Bitcoin Forum
Topic: New Ledger phishing mail targets individual users
HCP
December 21, 2020, 06:28:29 PM
 #101

Interestingly, they only have my email addresses, despite having made a purchase... so it would seem that the buyers database is not "complete". So, that's something I guess...

Kudos to Ledger for actually admitting that the original security log analysis was incorrect in its determination of how much data was leaked:
Quote
At the time of the incident, in July, we engaged an external security organisation to conduct a forensic review of the logs available. This review of the logs enabled us to confirm that approximately 1 million email addresses had been stolen as well as 9,532 more detailed personal information (postal addresses, name, surname and phone number) that we were able to specifically identify.

The database publicly released yesterday shows that a larger subset of detailed information has been leaked, approximately 272,000 detailed information such as postal address, last name, first name and telephone number of our customers. These details are not available in the logs that we were able to analyse.

Still, I'm not sure why they didn't just assume the worst-case scenario that everything had been taken...

Csmiami
December 21, 2020, 08:56:54 PM
 #102

I have finally received my personal email informing me about the leak, and boy is it funny to read. I'll highlight a couple of things:

Quote
We regret to inform you that you are part of the approximately 272 000 customers whose detailed personal information was accessed by the unauthorized third party. Specifically, your name and surname, and your postal address were exposed.

Not only are they late, but they specifically forget to mention that my phone number and email have also been leaked; which leads me to believe that they haven't actually checked the dumped DB.

Quote
We are still investigating, but early signs tell us that this indeed could be the contents of our e-commerce database from June, 2020
I think it was suchmoon the one mentioning it; but what else do they have to investigate? Like really, the data is out in the public, they know when the vulnerability was allegedly found. If anything, they should check whether new customers' data is still there, but other than that... the oldest data to know when this party started?

The email as a whole is a copy paste, which considering the case is way too "cold" (but what could we really expect?)

casperBGD
December 21, 2020, 09:05:25 PM
 #103


if they can, then they would be able to have access to your mnemonic phrase or private key, prior to sending you the device
Not required. All you need to do is open Ledger Live and details of your addresses could be sent to their servers.

yeah, but how can they relate address in Ledger live with you/personally, and your physical address, I do not think that Ledger can do that, just based on addresses in the device, since they cannot know which public address will be created on the device, do they?

I will certainly follow the reddit, it would be good to close Ledger for good, if that can be, their stance on the case is really bad, they actually send you copy/paste e-mail with data that are incorrect, because you can check one in a leaked database, it is public, so one can check which data are exposed, Ledger people as well, how can they inform you different, it is stupid from them
aesma
December 21, 2020, 11:44:49 PM
 #104

They are claiming on Reddit that they did not lie, and the logs and investigation they performed revealed only 9,500 compromised addresses. As I said above, if they aren't lying then they are completely unaware about the security of their own systems, and someone managed to steal a quarter of million customers' details with Ledger being none the wiser. Not that it really matters - either is enough to never use them again.

Makes the recent complaints about ongoing leaks not that far-fetched anymore, doesn't it?



I checked a few zip codes around me and what do you know - the number of ledger buyers per zip code follows known indicators of wealth for those areas, e.g. income and real estate prices. This might turn out to be a very valuable dataset for a wannabe burglar.

Burglars already know that wealthy neighborhoods have wealthy people. What we should be worried about are home invaders, intent to maim and torture to get our crypto.

Maybe time to set up a decoy ledger/secondary PIN with something like 0,1BTC on it to give up to such invaders ?
suchmoon
December 22, 2020, 12:04:06 AM
 #105

Quote from: aesma
Burglars already know that wealthy neighborhoods have wealthy people.

True, but now they know addresses of the ones worth visiting.

Quote from: aesma
What we should be worried about are home invaders, intent to maim and torture to get our crypto.

Maybe time to set up a decoy ledger/secondary PIN with something like 0,1BTC on it to give up to such invaders ?

I thought about it - actually thought about just writing my PIN on the Ledger and handing it over - but then... how many of these decoys should I have? Will the second attacker believe me if I say that I've already been mugged?

Probably just need to make sure the insurance policies are up to date and hope for the best.
aesma
December 22, 2020, 12:17:20 AM
 #106

Such thoughts are pretty bad. I know hackers aren't all nice people but putting home addresses online like that is really nasty. On the other hand if the data is legit, then only my email has leaked.
o_e_l_e_o
December 22, 2020, 10:30:41 AM
 #107

Quote from: casperBGD
yeah, but how can they relate address in Ledger live with you/personally, and your physical address
They will have logs of the IP addresses which make orders through their website, and they could easily keep logs of the IP addresses that each Ledger Live connects from and which addresses they query. Not saying they do do this, but it is certainly possible.

Quote from: aesma
Burglars already know that wealthy neighborhoods have wealthy people.
Stealing something like a laptop or some jewellery and having to pawn them off second hand for a few hundred bucks without getting caught is one thing. Stealing tens or hundreds of thousands of dollars worth of bitcoin and knowing that you can make it untraceable is another.



Now there are reports on Reddit of people receiving scam emails about exchange accounts (notably Coinbase), as well as potential SIM swapping attacks. If you are on this list, at a minimum you should create a brand new email and move all your accounts over to this new email, and make sure you are using either a 2FA app or hardware key (NOT email or SMS) on all your accounts. Preferably change phone number too.
casperBGD
December 22, 2020, 11:05:27 AM
 #108

Quote from: o_e_l_e_o
Quote from: casperBGD
yeah, but how can they relate address in Ledger live with you/personally, and your physical address
They will have logs of the IP addresses which make orders through their website, and they could easily keep logs of the IP addresses that each Ledger Live connects from and which addresses they query. Not saying they do do this, but it is certainly possible.

agree, they could also note the device serial number and transmit it through ledger live to connect to your purchase, but that will sound as they are not even legitimate company at all, and their main purpose is like stealing your funds in some way, isn't it?
nevertheless, I think that they were just ignorant to their buyers, and focused to improve their sales through constant e-mails to their commercial database

Quote from: o_e_l_e_o
Now there are reports on Reddit of people receiving scam emails about exchange accounts (notably Coinbase), as well as potential SIM swapping attacks. If you are on this list, at a minimum you should create a brand new email and move all your accounts over to this new email, and make sure you are using either a 2FA app or hardware key (NOT email or SMS) on all your accounts. Preferably change phone number too.

agree on this one, some security measures to leaked information should be taken, changing of e-mail used for the service should be first one
dkbit98
December 22, 2020, 01:18:51 PM
 #109

Situation is really bad, but that is maybe only way for people to learn how privacy is very very important and to learn how to protect themselves and not repeat same mistakes again.
Now everyone have this famous ledger lists and if we know that ledger keeps customer data information forever, and they have website full of trackers and ads so don't be surprised if they also keep track of everything including IP for using their shitty ledger live app and their website.

Quote from: o_e_l_e_o
at a minimum you should create a brand new email and move all your accounts over to this new email, and make sure you are using either a 2FA app or hardware key (NOT email or SMS) on all your accounts. Preferably change phone number too.

I agree and in future better use PO Boxes people, in some countries they are FREE to use.
Now my GUIDE How to buy a Hardware Wallet the right way should be more popular with people



Betwrong
December 22, 2020, 03:56:38 PM
 #110

I'm currently watching "Help! Ledger Cryptocurrency Hardware Wallet Database Hack: aantonop Emergency Livestream Q&A", and since it's over 2 hours long, here are the most important parts of it, imo.

1. What happened (2 mins)

2. Ledger does not have your keys or seeds (1 min)

3. What should I do? (2 mins)

The main message:

Do not react hastily. Research first.

"Sometimes it's better to just not do anything. And this feels wrong, but it might be the best way." - Andreas Antonopoulos in this video.

Pmalek (OP)
December 22, 2020, 04:14:47 PM
 #111

Check their Terms of Service and Privacy Policy for how to go about doing so.
Their Privacy Policy states that they may keep some personal data archived for up to 10 years if you purchased any of their devices or goods they sell. Apparently due to legal and taxing purposes. Once the required timeframe expires, they claim they will delete any records of you from their systems.

If someone wants to contact them and ask to have their personal data permanently deleted, they can do so by sending an email to privacy@ledger.fr.

LTU_btc
December 22, 2020, 07:01:16 PM
 #112

I checked the leaked data and I was already ready to see my full data leaked, with full name, phone number and home address, but fortunately, there is just my email address.
What I noticed is that in the few recent days I got more phishing Ledger emails than ever, and it can't be unrelated to this data leak.
What is worse, this database wasn't just sold somewhere on the dark web. Now it's available for everyone, so it's a great opportunity for people with bad intentions to use it without putting in any effort to get so many email addresses.

Csmiami
December 22, 2020, 09:40:15 PM
 #113

Quote from: casperBGD
agree, they could also note the device serial number and transmit it through ledger live to connect to your purchase, but that will sound as they are not even legitimate company at all, and their main purpose is like stealing your funds in some way, isn't it?

Or they simply wanted to track their customers after the purchase to collect their consumer habits and use the data to improve their marketing... there's way too many things that could be done without any "bad" intention on their side by doing this.


Have I just created a conspiracy theory?

aesma
December 22, 2020, 11:13:00 PM
 #114

Quote from: o_e_l_e_o
Quote from: casperBGD
yeah, but how can they relate address in Ledger live with you/personally, and your physical address
They will have logs of the IP addresses which make orders through their website, and they could easily keep logs of the IP addresses that each Ledger Live connects from and which addresses they query. Not saying they do do this, but it is certainly possible.

Quote from: aesma
Burglars already know that wealthy neighborhoods have wealthy people.
Stealing something like a laptop or some jewellery and having to pawn them off second hand for a few hundred bucks without getting caught is one thing. Stealing tens or hundreds of thousands of dollars worth of bitcoin and knowing that you can make it untraceable is another.

Sure, but in that case what matters is having addresses from the hack. In fact addresses in wealthy places might not be the best ones, as there might be better security, gated communities, police that comes quickly, alarms, CCTV, etc.
examplens
December 22, 2020, 11:58:10 PM
 #115

I received today another suspicious email, probably a continuation of all this. Sent from noreply@ledger.com-ez29-server-14-secure.es26-email-ssl.cloud
Gmail did not recognize it as a dangerous email which is strange to me, especially since there is a link with redirection in the email.

Code:
Your Device has been deactivated.

You are required to pass identification:
https://docs.google.com/document/d/e/2PACX-1vQljtzMSIcxGYPbO3vwkSMJYAP5PdG0xqhzDFyVbD9WUqBSKoezHCWqsI7KL3n33XuslU0qc-DNfauy/pub?embedded=true

Ledger Verification Team.
8N3S-L7TN2L34WN ZE0080

Csmiami
December 23, 2020, 01:00:06 AM
 #116

----

I stand corrected; they sent a second email that did go straight to the spam folder; you have to laugh... On said second email, they apologize for nothing, but the title adds a nice ERRATUM word; and a newly underlined phone number appears on the list of items that have been compromised. They are still missing the email address, so I guess there's still room for an ERRATUM ERRATUM? The rest of the email is exactly the same.

Pmalek (OP)
December 28, 2020, 04:01:49 PM
Last edit: November 12, 2023, 10:04:56 AM by Pmalek
 #117

New day brings a new phishing surprise. This time the story is directed and brought to you by our dear Prince Shaon. Prince Shaon didn't put much thought to it so he simply wrote from a Gmail account. Ohh, bless him. Our prince suggests we all download his 'additional wallet' so that our accounts don't get hacked. Noble of him indeed. Too bad he signed the email like the Ledger CEO did in the genuine emails that were sent to users.

I would have preferred a signature by Prince Shaon instead. Makes me sad looking at it this way.
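
A sender and link check for the two phishing styles reported in this thread (the lookalike sender address in #115 and the Gmail sender in #117), as an added example that is not part of any post here. The function names, the free-mail list, the treatment of ledger.com and ledger.fr as the brand's own domains, and the sample body with its placeholder link path are assumptions made for illustration.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlsplit

BRAND = "ledger"
# Domains treated as the brand's own (assumption). Both appear in the thread:
# ledger.com is what the phishing sender imitates, ledger.fr hosts the privacy@ contact.
BRAND_DOMAINS = {"ledger.com", "ledger.fr"}
FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com"}  # assumption: short illustrative list
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable_domain(host):
    """Naive eTLD+1 (last two labels). Assumption: adequate for .com/.fr/.cloud;
    a real filter should use the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def classify_sender(from_header):
    """Classify the From: header of a mail that claims to speak for BRAND."""
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return "malformed"
    host = addr.rsplit("@", 1)[1].lower()
    reg = registrable_domain(host)
    if reg in BRAND_DOMAINS:
        return "brand-domain"  # necessary, not sufficient: SPF/DKIM/DMARC must also pass
    if BRAND in host:
        return "lookalike-domain"  # brand string sits in labels the sender controls
    if BRAND in display.lower():
        return "freemail-impersonation" if reg in FREEMAIL else "display-name-impersonation"
    return "unrelated"


def off_brand_links(body):
    """Hosts of links in the body whose registrable domain is not the brand's."""
    hosts = []
    for url in URL_RE.findall(body):
        host = (urlsplit(url).hostname or "").lower()
        if registrable_domain(host) not in BRAND_DOMAINS and host not in hosts:
            hosts.append(host)
    return hosts


def triage(from_header, body):
    """Combine both checks into one verdict for a single message."""
    sender = classify_sender(from_header)
    links = off_brand_links(body)
    claims_brand = sender != "unrelated" or BRAND in body.lower()
    # Conservative: a brand-claiming mail is flagged if the sender is not on a brand
    # domain, or if it sends the reader to a host outside the brand's domains.
    suspicious = claims_brand and (sender != "brand-domain" or bool(links))
    return {"sender": sender, "off_brand_links": links, "suspicious": suspicious}


# Sender address as quoted in #115; the body is a constructed sample with a placeholder path.
LOOKALIKE_FROM = "noreply@ledger.com-ez29-server-14-secure.es26-email-ssl.cloud"
SAMPLE_BODY = (
    "Your Device has been deactivated.\n"
    "You are required to pass identification:\n"
    "https://docs.google.com/document/d/e/PLACEHOLDER/pub?embedded=true\n"
    "Ledger Verification Team.\n"
)
# Constructed sample: brand display name on a free-mail account.
FREEMAIL_FROM = "Ledger Support <someone.example@gmail.com>"

if __name__ == "__main__":
    print(triage(LOOKALIKE_FROM, SAMPLE_BODY))
    print(triage(FREEMAIL_FROM, "Please download our additional wallet."))
```

The lookalike address is caught because its registrable domain is es26-email-ssl.cloud, not ledger.com, and the link is flagged even though docs.google.com is a reputable host, which is one reason a reputation-based filter can let such a mail through.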



suchmoon
December 28, 2020, 04:43:01 PM
 #118

Quote from: Pmalek
New day brings a new phishing surprise. This time the story is directed and brought to you by our dear Prince Shaon.

Oooohhhh.... Ledger CEO being the crown prince of Nigeria would make perfect sense. Both have the habit of treating recipients of their e-mails as utter idiots.
aesma
December 28, 2020, 08:43:16 PM
 #119

The one I got was very nice, probably the best scam email I ever got, a big paragraph in good English, not a single mistake/typo. Maybe why it got through antispam filters. The sending address gave it away though as well as the fact it wants you to download something, with a link, of course.
HCP
December 28, 2020, 09:38:08 PM
Last edit: November 15, 2023, 12:30:10 AM by HCP
 #120

They're just getting lazy now... no text... obviously fake email, no sign off... just a straight up link to Google Docs

