information like your email address and also your physical address are compromised, you are vulnerable to several kinds of attacks. Let me give you some examples:

1. Phishing attacks : Now that these people have these email addresses, they know who owns Ledger hardware wallets and they can customize specific attacks just for that individual. It will look very legit, because only the company would have known your personal data.

2. You are also vulnerable to physical attacks, because these people know your physical address and they might come to visit you, if they live in the same country.

This is much bigger than what Ledger is making it out to be, luckily for me I never store any coins at my physical address.. so they will not find anything at my home address. 

[Wind_FURY]

I believe we can also have a different, a more positive perspective from the hack. There are 1 MILLION BITCOIN USERS/HODLERs with Ledger wallets. MORE with other wallets. That's bullish.

[witcher_sense]

I am requesting a complete guide on how to buy hardware wallets in most possible secure way. For example, it could include the information regarding how to properly register on website, recieve wallets, how to pay for them without exposing your real identity to undesirable third parties. Should we use temp email addresses and temp credentials for that? How to recieve packages anonymously? What is the best way to do that? Should we use properly mixed coins for buying hardware wallets? Please note, the only goal of all of that is to preserve our privacy, safety, financial sovereignty, it should not be used to facilitate any illegal activities.

Does anyone have some information on what the more detailed email contains for one of the 9,500 that have been affected? I assume it is something along the lines of your personal data was one of the few taken, blah blah blah, investigators are on the case, etc etc.

There is no information on whether the 9.500 customers that have had their personal data breached, have or have not been explicitly notified of this fact.

They specified this on Twitter:

If you are part of the approximately 9500 customers whose detailed personal information - name surname, postal address or phone number - were accessed by the unauthorized third party you have been notified 30 minutes ago.

I guess you can breathe easy if you haven't received an email specifying that you were part of the smaller breach.

[cryptomaniac_xxx]

And Trezor trolling, LOL,



https://twitter.com/Trezor/status/1288463431750885383

[Zackgeno96]

Ledger Hardware Crypto Wallet Team Disclosed Data Breach, 1 Mln Users' Data Under Attack
A third-party attacker accessed the segments of e-commerce and promotional databases holding the email addresses of customers.
Additionally, 9,500 users were exposed to a leak of order details: name, street address, phone number and the details of what they ordered.

Now a lot of customers will be getting spam in their inboxes about new updates of the wallet along with the links to download those updates. I have seen this a lot of times when the spammers use these data breaches to send the spam mails and the ignorant users fall in these traps pretty easily.

Should we use temp email addresses and temp credentials for that? How to recieve packages anonymously? What is the best way to do that? Should we use properly mixed coins for buying hardware wallets? Please note, the only goal of all of that is to preserve our privacy, safety, financial sovereignty, it should not be used to facilitate any illegal activities.

Temporary mails aren't necessary, you can create a separate email for this purpose only. You can have those packages dropshipped and then that service can send you the package after receiving it.
I prefer to send my bitcoins to an exchange which doesn't require any KYC and then let them stay there for a week or two before ordering anything and then send those coins to a new wallet while using proxies or a VPN and then send the bitcoins for ordering what I was about to order. By doing this I satisfy my paranoid nature of leaking any information online.

[carlisle1]

Ledger Hardware Crypto Wallet Team Disclosed Data Breach, 1 Mln Users' Data Under Attack




https://cryptocomes.com/news/ledger-hardware-crypto-wallet-team-disclosed-data-breach-1-mln-users-data-under-attack

Good that ledgers action is faster than what their clients need.
imagine  the safest  wallet  in  the  world is under  attack?this is much stupid action from this hackers.

I believe we can also have a different, a more positive perspective from the hack. There are 1 MILLION BITCOIN USERS/HODLERs with Ledger wallets. MORE with other wallets. That's bullish.

and this is only proving that everything in crypto is a target.but i'm sure this will never happen again and  with 1 minute breach they can do anything  under the sun.

if your email is leaked, expected to see alot of spam investment offer on your inbox 

In times like these, I wouldn't mind multiplying my Bitcoin with the likes of Elon Musk

And  seeing the advertisement in youTube from time to time?lol

[LeGaulois]

...At the same time, I don't think its necessary for Ledger (or any other hardware wallet manufacturer) to keep sensitive information of their customers for long periods of times. I would have expected information to be scrubbed regularly.

I can think of a couple of reasons, the company's accounting since it is supposed to record everything (payment details,date, and so on). And in France companies must conserve such information for a 10-year period.

But also simply to be able to provide assistance to the customer. I mean for example if you have to be reimbursed for your wallet (for x reason), they have to keep a trace of your order (including your name, method of payment or other).

Otherwise how else could they be sure that you actually bought it on their store and not on Amazon for exemple.

[bitcoinst]

That's specifically what the leaked information would be used for. Given the sensitive information being leaked, attackers could potentially use the information to craft a more personalised phishing emails for the victims. Even if it isn't, the sensitive information could also be used in SE attacks against companies.

Phishing is phishing, whether targeted or spontaneous.
You can fall for phishing only through your own fault, no matter how clever it is. We have all the tools to check any link or any information that comes to your email.

Fortunately, the data breach is not that severe, only impacting their merchant information. At the same time, I don't think its necessary for Ledger (or any other hardware wallet manufacturer) to keep sensitive information of their customers for long periods of times. I would have expected information to be scrubbed regularly.

Logically yes, but in practice we don't know what Ledger does with our data. Some of the employees may sell the database, or the company's shadow policy itself may correspond to this.
We cannot know this, so it is useful to assume such things. Too many companies sell their customer data to others.

[Lucius]

And Trezor trolling, LOL,



https://twitter.com/Trezor/status/1288463431750885383

There is a saying that it is not nice to look forward to someone else's misfortune, because sooner or later the same thing (or something worse) can happen to you. But those who follow the relationship between the two companies know that business competition has long since become more than that. In any case, a good marketing move.

I believe we can also have a different, a more positive perspective from the hack. There are 1 MILLION BITCOIN USERS/HODLERs with Ledger wallets. MORE with other wallets. That's bullish.

We've known this before, according to the Ledger website 1 500 000 Ledger wallets already sold, but given the several different devices the company has produced, some have bought more than one - so the number of unique users is probably less than 1 million (regardless of the 1 million email addresses that were stolen).

[wxa7115]

People have been saying "just buy a hardware wallet" for a long time, but it has always been less than a perfect solution, because some centralization and trust has always been involved, and now it was abused. Now potential burglars and kidnappers have a list of people who own some bitcoins, and something like this will never happen with a software wallet, because it doesn't ask you for your personal information during installation.

IMO and old PC with live OS like Tails is the best cold storage you can get.

The safest option is by far a paper wallet, if you have a clean OS that is never connected to the Internet and a dumb printer then you could print your wallets with no issue, the problem is that they are very impractical for daily use but you could always have a wallet with some funds for your daily expenses.

Hardware wallets were supposed to be the best of both worlds, a device that was completely secure and that you could use whenever you want, but now that we have found out that ledger does keep the information of their clients for who knows how long that certainly weakens the security aspect of it and you are probably better off with a paper wallet until ledger and other hardware wallet providers change their policies regarding their data retention practices.

[hatshepsut93]

The safest option is by far a paper wallet, if you have a clean OS that is never connected to the Internet and a dumb printer then you could print your wallets with no issue, the problem is that they are very impractical for daily use but you could always have a wallet with some funds for your daily expenses.

Hardware wallets were supposed to be the best of both worlds, a device that was completely secure and that you could use whenever you want, but now that we have found out that ledger does keep the information of their clients for who knows how long that certainly weakens the security aspect of it and you are probably better off with a paper wallet until ledger and other hardware wallet providers change their policies regarding their data retention practices.

I think the phrase "paper wallet" is very misleading, because paper is just a method of storing the private key. You can't use paper to send Bitcoin or create a new address. You'll always end up using a software or hardware wallet to use the coins stored on paper. So, there's really only 2 kinds of wallets - software and hardware. "Paper wallets" can be created with both kinds.

"Paper wallets" also have some downsides, especially for newbies - a lot of them are offered via websites, and websites can't be audited as well as open source software from a repository. This is why one of the sites that offers paper wallet creation is malicious and steals users funds, but it was hard to prove.

[The Cryptovator]

I have noticed this story from the email notification yesterday. It was quite surprising to me from such as a reputed crypto wallet company. Because crypto users use the Ledger wallet to keep their fund safe and protect their privacy as well. So if they can't keep safe user's privacy then it's really regrettable for us. But the good thing is they disclosed the issue in front of their users instead of hiding or misled. So the user could determine what they should do like change credential. But not expected it from Ledger.

[pixie85]

You make a very good point here which is being missed by most posters.

To bring up a similar case of compromised email. Bitmain was hacked and thousands of customers emails home addresses and gear purchased was leaked.

I purchased 100 plus pieces of bitmain gear. Does that hack mean many people will come to my home?
Not likely.   But if I owned a ledger I would not have all my coins on it any more.

Of course nobody is going to come after you because they wouldn't know where to look. You could be a retailer or a middle man for some mining farm owner. Most likely the gear wouldn't even be at your house, same as Bitcoins. Even if they had all the dates of purchase, in this business 6 months is a lot of time.

Thinking like that would make every celebrity or a successful CEO live in a bunker and have bodyguards patrolling the garden 24/7. All rich people would have to live like one of those cocaine bosses from South America.

I don't have all my coins on my Ledger, but I feel pretty safe knowing that the private keys are unaccessible. Probably the weakest point is the software from Ledger that you install on your PC to access the wallet.

[kawetsriyanto]

Ledger Hardware Crypto Wallet Team Disclosed Data Breach, 1 Mln Users' Data Under Attack

Even Ledger, which is considered very safe, still has a gap to hack. of course they are not ordinary hackers but really professional so they want to test their skills. grateful if the Ledger quickly gets the information and immediately handle it. But it does not rule out the possibility that hackers will return with a more violent attack. therefore, in this case, Ledge has certainly learned from previous difficulties. And they will be even more active in covering the security of their hardware.

[UserU]

And  seeing the advertisement in youTube from time to time?lol

You mean those giveaway videos? I hardly come across those, but there are some ads with a self-claimed "marketing guru" who keeps telling the viewers to stop watching YouTube videos and start making money on the Internet. That one is annoying as hell.

[bbc.reporter]

Now we're going to hear news that people getting robbed and threatened to hand their ledger and the keys.  

You think that someone will break into your house and attack you because they know you bought a ledger? Most of ledger users have more valuable stuff in their houses than on their wallets. How are you going to know if:

The buyer bought it for themselves and not to give away or sell?
The buyer holds a lot of coins?

You could end up breaking into someone's home and risking getting shot or stabbed to learn that they sold it, gave it to a friend or have just $1000 or something like that in cryptocurrencies. The wedding rings most people have on their fingers all the time can be worth more than that.

I have a ledger and it wasn't bought on their site so I don't care.

You make a very good point here which is being missed by most posters.

To bring up a similar case of compromised email. Bitmain was hacked and thousands of customers emails home addresses and gear purchased was leaked.

I purchased 100 plus pieces of bitmain gear. Does that hack mean many people will come to my home?
Not likely.   But if I owned a ledger I would not have all my coins on it any more.

There is also another form of an old, public information source where criminals can take your name, address and phone no. and it is readily available.



This is a telephone directory. It never caused anyone to break into houses hehehe.

[Yaunfitda]

I remember @mk4 post here, Ledger(and Trezor) hardware wallet owners: heads up | EDIT: (debunked). And as per update, they say that they are not hacked and that this rumour is not true. But I think this is the the same breach reported in May. Not very good for Ledger image here, sad to say. They should have admit it right away and not they are looking very shady because of this move.

[mace15]

I have noticed this story from the email notification yesterday. It was quite surprising to me from such as a reputed crypto wallet company. Because crypto users use the Ledger wallet to keep their fund safe and protect their privacy as well. So if they can't keep safe user's privacy then it's really regrettable for us. But the good thing is they disclosed the issue in front of their users instead of hiding or misled. So the user could determine what they should do like change credential. But not expected it from Ledger.

I have also received an email the other day that they are having trouble about ledger wallet that data is under attack. This is the first time I have also heard that a reputable wallet experience this kind of problem. Though I’m also using this wallet for long and I haven't encountered any problem during these times of storing my crypto asset in this wallet. So let's always watch out the news from ledger as this has also many users will be affected.

[Wind_FURY]

And Trezor trolling, LOL,



https://twitter.com/Trezor/status/1288463431750885383

Hahaha! Or another good security practice could also be, to back up e-shop database to an offline database, then purge their e-shop database after less than 90 days.

[erikoy]

This is very bad to all expose users data. It can be use in criminal activities of the scammers. There are many of this kind of activity especially in social media like facebook copying details of others and then use it for scamming.

This breach likely has its purpose and there is so many wa it can be use. Hopefully that it can't affect innocent users on their criminal activities or even scamming the user through block mailing and other forms. And also that the responsible for hacking will get caught.

[Yey09]

Sometimes cold wallets could be even dangerous than software ones

[cryptomaniac_xxx]

And Trezor trolling, LOL,
[]

There is a saying that it is not nice to look forward to someone else's misfortune, because sooner or later the same thing (or something worse) can happen to you. But those who follow the relationship between the two companies know that business competition has long since become more than that. In any case, a good marketing move.

Yes, a good marketing and PR move from Trezor. Their competition really goes down deep, and it's pretty obvious that they are aiming at it.

Hahaha! Or another good security practice could also be, to back up e-shop database to an offline database, then purge their e-shop database after less than 90 days.

I think this kind of incident really open up another security practice that they need to change on their end.

[Debonaire217]

I have received an email regarding this, but they already confirmed that my funds are safe. I'm not sure what percentage of assurance they are pertaining to. But I somehow believe that what happened is focused on breach in their marketing and ecommerce database. I didn't use my ledger to buy anything online, so probably, this will not impact me too bad.

Good action for ledger to always update users and fix the issue right away before it cost huge damage. They also advise to visit Ledger Academy security to further increase our knowledge on how to secure our nanos.

[Lucius]

There is also another form of an old, public information source where criminals can take your name, address and phone no. and it is readily available.
This is a telephone directory. It never caused anyone to break into houses hehehe.

This is not a good comparison, the phone book can contain the name, surname and address and of course the phone number - but it will certainly not contain information that someone is a crypto user or that person has bought a hardware wallet. But the very title of this topic is very wrong, because the attack is long over, the data has been stolen and the damage has been done. Those whose names and physical addresses are compromised in this hack are definitely a cause for concern - of course if the data falls into the wrong hands - others can only fear spam in their email box.

[MCobian]

There is no need to panic too much about the Ledger users data under attack incident, because indeed all human creation does have weaknesses
and nothing is perfect. Make this incident a lesson, so it does not happen again. Even so I will not stop using Ledger as a Bitcoin and Altcoins
storage wallet that I have, because for me Ledger is still the best crypto wallet.

[travwill]

There is also another form of an old, public information source where criminals can take your name, address and phone no. and it is readily available.
This is a telephone directory. It never caused anyone to break into houses hehehe.

This is not a good comparison, the phone book can contain the name, surname and address and of course the phone number - but it will certainly not contain information that someone is a crypto user or that person has bought a hardware wallet. But the very title of this topic is very wrong, because the attack is long over, the data has been stolen and the damage has been done. Those whose names and physical addresses are compromised in this hack are definitely a cause for concern - of course if the data falls into the wrong hands - others can only fear spam in their email box.

I agree that the comparison is incorrect. The phone book is somewhat anonymous, because you need to know something about a person in order to find him and know what he possesses.
For example, you can find media personalities, but they are not difficult to find anyway. The rest of the people will be dark horses for you.
This is the same as breaking into every house in the hope of finding something very valuable.

[thesmallgod]

People have been saying "just buy a hardware wallet" for a long time, but it has always been less than a perfect solution, because some centralization and trust has always been involved, and now it was abused. Now potential burglars and kidnappers have a list of people who own some bitcoins, and something like this will never happen with a software wallet, because it doesn't ask you for your personal information during installation.

IMO and old PC with live OS like Tails is the best cold storage you can get.

people say that because it is safer than many other alternatives. private keys of their customers have not stored on their e-commerce wallet just detail information of the customers which I do not see how the hacker with such information can hack into such customers' hardware wallets except contact tracing and direct robbery.
Those that ordered for the hardware wallets will be subject of many spams and phishing emails from the hackers just to see if they can steal some bitcoin from them

[travwill]

There is no need to panic too much about the Ledger users data under attack incident, because indeed all human creation does have weaknesses
and nothing is perfect. Make this incident a lesson, so it does not happen again. Even so I will not stop using Ledger as a Bitcoin and Altcoins
storage wallet that I have, because for me Ledger is still the best crypto wallet.

I do not think that we can somehow influence the further occurrence of such incidents. Unless we all join the Ledger bounty program to find bugs and vulnerabilities.
In fact, nothing serious happened. It's unpleasant that someone will know your address and the fact that you have cryptocurrency.
I guess Ledger could make some compensation to those people whose data was leaked. There are not so many of them that the company would incur losses.

[Ucy]

People have been saying "just buy a hardware wallet" for a long time, but it has always been less than a perfect solution, because some centralization and trust has always been involved, and now it was abused. Now potential burglars and kidnappers have a list of people who own some bitcoins, and something like this will never happen with a software wallet, because it doesn't ask you for your personal information during installation.

IMO and old PC with live OS like Tails is the best cold storage you can get.

What do you think about using very secure old mobile phones that can easily be updated with special/custom operating system designed specifically for storing important private data of crypto-based assets? I guess you'll have to somehow restrict internet usage on such devices ...or maybe make them automatically super-secure before connecting to the internet?

[20kevin20]

What do you think about using very secure old mobile phones that can easily be updated with special/custom operating system designed specifically for storing important private data of crypto-based assets? I guess you'll have to somehow restrict internet usage on such devices ...or maybe make them automatically super-secure before connecting to the internet?

You could get Replicant, GrapheneOS or deGoogled LineageOS on a compatible older phone and use use that as a hardware wallet for sure, with Orbot active. Restricting internet on smartphones is kinda harder though, as your phone could still receive and send data even if Airplane Mode is active (remember, it's just a graphical button, not a physical hardware disconnection). Now the "super-secure" part is quite difficult to accomplish. With every new software update, new vulnerabilities appear.

But hardware wallets help you avoid most of the possible mistakes you can make with such a phone and you are physically assured there is no external connection that could take place. To be honest, I barely trust even a brand new smartphone anymore since I have my HW. My personal preference is Tails OS in combination with a hardware wallet.

[posi]

There is no need to panic too much about the Ledger users data under attack incident, because indeed all human creation does have weaknesses
and nothing is perfect. Make this incident a lesson, so it does not happen again. Even so I will not stop using Ledger as a Bitcoin and Altcoins
storage wallet that I have, because for me Ledger is still the best crypto wallet.

Concern the incident, I don't see any reason to be panic because the attack was not about Ledger wallet but their online store user information. However, the news need to spread so that all their customers would be more careful cause sooner or later the attackers will use the information they stole to attack ledger customers.

[squatter]

The safest option is by far a paper wallet, if you have a clean OS that is never connected to the Internet and a dumb printer then you could print your wallets with no issue, the problem is that they are very impractical for daily use but you could always have a wallet with some funds for your daily expenses.

PSA: Not all paper wallets are created equally.

Securely generating and writing down a 12 or 24-word seed is a good way to do cold storage. Third party paper wallet software, printers, using raw private keys, etc. -- these are not.

Hardware wallets were supposed to be the best of both worlds, a device that was completely secure and that you could use whenever you want ...

I never thought that was a realistic way to characterize things. To me, hardware wallets always occupied a niche between desktop wallets and cold storage. They come with their own set of security trade-offs and risks. Hardware wallets are useful for new users who would otherwise get their bitcoins stolen, but I think most users who are serious about security are using general purpose hardware to secure their bitcoins -- at least for their long term cold storage.

[rexxarofmoknathal]

I guess that's the problem with these hardware wallet providers. They're so focused on keeping their hardware wallets and custody solutions safe, that they forget that hackers often target other types of data—including customer personal info.

I highly doubt any of it will be used to successfully scam anyone. After all, Ledger has just sent out an email explaining the situation. Though I wouldn't be surprised if the attacker tries to send out a phishing email under the guise of Ledger to scam victims. The fact they haven't done this already indicates they didn't intend to use the data for nefarious purposes.

[TrevorS]

I guess that's the problem with these hardware wallet providers. They're so focused on keeping their hardware wallets and custody solutions safe, that they forget that hackers often target other types of data—including customer personal info.

I highly doubt any of it will be used to successfully scam anyone. After all, Ledger has just sent out an email explaining the situation. Though I wouldn't be surprised if the attacker tries to send out a phishing email under the guise of Ledger to scam victims. The fact they haven't done this already indicates they didn't intend to use the data for nefarious purposes.

Hackers are not idiots. They perfectly understand that everyone is now expecting an attack. They can wait a year, two, three. And then carry out a planned attack on users whose data is leaked, or with their help to gain access to something else. Users must be prepared for everyone throughout their future lives. After all, knowing the necessary information, you can prepare a very sophisticated attack that even the most critical will believe in.

[hatshepsut93]

people say that because it is safer than many other alternatives. private keys of their customers have not stored on their e-commerce wallet just detail information of the customers which I do not see how the hacker with such information can hack into such customers' hardware wallets except contact tracing and direct robbery.
Those that ordered for the hardware wallets will be subject of many spams and phishing emails from the hackers just to see if they can steal some bitcoin from them

Yeah, hardware wallet is better than something like an online wallet, but like I said - it's not perfect. It's a tradeoff between some little bit of trust and ease of use with decent security. But making your own cold storage isn't hard, and most people should have access to some old PCs or laptops, everyone is doing upgrades every few years.

What do you think about using very secure old mobile phones that can easily be updated with special/custom operating system designed specifically for storing important private data of crypto-based assets? I guess you'll have to somehow restrict internet usage on such devices ...or maybe make them automatically super-secure before connecting to the internet?

I trust Tails or other Linux distributions more than "super secure mobile OSs". And Internet connection is a problem, you can never be sure if your phone is truly disconnected or not.

[bbc.reporter]

There is also another form of an old, public information source where criminals can take your name, address and phone no. and it is readily available.
This is a telephone directory. It never caused anyone to break into houses hehehe.

This is not a good comparison, the phone book can contain the name, surname and address and of course the phone number - but it will certainly not contain information that someone is a crypto user or that person has bought a hardware wallet. But the very title of this topic is very wrong, because the attack is long over, the data has been stolen and the damage has been done. Those whose names and physical addresses are compromised in this hack are definitely a cause for concern - of course if the data falls into the wrong hands - others can only fear spam in their email box.

I agree that the comparison is incorrect. The phone book is somewhat anonymous, because you need to know something about a person in order to find him and know what he possesses.
For example, you can find media personalities, but they are not difficult to find anyway. The rest of the people will be dark horses for you.
This is the same as breaking into every house in the hope of finding something very valuable.

However, the argument was that the public information available about everyone never prompted on someone breaking into a person's house similar to the hacked information from Ledger will not cause criminals breaking into those people's homes.

Is the telephone directory a danger to society?

[michellee]

I guess that's the problem with these hardware wallet providers. They're so focused on keeping their hardware wallets and custody solutions safe, that they forget that hackers often target other types of data—including customer personal info.

I highly doubt any of it will be used to successfully scam anyone. After all, Ledger has just sent out an email explaining the situation. Though I wouldn't be surprised if the attacker tries to send out a phishing email under the guise of Ledger to scam victims. The fact they haven't done this already indicates they didn't intend to use the data for nefarious purposes.

Hackers are not idiots. They perfectly understand that everyone is now expecting an attack. They can wait a year, two, three. And then carry out a planned attack on users whose data is leaked, or with their help to gain access to something else. Users must be prepared for everyone throughout their future lives. After all, knowing the necessary information, you can prepare a very sophisticated attack that even the most critical will believe in.

The hackers will find a way to penetrate the source to get inside, and they will try and not give up until they can get what they want. Maybe it will need days to find that way, but they will not stop it before they succeed in getting the data. The easy of the way will be by sending the phishing email to the victims, and if people are not careful to read the email, they will get scam easily. The hardware wallet providers need to upgrade or check their security because it's related to the customer data.

[Lucius]

However, the argument was that the public information available about everyone never prompted on someone breaking into a person's house similar to the hacked information from Ledger will not cause criminals breaking into those people's homes.

Is the telephone directory a danger to society?

You cannot compare publicly available data with the fact that someone stole data (name, surname, address, phone number) of 9500 people who are crypto users and who bought a hardware wallet. These people are indeed in potential danger of physical assault, but of course no one will just go and break into someone's house or apartment if there is no information that that person has a significant amount in crypto. Stolen data can be the basis for analysis and social engineering towards these users.

Criminals break into homes for much less value than finding out someone has 1+ BTC worth over $10k, and it's not clear to me that you can even draw parallels between the phone book and the data stolen from Ledger.

[AakZaki]

Do not worry !!!   Your BitCoins are absolutely safe, nothing to see here     Yes, they know EXACTLY what the hackers got, and are being TOTALLY HONEST about it  

Everyone can sleep well and not worry, they will take good care of you !!!

Hard Facts

But this hack is also related to privacy issues that are owned by customers who buy ledger devices. hackers will use data owned by ledger customers to commit other crimes. Even though they are not the private key, the ledger user or the customer who bought the ledger will also be a centralized victim who will be targeted for several ways to get the private key such as phishing methods via email and other methods. There will be many investment offers and the like that will go to customer emails that are successfully hacked, and the offer will contain phishing, malware and other sites that try to steal data on the user's device. Must stay alert.

[TopExchanger]

Are hardware wallets still the safest ones? Hackers got an access to users' info like emails and etc, but the funds weren't stolen. Now I don't know if I should buy Ledger wallet.

[sukbir]

Are hardware wallets still the safest ones? Hackers got an access to users' info like emails and etc, but the funds weren't stolen. Now I don't know if I should buy Ledger wallet.

Yes Mate, Ledger device is still safe to use, if you want to buy go for it..only customer detail was leaked.

[cutesgirl]

We confused which one most safety wallet for saving our assets, from exchange wallet always got scam and now ledger wallet look have the same problem. Almost wallet kinds will have little chance to make us lost our assets and better saving if offline wallet or online wallet, but always check every day and keep secure with internet access.

[Lucius]

Are hardware wallets still the safest ones? Hackers got an access to users' info like emails and etc, but the funds weren't stolen. Now I don't know if I should buy Ledger wallet.

Nothing is completely safe, but only to some extent safer than something that serves the same purpose. We can generally say that a hardware wallet is something that should (and in most cases is) much more secure than an online/desktop/mobile crypto wallet, but that doesn't mean you can completely relax and live in the belief that no one can do anything to your coins.

Hardware wallets are also exposed to various threats such as fake versions of wallets (fake Ledger Live) or phishing (fake Trezor sites), and clipboard malware. But this is not a weakness of the device but of each individual user who uses it.

There is no documented case (as far as I know) that someone managed to literally hack a hardware wallet (remotely), which does not mean that hackers may not find a way to do so in the future. Hacking a Ledger database does not have a direct impact on the security of the device itself - but it can have undesirable consequences on the privacy of users whose data has been stolen.

[squatter]

Hardware wallets are also exposed to various threats such as fake versions of wallets (fake Ledger Live) or phishing (fake Trezor sites), and clipboard malware. But this is not a weakness of the device but of each individual user who uses it.

I'm also concerned about things like possibly insecure RNG for key generation and bugs at the software or firmware level. More than anything else, I'm worried about supply chain attacks.

The ideal for long term storage is a method that leverages open source software, general purpose hardware, and a source of entropy than can be verified.

[Velkro]

A third-party attacker accessed the segments of e-commerce and promotional databases holding the email addresses of customers.
Additionally, 9,500 users were exposed to a leak of order details: name, street address, phone number and the details of what they ordered.

That is insanely dangerous.
If someone buying ledger or other crypto-wallet he have serious amount of money to hold there.
These people on that list are in danger now, bigger or lesser, will happen or not, but ledger should know better security of its clients data is crucial in their business.

[bbc.reporter]

However, the argument was that the public information available about everyone never prompted on someone breaking into a person's house similar to the hacked information from Ledger will not cause criminals breaking into those people's homes.

Is the telephone directory a danger to society?

You cannot compare publicly available data with the fact that someone stole data (name, surname, address, phone number) of 9500 people who are crypto users and who bought a hardware wallet. These people are indeed in potential danger of physical assault, but of course no one will just go and break into someone's house or apartment if there is no information that that person has a significant amount in crypto. Stolen data can be the basis for analysis and social engineering towards these users.

Criminals break into homes for much less value than finding out someone has 1+ BTC worth over $10k, and it's not clear to me that you can even draw parallels between the phone book and the data stolen from Ledger.

Are you telling everyone that breaking into home crimes on Ledger users will increase because of this hack? I reckon it might not be. They might have many Nigerian scam in their inbox, however hehehe.

[Shasha80]

Ledger companies should be more aware of the security of data users, if not quickly repaired their business reputation will be crucial.
Because for users personal data is everything, fortunately the Ledger can fix this problem quickly. This is also a lesson for all of us,
Ledger who has a reputation for a good security system can be hacked, therefore we must always be vigilant and activate all security
systems that we have.

[Lucius]

I'm also concerned about things like possibly insecure RNG for key generation and bugs at the software or firmware level. More than anything else, I'm worried about supply chain attacks.

The ideal for long term storage is a method that leverages open source software, general purpose hardware, and a source of entropy than can be verified.

I may once have believed that hardware wallets are impenetrable if used in accordance with all the rules, but over time I increasingly doubt that this is the case. Technology is advancing unstoppably, but not only for the manufacturers of such devices, but also for those who are trying in all possible ways to break their protection. Attack vectors that require physical contact with the device worry me less than some possible remote attacks that could in some way seriously compromise the security of the hardware wallets. Therefore, it is only right to always doubt everything and try to minimize the risk.

Are you telling everyone that breaking into home crimes on Ledger users will increase because of this hack? I reckon it might not be. They might have many Nigerian scam in their inbox, however hehehe.

I think I was pretty clear about that, but you're obviously going in the wrong direction all the time. 9500 Ledger customers are potentially compromised because their data has been stolen (not just email, but full/last name, physical address, mobile phone number). This opens up opportunities not only for physical attacks, but also for various other methods of social engineering that includes not only e-mail spam/phishing, but also all other methods that can be performed via a mobile number or physical address.

By the way, I don't think there's anything funny here - but if it entertains you, enjoy it.

[bbc.reporter]

@Lucius. Agreed! However, the telephone directory has also enough available information to do similar types of attacks and it has been publicly available for more than 50 years but it has never been considered a cause for attacks.

The bitcoin news media is creating much clickbaits about this news. There were similar hacks of this type on Coinbase, Bitmex and many other exchanges also that never caused mass increase in serious crimes.

[muratsink]

Will be most safety place to save our assets under billow? how primitive people save their assets under billow and keep safety for long term, with higher technology always have way how to get our assets risk save on digital wallet currency, maybe save on exchange wallet is most priority when getting good exchange.

[Lucius]

@Lucius. Agreed! However, the telephone directory has also enough available information to do similar types of attacks and it has been publicly available for more than 50 years but it has never been considered a cause for attacks.

And again I ask you what does the telephone directory have to do with the fact that in this particular case it is about people who bought a hardware wallet? Is there any information in the telephone directory or has there ever been information that someone bought gold, an expensive watch, a valuable piece of art perhaps?

It is really not clear to me that you are drawing a parallel between the telephone directory (which is a public database) and data that should be secret for quite logical reasons. I don't want a public directory with my information stating that I own a hardware wallet or have a safe in my apartment.

[bbc.reporter]

@Lucius. Agreed! However, the telephone directory has also enough available information to do similar types of attacks and it has been publicly available for more than 50 years but it has never been considered a cause for attacks.

And again I ask you what does the telephone directory have to do with the fact that in this particular case it is about people who bought a hardware wallet? Is there any information in the telephone directory or has there ever been information that someone bought gold, an expensive watch, a valuable piece of art perhaps?

It is really not clear to me that you are drawing a parallel between the telephone directory (which is a public database) and data that should be secret for quite logical reasons. I don't want a public directory with my information stating that I own a hardware wallet or have a safe in my apartment.

How would criminals know that their ledger wallets hold coins amounted to more than the price of the hardware wallet? Do you assume that there certainly will be a massive increase of serious crimes on those ledger owners?

I reckon the information given on where they live would give more details on their financial status, similar to the telephone directory.