Ledger 1 Mln Users Data Under Attack

[sukbir]

Are hardware wallets still the safest ones? Hackers got an access to users' info like emails and etc, but the funds weren't stolen. Now I don't know if I should buy Ledger wallet.

Yes Mate, Ledger device is still safe to use, if you want to buy go for it..only customer detail was leaked.

[cutesgirl]

We confused which one most safety wallet for saving our assets, from exchange wallet always got scam and now ledger wallet look have the same problem. Almost wallet kinds will have little chance to make us lost our assets and better saving if offline wallet or online wallet, but always check every day and keep secure with internet access.

[Lucius]

Are hardware wallets still the safest ones? Hackers got an access to users' info like emails and etc, but the funds weren't stolen. Now I don't know if I should buy Ledger wallet.

Nothing is completely safe, but only to some extent safer than something that serves the same purpose. We can generally say that a hardware wallet is something that should (and in most cases is) much more secure than an online/desktop/mobile crypto wallet, but that doesn't mean you can completely relax and live in the belief that no one can do anything to your coins.

Hardware wallets are also exposed to various threats such as fake versions of wallets (fake Ledger Live) or phishing (fake Trezor sites), and clipboard malware. But this is not a weakness of the device but of each individual user who uses it.

There is no documented case (as far as I know) that someone managed to literally hack a hardware wallet (remotely), which does not mean that hackers may not find a way to do so in the future. Hacking a Ledger database does not have a direct impact on the security of the device itself - but it can have undesirable consequences on the privacy of users whose data has been stolen.

[squatter]

Hardware wallets are also exposed to various threats such as fake versions of wallets (fake Ledger Live) or phishing (fake Trezor sites), and clipboard malware. But this is not a weakness of the device but of each individual user who uses it.

I'm also concerned about things like possibly insecure RNG for key generation and bugs at the software or firmware level. More than anything else, I'm worried about supply chain attacks.

The ideal for long term storage is a method that leverages open source software, general purpose hardware, and a source of entropy than can be verified.

[Velkro]

A third-party attacker accessed the segments of e-commerce and promotional databases holding the email addresses of customers.
Additionally, 9,500 users were exposed to a leak of order details: name, street address, phone number and the details of what they ordered.

That is insanely dangerous.
If someone buying ledger or other crypto-wallet he have serious amount of money to hold there.
These people on that list are in danger now, bigger or lesser, will happen or not, but ledger should know better security of its clients data is crucial in their business.

[bbc.reporter]

However, the argument was that the public information available about everyone never prompted on someone breaking into a person's house similar to the hacked information from Ledger will not cause criminals breaking into those people's homes.

Is the telephone directory a danger to society?

You cannot compare publicly available data with the fact that someone stole data (name, surname, address, phone number) of 9500 people who are crypto users and who bought a hardware wallet. These people are indeed in potential danger of physical assault, but of course no one will just go and break into someone's house or apartment if there is no information that that person has a significant amount in crypto. Stolen data can be the basis for analysis and social engineering towards these users.

Criminals break into homes for much less value than finding out someone has 1+ BTC worth over $10k, and it's not clear to me that you can even draw parallels between the phone book and the data stolen from Ledger.

Are you telling everyone that breaking into home crimes on Ledger users will increase because of this hack? I reckon it might not be. They might have many Nigerian scam in their inbox, however hehehe.

[Shasha80]

Ledger companies should be more aware of the security of data users, if not quickly repaired their business reputation will be crucial.
Because for users personal data is everything, fortunately the Ledger can fix this problem quickly. This is also a lesson for all of us,
Ledger who has a reputation for a good security system can be hacked, therefore we must always be vigilant and activate all security
systems that we have.

[Lucius]

I'm also concerned about things like possibly insecure RNG for key generation and bugs at the software or firmware level. More than anything else, I'm worried about supply chain attacks.

The ideal for long term storage is a method that leverages open source software, general purpose hardware, and a source of entropy than can be verified.

I may once have believed that hardware wallets are impenetrable if used in accordance with all the rules, but over time I increasingly doubt that this is the case. Technology is advancing unstoppably, but not only for the manufacturers of such devices, but also for those who are trying in all possible ways to break their protection. Attack vectors that require physical contact with the device worry me less than some possible remote attacks that could in some way seriously compromise the security of the hardware wallets. Therefore, it is only right to always doubt everything and try to minimize the risk.

Are you telling everyone that breaking into home crimes on Ledger users will increase because of this hack? I reckon it might not be. They might have many Nigerian scam in their inbox, however hehehe.

I think I was pretty clear about that, but you're obviously going in the wrong direction all the time. 9500 Ledger customers are potentially compromised because their data has been stolen (not just email, but full/last name, physical address, mobile phone number). This opens up opportunities not only for physical attacks, but also for various other methods of social engineering that includes not only e-mail spam/phishing, but also all other methods that can be performed via a mobile number or physical address.

By the way, I don't think there's anything funny here - but if it entertains you, enjoy it.

[bbc.reporter]

@Lucius. Agreed! However, the telephone directory has also enough available information to do similar types of attacks and it has been publicly available for more than 50 years but it has never been considered a cause for attacks.

The bitcoin news media is creating much clickbaits about this news. There were similar hacks of this type on Coinbase, Bitmex and many other exchanges also that never caused mass increase in serious crimes.

[muratsink]

Will be most safety place to save our assets under billow? how primitive people save their assets under billow and keep safety for long term, with higher technology always have way how to get our assets risk save on digital wallet currency, maybe save on exchange wallet is most priority when getting good exchange.

[Lucius]

@Lucius. Agreed! However, the telephone directory has also enough available information to do similar types of attacks and it has been publicly available for more than 50 years but it has never been considered a cause for attacks.

And again I ask you what does the telephone directory have to do with the fact that in this particular case it is about people who bought a hardware wallet? Is there any information in the telephone directory or has there ever been information that someone bought gold, an expensive watch, a valuable piece of art perhaps?

It is really not clear to me that you are drawing a parallel between the telephone directory (which is a public database) and data that should be secret for quite logical reasons. I don't want a public directory with my information stating that I own a hardware wallet or have a safe in my apartment.

[bbc.reporter]

@Lucius. Agreed! However, the telephone directory has also enough available information to do similar types of attacks and it has been publicly available for more than 50 years but it has never been considered a cause for attacks.

And again I ask you what does the telephone directory have to do with the fact that in this particular case it is about people who bought a hardware wallet? Is there any information in the telephone directory or has there ever been information that someone bought gold, an expensive watch, a valuable piece of art perhaps?

It is really not clear to me that you are drawing a parallel between the telephone directory (which is a public database) and data that should be secret for quite logical reasons. I don't want a public directory with my information stating that I own a hardware wallet or have a safe in my apartment.

How would criminals know that their ledger wallets hold coins amounted to more than the price of the hardware wallet? Do you assume that there certainly will be a massive increase of serious crimes on those ledger owners?

I reckon the information given on where they live would give more details on their financial status, similar to the telephone directory.