New Ledger phishing mail targets individual users

[HCP]

Never received a "personal" notification from Ledger after the original hack... have not received any phishing emails or SMS messages recently (not even to my spam folder).

What I did receive was an email from Ledger with the subject heading "Ledger Security Alert: be cautious with phishing attempts", which (somewhat ironically) went to my spam folder So, kudos to them for at least trying, I guess


As a side note, to whomever it was considering legal action, unless you can prove "willful negligence", you're probably unlikely to succeed.

[1714115205]

1714115205

[1714115205]

1714115205

[1714115205]

1714115205

[bL4nkcode]

Never received a "personal" notification from Ledger after the original hack... have not received any phishing emails or SMS messages recently (not even to my spam folder).

What I did receive was an email from Ledger with the subject heading "Ledger Security Alert: be cautious with phishing attempts", which (somewhat ironically) went to my spam folder So, kudos to them for at least trying, I guess

Fortunately, had this the same, I tried to check my 2 emails used to purchased there since I purchased there more than 3 times but never received this phishing email, but I received an email on july regarding the e-commerce & marketing breach and this "Ledger Security Alert" just this oct. though in spam both.

[dkbit98]

I am now hearing reports from people that say that Affiliate DB is also leaked!
One man reported that he used separate unique email for Ledger affiliate program, and he received phishing emails.
Marketing DB - leaked
e-commerce DB - leaked
Affiliate DB - leaked.
https://www.reddit.com/r/ledgerwallet/comments/jqiftv/this_is_unbelievable_a_new_ledger_leak_that_was/

[HCP]

Affiliate DB - allegedly leaked.
https://www.reddit.com/r/ledgerwallet/comments/jqiftv/this_is_unbelievable_a_new_ledger_leak_that_was/

As far as I can see, the company has not confirmed nor denied this... and I don't see any other users claiming that their affiliate info was leaked. Having said that, on the balance of probabilities, I'd say it was probably likely that it did happen, especially if all their systems were integrated

Given that they have admitted the other data was leaked, I see no reason for Ledger to deny that the affiliate data was leaked if it did indeed happen. I would assume they are busy investigating this claim. Hopefully they can make a statement at some point in the (very) near future to clarify the status of this data, so users can be advised and take any necessary precautions.

I feel for the folks currently getting spammed with scam text message "alerts"... must be alarming receiving a text with your full name claiming you've sent a transaction that you didn't, with a link to a website registered in your local region!

This entire episode has been a complete PR disaster for Ledger... their (normally) overworked and "slow" support is now pretty much completely swamped with requests to delete personal data (which don't seem to be being actioned)... and this is all down to what Ledger are claiming was a "misconfigured, Third Party API key". Going to take them years (if at all) to regain the trust of a lot of users.

[o_e_l_e_o]

More reports across Reddit of users who either were supposedly not part of the 9,500 affected individuals from the previous data leak, or users who used unique email addresses for affiliation and marketing reasons, all getting targeted phishing emails. A little bit of digging also found this comment from a Ledger staff member:

Hello,

As soon as we discovered the data breach in July 2020, we patched it.

Since then, we lead two penetration tests with a third party consultancy to verify and improve the security of your data.

We did not encounter a new data breach since July.

As said in another post, two weeks ago, we've been made aware that some of our customers are being targeted by phishing attempts. Some of these customers were not part of the 9,500 individuals for whom we know that data other than email were also exposed, such as first and last name, postal address, phone number or ordered products. In the current state of our knowledge, It is not technically possible to state the exact scope of the leak of this detailed data.

Hope It helps.

So, in the absence of any evidence of a further data breach, it looks like the July data breach was much larger than they initially thought. It is more than a little concerning that they "cannot state the exact scope of the leak of this detailed data". They have no idea what has been breached.

Between the unpatchable Trezor vulnerability, and this extensive Ledger leak, I'm close to giving up on hardware wallets altogether. Most of my funds are on airgapped, encrypted, cold storage, but that just isn't an option for your average Joe, at least not until they've been involved in crypto for a while and understand the process and risks. What can we recommend for newbies that is more secure than a software wallet but still straightforward and easy to use?

And I'll repeat my advice regarding this kind of thing that I've said before: If you have given personal details, email addresses, name, telephone number, physical address, etc. to any crypto company, do yourself a favor and look at their Terms and Conditions and Privacy Policy and figure out how to request that they delete it.

[Pmalek]

I feel for the folks currently getting spammed with scam text message "alerts"... must be alarming receiving a text with your full name claiming you've sent a transaction that you didn't, with a link to a website registered in your local region!

If the hackers have full names of Ledger users, I wonder why they didn't use full names when sending out those phishing emails. They used only the first name. When services like your bank or PayPal contacts you, they always address you with the full name.

What can we recommend for newbies that is more secure than a software wallet but still straightforward and easy to use?

I wouldn't give up on hardware wallets just yet. Sure, it sucks having your data leaked. I would recommend purchasing hardware wallets with crypto. At least that would prevent having your bank/card details leaked. Shipping it to your place of work instead of to your own home is also not bad. Buying a burner phone or secondary SIM card whose number you would use to pick up the package is also an option.   

[o_e_l_e_o]

I would recommend purchasing hardware wallets with crypto. At least that would prevent having your bank/card details leaked. Shipping it to your place of work instead of to your own home is also not bad. Buying a burner phone or secondary SIM card whose number you would use to pick up the package is also an option.

I have multiple hardware wallets (and some other bitcoin related products) from multiple companies. I purchased all of them using well-mixed bitcoin, with a disposable email address, a fake name, and shipped them to a drop off point where I picked them up from. I have zero concern about my details being leaked - indeed, I haven't even checked to see if the fake name and email I used with Ledger showed up in their breach (I think I could probably still find the log in to the email backed up on an external hard drive somewhere, but I certainly don't remember it having not used it for several years).

However, none of that is newbie friendly.

"Use disposable email addresses, create a fake identity, find a neutral shipping location you can pick up from, and make sure the bitcoin you buy with is anonymized" is not newbie friendly.
"Find an old computer, physically remove the WiFi card, keep it airgapped forever, format it, install Linux, encrypt the whole disk, install a wallet on it, and then export the xpub to create a watch only wallet" is not newbie friendly.

"Buy a hardware wallet and plug it in" is newbie friendly. "Download this piece of software" is newbie friendly. However, neither of those seem particularly secure any more.

[dkbit98]

I have multiple hardware wallets (and some other bitcoin related products) from multiple companies. I purchased all of them using well-mixed bitcoin, with a disposable email address, a fake name, and shipped them to a drop off point where I picked them up from. I have zero concern about my details being leaked - indeed, I haven't even checked to see if the fake name and email I used with Ledger showed up in their breach (I think I could probably still find the log in to the email backed up on an external hard drive somewhere, but I certainly don't remember it having not used it for several years).

However, none of that is newbie friendly.

I have done something similar like you, so it's almost impossible that someone connects me, or my address and phone number with my hardware wallet, but I am a privacy freak.

Majority of people who purchased Ledger are newbies, and they just visited website, registered and left real name, real phone number and real address.
Now we see reddit and internet blowing up with customer complains and Ledger reputation is ruined forever.
Maybe they will give wallets for free soon to attract new users

I will have to write a Guide - How to buy a Hardware Wallet the right way

[Coin-Keeper]

I also received emails from "Ledger".  I didn't even buy anything and simply asked a few questions using one of my Tutamail accounts via TOR.   Those don't come back to me but sure enough those phishing emails were sent to me there.

[HCP]

I also received emails from "Ledger".  I didn't even buy anything and simply asked a few questions using one of my Tutamail accounts via TOR.   Those don't come back to me but sure enough those phishing emails were sent to me there.

That's expected... given that the "marketing" DB was leaked as well as the "customer" DB. If they had your email at any stage, you were likely on the "mailing list"

So, in the absence of any evidence of a further data breach, it looks like the July data breach was much larger than they initially thought. It is more than a little concerning that they "cannot state the exact scope of the leak of this detailed data". They have no idea what has been breached.

This is probably the most disconcerting thing. They don't really appear to have any idea of what exactly was leaked.


At least they finally seem to be starting to "get it":

...
We know we fucked up, we try to get it right for you.

Although, I doubt there is realistically much they can do to "get it right" for the affected users. The proverbial horse has bolted, so the data is out there... It's not like Ledger can "undo" this.

[o_e_l_e_o]

At least they finally seem to be starting to "get it"

The comment two below that highlights my concerns from above though:

Some didn't receive that specific email because the logs we have in our possession show that 1M emails leaked plus 9500 more detailed personal info.

So they have no idea the full scope of the data breach. They can only prove that 9,500 customers had their full details leaked, but the flurry of reports of people being targeted by phishing messages who did not receive the email sent to those original 9,500 customers suggests that this number is actually far higher, but nobody knows how high. Their entire database could have been leaked for all we (or they) know.

This must be a real let down for the engineers and programmers working on the actual devices (which I still like), that some idiot who can't encrypt a database properly has ruined the entire company's reputation.

[Lucius]

Although, I doubt there is realistically much they can do to "get it right" for the affected users. The proverbial horse has bolted, so the data is out there... It's not like Ledger can "undo" this.

Ledger can only try to reduce the damage by trying to make the job of hackers as difficult as possible. In this regard, I received this e-mail today (and I assume that others will receive it as well). Now we can only wonder if it is just one hacker who has this database, or the database has already been sold and used by multiple individuals. One hacker, just one copy of the database, and one wrong step by that same hacker would be the ideal combination to get Ledger out (somewhat) of this situation.

Dear client,

Ledger users are under attack and targeted by a phishing scam (here is a link to understand the anatomy of a phishing attack).

Kraken Security Lab has done a great job at describing what’s going on and we appreciate their help in this matter :

https://blog.kraken.com/post/6746/ledger-phishing-scam-targets-crypto-hardware-wallet-users/

Today, we want to let you know that Ledger is fighting hard to defeat the scammers.

But we also want to let you know that we’ll be stronger together.

Help us #StopTheScammers

The two main ideas you should leave with after reading this post are :

    Never share your 24 words with anyone.
    Help us take the scammers websites down.

The best way to stop the scammers is to take their websites down as quickly as possible. Here's how you can help:

    Spread the word: talk to your friends and your communities and let them know that they must never share their 24 words with anyone under any circumstances, Ledger will never ask for their 24 words. No one should ever ask you for your 24 words… It’s something that you must absolutely keep for you.
    If you have received a phishing attempt or if you are aware of an illegal website, like the ones above, please report it to Google Safebrowsing. The more we report these illegal websites to Google, the more difficult it will be for scammers to deceive our Ledger users.
    If you have received a phishing attempt, you can file a complaint with your local criminal authority.

Phishing scams are one of the critical problems in cybercrime. The Ledger community will be better protected if we all work together.

When you find a scam, report it to the community: #StopTheScammers

We understand the stress and uncertainty these phishing attacks may be causing you. We want to assure you that our team is doing everything in our power to stop these attacks.

What is our team doing ?

    Members of our Donjon security team are continuously tracing the scammers' new website URLs, so that we can  share the necessary technical information for the relevant authorities
    Managing and updating an on-going criminal complaint through the French Public Prosecutor to enable the police force to identify and prosecute those responsible.
    Subpoena requests have been sent in the US and in France to obtain from the internet intermediaries and communications operators full disclosure of the identity of the responsible.
    Reaching out to international cyberdefense organizations to bring the case to their knowledge. This is a way to increase the magnitude of this complaint by using these international cyberdefense organizations enormous and transnational capabilities.
    Our brand protection internal and external teams are reporting illegal  websites to abuse contact of the registrars. Within the last few weeks, 87 websites have been reported and 42 shutdowns. Some registrar fail to be reactive which explains why websites are still active despite Ledger notifying them several times following the abuse procedure.
    Communicating with our customers and community, answering thousands of questions and updating users with new information as it is available through our support center, Twitter, Facebook, email, Reddit, etc.

We will be stronger together.

#StopTheScammers

Pascal Gauthier

CEO at Ledger

[o_e_l_e_o]

Now we can only wonder if it is just one hacker who has this database, or the database has already been sold and used by multiple individuals.

Has there been any evidence of the database being sold? I remember there was a supposed hack back in May, where details of both Ledger and Trezor customers was purportedly up for sale, but it turned out to be a fake. Conversely, I don't remember ever seeing anything suggesting this database has been put up for sale anywhere.

Having said all that, I also haven't seen a single report on here or on Reddit or a user falling victim to these phishing messages yet. Perhaps Ledger's preemptive emails have worked.

[LeGaulois]

@o_e_l_e_o

The person would be a bit dumb to resell it several times, at least right now. Competition is never good.
This is what they usually do once they have abused the database enough. Probably the person will start next to send emails about stupid airdrops and co.
Anyway, you will notice when more persons have the database when you get spam daily (or more spam than usual).

About people victims of this campaign. I saw a person who lost money with the trap, unfortunately. And the hacker collected over 100 BTC already

@Lucius

Thanks for posting. It will avoid people here saying Ledger's doing nothing  

[Pmalek]

Now we can only wonder if it is just one hacker who has this database, or the database has already been sold and used by multiple individuals.

Has there been any evidence of the database being sold?

The only way to know is by checking underground onion sites and hacking forums where things like this are usually distributed and sold. Whoever has the data will not let the general public know. If I was interested in deep internet marketplaces, that's where I would check.   

[Lucius]

Has there been any evidence of the database being sold?

So far there is no such evidence, and from what I have read Ledger is using the services of Orange Cyberdefense which tries to find any evidence that the database has been sold or is being sold on the black market.

Meanwhile, Ledger said France’s Data Protection Authority, the CNIL, was notified about the breach on July 16. The firm is also working with the Orange Cyberdefense (OCD) to find any evidence of the stolen data being sold online.

Having said all that, I also haven't seen a single report on here or on Reddit or a user falling victim to these phishing messages yet. Perhaps Ledger's preemptive emails have worked.

There are always those who will believe in anything, we all know that phishing has been an effective way before, and I have no doubt it is not even more effective when targeting users on a personal level. Of course, there are differences in that everything is not left to the users, and that Ledger is maximally involved in the whole thing. I think this is too big thing to stay at lower levels of investigation, and that sooner or later the person or persons behind this will be discovered.

@Lucius
Thanks for posting. It will avoid people here saying Ledger's doing nothing 

You're welcome, but I doubt it will help that someone doesn't accuse us of being part of the Ledger gang

[dkbit98]

Ledger is worst crypto company I ever saw in my life and only novel writers here in their bubble supports them after all we seen.
This is how Ledger 'fixes' things in translation means - doing nothing:

What you see here is one more stupid Ledger wallet app bug that shows unreal spikes your portfolio at beginning of each month.
Everyone including Ledger developers are aware of this bug for several months and maybe even a year, but they keep ignoring it and delaying fix.
This is how they (not) fix everything in Ledger...  

I am not using Ledger app all the time, but when I need to update I always look at this spikes  

Let's see how 'effective' Ledger is:

Ledger database compromised ?
Before you down-vote me into oblivion please read carefully.

After reading all this security chaos I decided to email ledger about deleting my personal information.(yesterday)
I did not make any purchases or had any type of contact with ledger for over 2 years now and the email I used for previous purchases I used ONLY for ledger.com
I should mention that I was not affected from the previous ledger data leaks.

In anticipation of having a reply from ledger about my personal information, Today i logged in to this email and received so far 2 scam messages.

Which leads me to believe their entire database right now is compromised. I never got a reply from ledger and from what I read around here I should not expect any.

Take care.

https://www.reddit.com/r/ledgerwallet/comments/jt04h8/ledger_database_compromised/
archive: https://archive.vn/N8ERi

Is moving home the only way to feel sort of safe again after Ledger leaked my home address to criminals?
I’m serious, I am worried for my families well being. I look online at home security devices and best legal weapons to keep at home. This hack has screwed with me mentally and I want to be compensated. Is there a lawyer already on the case?

https://www.reddit.com/r/ledgerwallet/comments/jt4jew/is_moving_home_the_only_way_to_feel_sort_of_safe/
archive: https://archive.vn/3Mz1H

Never got notified of Ledger security breach
I bought a ledger in May. I then got a phishing text Sunday which I knew was a scam, and then an email today from Ledger warning about phishing attacks.

Researching this today I see that this breach occurred months ago and I read their statement about how they were notifying everyone and doing many steps to make their systems more secure.

I was clearly in the batch of the lucky 9,000 (not sure I even trust that number now) who had not just their email but all their contact details leak and yet got notification.

Right now my confidence in ledger is at a zero, considering they couldn’t even handle notifications correctly after a security breach.

https://www.reddit.com/r/ledgerwallet/comments/jsalq8/never_got_notified_of_ledger_security_breach/
archive: https://archive.vn/fZM5F

Compensation in EU

In EU, the GDPR gives a right to claim compensation from an organisation if you have suffered damage as a result of it breaking data protection law, which includes breaches. This does require the person to have suffered “material damage” (e.g. you have lost money) or “non-material damage” (e.g. you have suffered distress).

I've been getting phishing messages from fake 'Ledger' numbers, using my real name and phone number, so I am assuming that they know my personal address as well and this is a pretty big deal, since now I have to worry that someone can physically rob me, knowing I have a Ledger, which is obviously causing 'non-material damage', e.g. distress.

According to ICO (https://ico.org.uk/your-data-matters/data-protection-and-journalism/taking-your-case-to-court-and-claiming-compensation/), before taking the case into court, you can agree for compensation with the company, and I was wondering if anyone has spoken to Ledger about this yet?

I am genuinely considering going to court with this though, to be honest.

https://www.reddit.com/r/ledgerwallet/comments/js6o9n/compensation_in_eu/
archive: https://archive.vn/PK0xB

[Pmalek]

@dkbit98
They have caused a huge shitstorm, and one that they will have a very hard time to recover from. If the first user you quoted is telling the truth, it means that their database is being leaked even now as we speak. How else can you explain that the user has not received any phishing messages in the past, and was originally not affected by the leak, until he emailed them? Only then he started receiving phishing messages.

It can be either a huge coincidence and that his details were leaked together with the other users in the July hack, and the hackers only now found the time to contact him, or his info was leaked after he sent that email a few days ago.

[jerry0]

How many people here got that phishing email?  I checked my email and don't see it.  So it affect one percent of the nano ledger users database?


Also in an article it was said that this phishing lead to many users losing their crypto... especially ripple.  Can someone explain this?  So the phishing email tricked users into downloading a fake ledger live or was it some other program?  Then how did users lose their ripple then which i heard was the main coin that was lost here?  Am i assuming those users typed their ledger seed into the software?


Because since nano ledger is a hardware wallet, even if your computer is compromised as in virus/malware/keylogging, doesn't the seed as long as its not typed in the computer somewhere still safe?

[bob123]

How many people here got that phishing email?  I checked my email and don't see it.  So it affect one percent of the nano ledger users database?

We don't have exact numbers.
But it seems like a not too small percentage is affected.

I, personally, didn't receive any mail either.

Also in an article it was said that this phishing lead to many users losing their crypto... especially ripple.  Can someone explain this?  So the phishing email tricked users into downloading a fake ledger live or was it some other program?  Then how did users lose their ripple then which i heard was the main coin that was lost here?  Am i assuming those users typed their ledger seed into the software?

Possible.
Basically, they either downloaded malware which asked them to enter the mnemonic code or created a transaction which the user blindly accepted (for whatever reason) or they entered the mnemonic code somewhere online.

Because since nano ledger is a hardware wallet, even if your computer is compromised as in virus/malware/keylogging, doesn't the seed as long as its not typed in the computer somewhere still safe?

Yes, that's correct.
If you follow the basic guidelines (e.g. not typing your mnemonic into malware), you are fine.