dkbit98
December 21, 2020, 08:46:55 AM
Now we see the truth of what happened with the hacked ledger database and one million customers' information ending up on raidforums. We can see that emails have attached names, physical addresses, phone numbers and a number assigned to them.
272.853 orders with full info details (Email, Addresses, Phone Number)
1.075.382 emails subscribed to newsletter
Now we see that ledger lied about the real numbers of leaked customer data with full info.... real numbers are much much higher.
Better check if your email address is pwned and change it, oh and never trust ledger again: https://haveibeenpwned.com/

Lucius
December 21, 2020, 11:45:11 AM
Better check if your email address is pwned and change it, oh and never trust ledger again:
There is no need for any checks, everyone who has ever bought something from Ledger or left their e-mail address in any way is in that database - and all that information is now public, it’s just a matter of who suffered more damage because in addition to e-mail, all other data was leaked. Changing email means absolutely nothing, at least not for those who know how to recognize spam.

o_e_l_e_o
December 21, 2020, 11:55:52 AM
Yup, this is horrendous. The leak of 9,500 addresses was bad enough. The leak of 272 thousand addresses is horrendous. But that isn't even the worst thing. Ledger either lied and covered up the size of this leak, despite endless customer reports to the contrary, or were genuinely unaware of what data had been accessed, and this lasted for months. Either is inexcusable and unforgivable. There is zero trust left with Ledger.
I'm done with hardware wallets. I was done with Trezor after their critical vulnerability which they don't even warn new users about, and now I'm done with Ledger since they can't be trusted to be either competent, honest, or both. I am completely unaffected by this hack thanks to fake credentials, but I refuse to use my Ledger devices any longer. I'll be moving everything off them and into airgapped cold storage as soon as the mempool empties.
Lots of reports on Reddit of people receiving ransom emails with their real name and address, and demanding payment to not be physically attacked. Horrendous.
As I've said before, if you have given your real name and address to any crypto company, now is a good time to contact them and request that they delete all of your information. Check their Terms of Service and Privacy Policy for how to go about doing so.

FatFork
December 21, 2020, 12:39:05 PM
Lots of reports on Reddit of people receiving ransom emails with their real name and address, and demanding payment to not be physically attacked. Horrendous.
This is really disturbing. I can't even imagine how these people are feeling right now.

dkbit98
December 21, 2020, 01:02:33 PM (last edit: December 21, 2020, 01:14:07 PM by dkbit98)
28 times over the reported number, ledger shoot their own feet this time.
When I told all the ledger shillers here that ledger team lies about 9500 number of full leak data, they told me I was wrong and to just trust the ledger. I don't see them now maybe because they got back into their small holes and hide. Btw I think this download file you provided contains only emails and I can't find my email address there, but just to be safe I will probably change addresses I use.
EDIT: I found all other files also.
Yup, this is horrendous. The leak of 9,500 addresses was bad enough. The leak of 272 thousand addresses is horrendous. But that isn't even the worst thing. Ledger either lied and covered up the size of this leak, despite endless customer reports to the contrary, or were genuinely unaware of what data had been accessed, and this lasted for months. Either is inexcusable and unforgivable. There is zero trust left with Ledger.
They lied 100% like I said many times before, and anyone who has any contacts in darkweb could confirm this. Zero trust confirmed and reputation ruined. Here comes 100% discount from ledger soon...

suchmoon
December 21, 2020, 01:31:58 PM
Ledger confirmed.
No no no, they're "still confirming". Nothing to worry about. After months of phishing e-mails and texts and phone calls it might turn out to be a non-issue if they don't confirm. Fucking assholes and absolute clueless knobs when it comes to securing customer data or customer support or being in business altogether.

o_e_l_e_o
December 21, 2020, 01:40:22 PM
They lied 100% like I said many times before
They are claiming on Reddit that they did not lie, and the logs and investigation they performed revealed only 9,500 compromised addresses. As I said above, if they aren't lying then they are completely unaware about the security of their own systems, and someone managed to steal a quarter of a million customers' details with Ledger being none the wiser. Not that it really matters - either is enough to never use them again.

Lucius
December 21, 2020, 01:47:18 PM
People who bought Ledger HW wallet definitely should check the dump file.
I get data from GitHub (link posted here - forum link), but finding your data is a bit more difficult, so it would be very useful for someone to make a search option, just enough so that everyone can see if only their e-mail or all other data has been published.

suchmoon
December 21, 2020, 01:50:49 PM (last edit: December 29, 2020, 02:32:51 AM by suchmoon)
I get data from GitHub (link posted here - forum link), but finding your data is a bit more difficult, so it would be very useful for someone to make a search option, just enough so that everyone can see if only their e-mail or all other data has been published.
Use your browser's search-on-the-page feature to find your e-mail. Or save that file and search with any text editor.

NeuroticFish
December 21, 2020, 02:02:08 PM
People who bought Ledger HW wallet definitely should check the dump file.
I think that's still not the whole data and I fear that more may come out. I mean... they have "only" my e-mail address although I bought the device. ...and I've checked both files from the archive on github. Should we make a rule and forward all the mails related to Ledger we receive to Ledger's mail addresses? Or suing them and asking for financial compensations would make them understand better how big is the fuckup they've made?

suchmoon
December 21, 2020, 02:14:53 PM
They are claiming on Reddit that they did not lie, and the logs and investigation they performed revealed only 9,500 compromised addresses. As I said above, if they aren't lying then they are completely unaware about the security of their own systems, and someone managed to steal a quarter of a million customers' details with Ledger being none the wiser. Not that it really matters - either is enough to never use them again.
Makes the recent complaints about ongoing leaks not that far fetched anymore, doesn't it.
I checked a few zip codes around me and what do you know - the number of ledger buyers per zip code follows known indicators of wealth for those areas, e.g. income and real estate prices. This might turn out to be a very valuable dataset for a wannabe burglar.

Dadounet
December 21, 2020, 02:22:16 PM
Hi,
I just checked today and I saw all my coordinates in the leaked file: name, email, phone, address. A real nightmare. Now I'm really afraid of being attacked. Not for my money (actually, I only have a small amount of crypto.. but attackers cannot guess!), but for my personal security. What can I do?

Csmiami
December 21, 2020, 02:37:13 PM
----
Or suing them and asking for financial compensations would make them understand better how big is the fuckup they've made?
A lot of posts ago, I mentioned that I was seeking legal advice. I have contacted my national data protection agency and I'm waiting for an update; although I'll have to update them on this one new discovery first... I'm posting some updates back in the local Spanish board, but if there's enough interest, I can also bring the most important developments here too. I'm not seeking a personal financial compensation (although that'd be neat); but at least I'd like to see a huge fine addressed to them.

Lucius
December 21, 2020, 02:40:24 PM
What can I do?
Unfortunately, what few people can do just like that - and that would be to move to a new address, and change the e-mail and phone number. While it can never be ruled out that there will be a physical attack on someone because of this database, potential attackers don’t have (at least I hope they don’t) data on how much crypto we own. It's not the same to rob someone online, and break into their house or apartment - I can only say that such people will not have a good time with me - or rather, it will be their last job. For a start, if you don’t have security cameras and an alarm, it would be a good time to get them.
NeuroticFish & Csmiami, I think I've asked before if there is anything that can be done about it here on the forum, but I think the answer was that Ledger was pretty well protected on that. Personally, I would very much like to join a class action lawsuit.

Csmiami
December 21, 2020, 02:45:37 PM
potential attackers don’t have (at least I hope they don’t) data on how much crypto we own.
Who knows, they are closed source; something that has been vastly criticized; and maybe somewhere in the code, the device sends a report on the assets each device contains every time you use Ledger Live. I wouldn't be surprised if such a thing was exposed right now; considering how crazy it's been since July. I have always mentioned that the vulnerability was disclosed in July, but that we don't know how long it's been exploited; even if Ledger did delete the data after a certain amount of time, if hackers had access prior to that, well, we know how it follows.

casperBGD
December 21, 2020, 02:54:45 PM
~snip Personally, I would very much like to join a class action lawsuit.
I really do not think that this is possible, it is good to check all the documents that you have been checking while leaving your data on Ledger website, but I would be surprised if Ledger left any space for people to pull a lawsuit against them over data hacking, it is what it is, and probably we can just be mad at them and choose another provider for hardware wallets.
Who knows, they are closed source; something that has been vastly criticized; and maybe somewhere in the code, the device sends a report on the assets each device contains every time you use Ledger Live. I wouldn't be surprised if such a thing was exposed right now; considering how crazy it's been since July.
I highly doubt that ledger live is sending data regarding your account in some central database, it would be of no use for them and highly risky for users, although I think that they cannot relate your BTC address on device with your personal data (since you create it with first use), if they can, then they would be able to have access to your mnemonic phrase or private key, prior to sending you the device, and that would be already exploited, so this is not the case certainly, they do not have crypto amount per user, may have per address on device (clearly doubt this as well), but this could not be related with physical person/address.

suchmoon
December 21, 2020, 03:08:15 PM
Who knows, they are closed source; something that has been vastly criticized; and maybe somewhere in the code, the device sends a report on the assets each device contains every time you use Ledger Live. I wouldn't be surprised if such a thing was exposed right now; considering how crazy it's been since July.
It doesn't have to be in Ledger data. If there is a leak of e-mail addresses from somewhere else, e.g. some bitcoin forum perhaps, and those e-mail addresses can be tied to assets, and you can look up a physical address in the Ledger leak - jackpot. Granted that's a lot of work with a low probability of success but someone somewhere will surely try it and will release a nicely collated list of targets just because they can.

o_e_l_e_o
December 21, 2020, 03:49:51 PM
I really do not think that this is possible, it is good to check all the documents that you have been checking while leaving your data on Ledger website, but I would be surprised if Ledger left any space for people to pull a lawsuit against them over data hacking
Depends on French and EU law. They could very well be at fault for not storing this data in a secure environment, i.e. encrypted and offline. There is a new subreddit at /r/ledgerwalletleak which is discussing lawsuits, and there are some responses from various lawyers pasted in there which seem like there may be a case.
I highly doubt that ledger live is sending data regarding your account in some central database, it would be of no use for them and highly risky for users,
And no one expected that Ledger were storing everyone's personal info in one big unencrypted, unprotected, and unsecured online database, and yet, here we are.
if they can, then they would be able to have access to your mnemonic phrase or private key, prior to sending you the device
Not required. All you need to do is open Ledger Live and details of your addresses could be sent to their servers.

DaveF
December 21, 2020, 04:52:26 PM
I highly doubt that ledger live is sending data regarding your account in some central database, it would be of no use for them and highly risky for users,
And no one expected that Ledger were storing everyone's personal info in one big unencrypted, unprotected, and unsecured online database, and yet, here we are.
Ummm, that is how us paranoid security nutjobs think everyone stores our info. This is why I use disposable email addresses and have semi-bogus shipping info. Oh, and enjoy calling my virtual phone number that goes nowhere. Sad, but this is what it takes to be somewhat secure today.
-Dave

FatFork
December 21, 2020, 05:55:14 PM
...Sad, but this is what it takes to be somewhat secure today.
This is not the answer. If I am supposed to use fake information (name, address, phone number) to use a legitimate service, then I am the one who violates the rules and regulations (in some cases, even breaking the law). And what about credit card numbers? Should I also have a fake credit card for online shopping? No, no, no. In this situation, it is very clear who is responsible.