Ledger database leak --> Phishing

[GrosWesh]

@Theymos, @everyone reading



Hi there,

I momentarily got out of my local board (french) to come and share an idea with you :

In the same way you warned the users of this forum a few months ago about a security breach affecting electrum, I humbly think that it might be good to inform the community of the dangers incurred following the receiption of phishing emails targeting ledger wallet owners.

Unfortunately this scam is rather well thought out and some people on this forum have already been tricked.

My 2 sats ! 

https://www.theblockcrypto.com/linked/82336/ledger-is-investigating-phishing-scam-that-targets-wallet-users

Thank you for reading.

[1714873795]

1714873795

[1714873795]

1714873795

[jackg]

Can you send a pm to Theymos about this? It might be something we could do with them responding to fairly fast, I saw a thread on it yesterday and it seems up to 1 million people have had their information leaked...

It might not reach them all but it'll hopefully reach some...

[GrosWesh]

Can you send a pm to Theymos about this? It might be something we could do with them responding to fairly fast, I saw a thread on it yesterday and it seems up to 1 million people have had their information leaked...

It might not reach them all but it'll hopefully reach some...

I'll pm Theymos now.


Danger has been around for latest few days already, but if something were put in place (as simple as a disclaimer) it might save some people from falling into the trap (especially since Ledger wallets are among the most used in the world).

[Saint-loup]

-snip
https://www.theblockcrypto.com/linked/82336/ledger-is-investigating-phishing-scam-that-targets-wallet-users

Thank you for reading.

A Ledger spokesperson told The Block the company has experienced "continuous phishing scams" that often involve "malicious false actors trying to compromise Ledger's integrity and customer information." The spokesperson said the company has deployed an internal task force to investigate the latest attack.

"The investigation is ongoing and at this time we cannot give any additional information but one thing is for certain Ledger will never ask you for your 24-word recovery phrase, which is a blatant sign of a phishing scam," the spokesperson told The Block.

I don't understand why Ledger doesn't sign its mails (and even its messages on other media) with a PGP key. It should be a standard in the crypto industry for all this kind of companies.  

[mk4]

Weirdly enough, I haven't received such an email even if I bought twice from Ledger's website in the past. Change your email addresses from time to time ladies and gents!

[hugeblack]

I don't think that a high percentage of users use hardware wallets, let alone Ledger, so the comparison with electrum wallet seems wrong. It is also the responsibility of the company to try according to such violations.

I don't understand why Ledger doesn't sign its mails (and even its messages on other media) with a PGP key. It should be a standard in the crypto industry for all this kind of companies.  

Most hardware wallets users are people who care more about profits than privacy and security, so it is natural that most of them do not understand how to sign a message and other things.

[Poker Player]

This is only the consequence of what happened last July. The Ledger database was hacked and the hackers got 1 million emails.

https://decrypt.co/37063/bitcoin-wallet-ledgers-database-hacked-for-1-million-emails

Ledger warned us by email and since then, the amount of spam I receive has increased a lot.

Phishing attempts are just one more step. Now they are not going to leave us alone.

Good initiative, OP, there can always be someone who's off track, although I think most of us are aware.

[Lucius]

Personally, I did not receive such an e-mail, but a week ago I received an e-mail from Ledger that something like this was happening. I believe all other Ledger users have received (or will receive such a warning) and it is up to them just to read it. Various phishing attacks on Ledger users last constantly for months or even years, and anyone who does not know that the seed should not be entered anywhere but in the device itself (HW), will become a victim regardless of all possible warnings.

In the same way you warned the users of this forum a few months ago about a security breach affecting electrum..

It would have been more accurate a few years ago, but the fact is that there were still dozens of those who were completely unaware that there was any kind of phishing attack at all. Important Announcements not a very popular board, and only 3171 clicks in almost 2 years for that thread speaks for itself.

[Rizzrack]

Seems they also use punycodes in the url

...you can see that the url is incorrect (notice the dot on the second ‘e’ => ledgėr)...

https://www.coindesk.com/phishing-attack-ledger-cryptocurrency-wallet

I enabled IDN_show_punycode in my browser settings and the ledgėr.com would look like this: xn--ledgr-9za.com

You can read more info here: UPDATED!!! Punycode and how to protect yourself from Homograph Phishing attacks?

[jademaxsuy]

Probably there is no breach that has happen to ledger live system and they only got the email of ledger user to different site which has been breach. Why not others are not receiving the said email? Probably scammers uses this phishing method as mention by @erikoy in his post.

Dragnet Method - This method involves the use of spammed emails, bearing falsified corporate identification (e.g Trademarks, logos, and corporate names), that are addressed to a large class of people (e.g., customers of a particular financial institution or members of a particular auction site) to websites or pop-up windows where they are requested to enter bank or credit card account data or other personal data.

High chances that scammers are only using this method to scam other people. Well, of course let's wait and see the official announcement coming from ledger team.

[Insanerman]

Weirdly enough, I haven't received such an email even if I bought twice from Ledger's website in the past. Change your email addresses from time to time ladies and gents!

Maybe you haven't received because you gradually change your email address, in which almost 0.1 out of 10 people do, as many uses their emails in various platforms and businesses/jobs as well. Though it's a bit tiring and security really depends on your precautionary measures in your accounts, changing it would just simply make track of you with your previous email accounts. Also, phishing do only involves when a user visits a certain link. One thing that we must do is to both use this safety precaution:

Seems they also use punycodes in the url

...you can see that the url is incorrect (notice the dot on the second ‘e’ => ledgėr)...

https://www.coindesk.com/phishing-attack-ledger-cryptocurrency-wallet

I enabled IDN_show_punycode in my browser settings and the ledgėr.com would look like this: xn--ledgr-9za.com

You can read more info here: UPDATED!!! Punycode and how to protect yourself from Homograph Phishing attacks?

or just don't visit external links at all, especially those that are attached within emails.

[mk4]

Maybe you haven't received because you gradually change your email address, in which almost 0.1 out of 10 people do, as many uses their emails in various platforms and businesses/jobs as well.

I still have access to that old email that I used though.

Also, phishing do only involves when a user visits a certain link.

Not in this case. The topic is about hackers/scammers taking advantage of the Ledger database that's been leaked.

[eddie13]

Most hardware wallets users are people who care more about profits than privacy and security, so it is natural that most of them do not understand how to sign a message and other things.

What? Lol
What is more secure than a ledger exactly?
Short of having a dedicated airgapped machine to make cold wallets with, what’s better?
I don’t consider my computers very safe to store coins in with electrum or such.. Ledger it is for me..
Pretty easy to sign messages from a ledger also..And probably more secure than what 90% of users are signing messages from..

Think I bought mine on amazon so I don’t think they have my email..

[Saint-loup]

I don't understand why Ledger doesn't sign its mails (and even its messages on other media) with a PGP key. It should be a standard in the crypto industry for all this kind of companies.  

Most hardware wallets users are people who care more about profits than privacy and security, so it is natural that most of them do not understand how to sign a message and other things.

They don't need to know how to sign an email, they just need to know how to check a mail PGP signature. It's not very complicated with gpg, moreover several email clients and even webmails(like proton mail for example) are doing it almost automatically. But the main goal is to dissuade scammers from trying to do it.

Most hardware wallets users are people who care more about profits than privacy and security, so it is natural that most of them do not understand how to sign a message and other things.

What? Lol
What is more secure than a ledger exactly?
Short of having a dedicated airgapped machine to make cold wallets with, what’s better?
I don’t consider my computers very safe to store coins in with electrum or such.. Ledger it is for me..
Pretty easy to sign messages from a ledger also..And probably more secure than what 90% of users are signing messages from..

Think I bought mine on amazon so I don’t think they have my email..

Using multisig wallets(one on your PC, another one on your smartphone) is also a pretty safe solution IMO.

[GrosWesh]

Weirdly enough, I haven't received such an email ...

Personally, I did not receive such an e-mail...

According to that kind of thread, lot of people did not receive any mail from Ledger when the leak occured in July.

https://www.reddit.com/r/ledgerwallet/comments/jhm12n/lets_talk_about_the_recent_fake_mail_from_ledger/

Coming back to the thread, I do not agree with the person who said a few posts ago that only greedy people use this kind of wallet and that true tech enthusiasts do not. One does not preclude the other and until proven otherwise, a cold wallet remains an excellent way to store assets.

[hilariousetc]

I got one and it does look very convincing if you don't pay attention. I actually assumed it was legit at first but don't have any money in my ledger wallet so I wasn't that bothered by it and didn't take any action. It's pretty annoying that businesses like this can't keep your details safe, especially when having them leaked could cause major thefts or much worse if your home addresses were leaked as well. I wonder if there can or will be lawsuits over stuff like this? It seems it's not that uncommon for exchanges to get compromised and people's KYC details are leaked and will always find their way onto the internet somehow which is very dangerous. If companies can't be trusted to keep this stuff safe then I think they should start to face consequences.

[bob123]

In the same way you warned the users of this forum a few months ago about a security breach affecting electrum, I humbly think that it might be good to inform the community of the dangers incurred following the receiption of phishing emails targeting ledger wallet owners.

Electrum had a (admittedly not severe at all) vulnerability.

But there is no new ledger hardware wallet vulnerability. The only risk lies in getting phishing mails, which people receive anyways.

I don't get why a forum should warn its user about phishing mails from a completely different company.
In fact, it could even lead to a perceived security, in times where there is no such warning. But those phishing mails are still being sent. 24 hours a day, 7 days a week and 52 weeks a year.


IMO unnecessary.

[Poker Player]

I got one and it does look very convincing if you don't pay attention.

Indeed.

I've just received two, identically the same. I don't know why they have sent me two. But I've checked to see what was happening and I've realized that the phishing ones come from support@ledger.cam while the one I got warning me of the phishing scam attempts came from noreply@ledger.com.

[btcltcdigger]

I've received this email also, actually 2 of them.
In the first one they had a typo and wrote " malware. malware" and few minutes later another one arrived witht the mistake corrected.

[GrosWesh]

I don't get why a forum should warn its user about phishing mails from a completely different company.
In fact, it could even lead to a perceived security, in times where there is no such warning. But those phishing mails are still being sent. 24 hours a day, 7 days a week and 52 weeks a year.


IMO unnecessary.

I understand and respect your point of view.

However i thought (probably a little naively) that highlighting such an information would be a little service (at no cost to the forum) that possibly could avoid big disappointments for some members. Basically a form of mutual aid...

But I also think bitcointalk is probably too big (so less in a family state of mind) for that. 

[UserU]

I don't get why a forum should warn its user about phishing mails from a completely different company.
In fact, it could even lead to a perceived security, in times where there is no such warning. But those phishing mails are still being sent. 24 hours a day, 7 days a week and 52 weeks a year.

Fair point.

Well I guess that being a Bitcoin-centric forum, surely there are some users that own Ledgers so it's still a piece of useful news that could come in handy.

[Poker Player]

I got one and it does look very convincing if you don't pay attention.

Indeed.

I've just received two, identically the same. I don't know why they have sent me two. But I've checked to see what was happening and I've realized that the phishing ones come from support@ledger.cam while the one I got warning me of the phishing scam attempts came from noreply@ledger.com.

I just received another such email in my inbox, even though I reported that address as phishing. They are good. The problem is, now that they have our email addresses, they are not going to stop.

If I buy another hard wallet, I will buy Trezor.

[GrosWesh]

I just received another such email in my inbox, even though I reported that address as phishing. They are good. The problem is, now that they have our email addresses, they are not going to stop.

If I buy another hard wallet, I will buy Trezor.

They are patient and vicious: the hack took place at the end of July and they waited several months before going on the offensive.

I received 3 * 2 mails (yes in duplicate each time) With variations.

I have been receiving messages on my smartphone since a few days.



Like you wrote, it's not about to stop  . (In addition, when it no longer traps many people, the data can be sold on the darknet..)

[hilariousetc]

I got one and it does look very convincing if you don't pay attention.

Indeed.

I've just received two, identically the same. I don't know why they have sent me two. But I've checked to see what was happening and I've realized that the phishing ones come from support@ledger.cam while the one I got warning me of the phishing scam attempts came from noreply@ledger.com.

I just received another such email in my inbox, even though I reported that address as phishing. They are good. The problem is, now that they have our email addresses, they are not going to stop.

If I buy another hard wallet, I will buy Trezor.

Well trezor could be hacked too. It's probably a good idea to use multiple email addresses and keep one for personal stuff and have others for everything else to minimise exposure. Any company can suffer hacks and data breaches though.

I just received another such email in my inbox, even though I reported that address as phishing. They are good. The problem is, now that they have our email addresses, they are not going to stop.

If I buy another hard wallet, I will buy Trezor.

They are patient and vicious: the hack took place at the end of July and they waited several months before going on the offensive.

They might have just been waiting for the highest bidder. The trouble is once the data is out there it goes exponential as the people who bought it will sell it onto someone else and so on and it gets cheaper and cheaper every time until it just becomes public data at some point.

[Lucius]

I received 3 * 2 mails (yes in duplicate each time) With variations.
I have been receiving messages on my smartphone since a few days.

I haven't received any phishing e-mail yet, but you say here that you received messages on your smartphone as well, do you mean text messages? I know our phone numbers have also leaked, and that somehow seems even more dangerous to me than e-mails. In addition to using SMS, there is the possibility of fake calls that will be presented as fake Ledger support, not to mention that everyone should be careful about SIM swap, so it is not smart to use compromised phone numbers for 2FA.

[Pmalek]

@Lucius
At the moment it is difficult to say how many phone numbers were leaked. Ledger initially claimed it was only 9.500 users who had data, such as full name, address, and phone numbers leaked. If I consider their most recent behavior and what crap they were focused on when they should have handled security concerns, I can't really say that I trust what they say is true.

Maybe you saw Csmiami-s post from a few days ago. Ledger stated they contacted each of the 9.500 users who had all their personal data leaked. Csmiami received a fake SMS message, but he never received that personalized email that Ledger promised they would send their users to warn them.

That could mean that they forgot to send him an email, or the compromise is much bigger than what they initially thought. He could also be lying (which I don't think he is) or he forgot he received the initial email. Or it could mean that Ledger is lying or they don't know the extent of the hack.

This was Csmiami-s post:

Surprise surprise; I've checked back all the emails Ledger sent me around that time, and besides the general email (saying the same that the blog entry says), I did not receive any "dedicated email", but what I have received is a SMS addressing me by the name I provided to the company at the time I made my only purchase to them. This leads me to believe that I was between those alleged 9.500 users, but was never notified.

[Csmiami]

As I've been mentioned here, I'd like to correct a small misconception I've read on the thread:

The hack didn't take place in July; it was detected in July, and no report has been published saying when thta did happen, so one can only imagine how many data they've been able to steal over the...months? years?

Apart from that, I contacted Ledger to double check (I mean, it was obvious but still) whther the SMS I received was fake or not; and they confirmed it was fake; but did mention nothing about me being part of those alleged 9500 people. The rest of the reply was a copy paste BS about opsec. And I know it was a copy-paste because I've mentioned the word SMS 3 times in my original email, and they responded with a "the email you received...."

Hope this couple of clarifications make you think a bit...

[GrosWesh]

I received 3 * 2 mails (yes in duplicate each time) With variations.
I have been receiving messages on my smartphone since a few days.

I haven't received any phishing e-mail yet, but you say here that you received messages on your smartphone as well, do you mean text messages? I know our phone numbers have also leaked, and that somehow seems even more dangerous to me than e-mails. In addition to using SMS, there is the possibility of fake calls that will be presented as fake Ledger support, not to mention that everyone should be careful about SIM swap, so it is not smart to use compromised phone numbers for 2FA.

Yep i mean Sms.

In this message, i was advised to connect to their site at the following address :



I entered this address on a pc and here is the result 




Regarding fake calls from 'Ledger' I cannot be trapped since i decided not to use my ledger anymore. I'm very angry with my Nanox but that's another whole subject (access problems 'Failed to sign with Ledger device: U2F TIMEOUT').


And yes unfortunately, the risk of sim swapping is increased in this case.

As I've been mentioned here, I'd like to correct a small misconception I've read on the thread:

The hack didn't take place in July; it was detected in July, and no report has been published saying when thta did happen, so one can only imagine how many data they've been able to steal over the...months? years?

Apart from that, I contacted Ledger to double check (I mean, it was obvious but still) whther the SMS I received was fake or not; and they confirmed it was fake; but did mention nothing about me being part of those alleged 9500 people. The rest of the reply was a copy paste BS about opsec. And I know it was a copy-paste because I've mentioned the word SMS 3 times in my original email, and they responded with a "the email you received...."

Hope this couple of clarifications make you think a bit...

So true !

[Daltonik]

Meanwhile, according to the telegram channel @Goldfoundinshit TM, funds stolen from the owners of the Ledger wallet have started to move.
From the wallet address bc1q9g52wp96ndzma850jl2ncummwsxzrj0alwd6js where there were 107 BTC scammers brought bitcoins to 2 addresses:

bc1qrzpl4y8qvpngkfqdh9apjs8maajp4fvkzk3exa - 51.9 BTC
 bc1qr93x4pwnwk9cqtp8jj0myqkwrudh9a0acjqxjl - 55.47 BTC

The screenshot shows a graphic image of the movement of funds as a result of a phishing attack on wallet owners, where the victims ' transactions to the phishing address are represented as rays, and the unspent outputs are represented as cubes.

[GrosWesh]

I'm posting here again because there is something new and unfortunately the phishing and other scams attempts are not about to stop since someone has made the stolen database available for free on 'raidforums'.

https://twitter.com/JimmyMcShill/status/1340733120610447365

Ledger confirmed 

https://twitter.com/Ledger/status/1340769565639233536

[Pmalek]

We can now expect new phishing campaigns by various individuals and hacking groups. The first series of attacks were well-composed and looked pretty good compared to the usual phishing spam by partially illiterate rejects. Now everyone can get access to the database, if in fact it is the real database and not something malware infected.

[hilariousetc]

I'm posting here again because there is something new and unfortunately the phishing and other scams attempts are not about to stop since someone has made the stolen database available for free on 'raidforums'.

https://twitter.com/JimmyMcShill/status/1340733120610447365

Ledger confirmed 

https://twitter.com/Ledger/status/1340769565639233536

It's always only a matter of time before these things go public. The data gets cheaper and cheaper as people resell it on to as many people as they can until it practically becomes worthless or worth very little and finally some cunt just releases it for free. It seems it's behind some sort of a paywall though (if you can call it that) but for only 8 of their forum credits which can either be purchased for less than 8 euros or even earned for free there (I guess they have a similar sort of merit system there as to here where you can reward posts and data leaks etc).

Does anyone know if there's a way to search what data has been released from ledger? It seems that some people only had their emails leaked whilst others had their full addresses and phone numbers. I wonder if there'll be lawsuits over this?

We can now expect new phishing campaigns by various individuals and hacking groups. The first series of attacks were well-composed and looked pretty good compared to the usual phishing spam by partially illiterate rejects. Now everyone can get access to the database, if in fact it is the real database and not something malware infected.

I've had a couple of half-assed attempts already the past couple of days.

[DdmrDdmr]

<…> Now everyone can get access to the database, if in fact it is the real database and not something malware infected.

It look very real to me, much more that we’d like it to be... there are two files:

- The personal data file (purchases) has full contact information for:
8k Spain
17k France
23k Germany
And so on, bearing email, name & surnames, full address and phone number.

- The email has over 1M emails.

What a fuckup … One that does warrant a lawsuit (I’ve seen some talk about it here and there, but not sure how committed the initiatives are).

[Pmalek]

What a fuckup … One that does warrant a lawsuit (I’ve seen some talk about it here and there, but not sure how committed the initiatives are).

I guess someone could file a complaint against Ledger if he suffered financial loss. Not sure what the law is in cases like this were data is leaked but it didn't lead to financial loss. Maybe claiming that the privacy leak caused you distress, sleepless nights, and emotional trauma. It could probably work in the US, but Europe...   

[Lucius]

Does anyone know if there's a way to search what data has been released from ledger? It seems that some people only had their emails leaked whilst others had their full addresses and phone numbers. I wonder if there'll be lawsuits over this?

Just use link from GitHub posted by xoso, click on Ledger.rar -> Go to file -> Click on View Raw and there you can search in buyer txt file or All emails file inside your browser by using CTRL+F.

Thanks, @suchmoon for reminded me of how to search for something inside browser.

[mole0815]

Just received the official mail from noreply@ledger.com

Security Notice
What happened?
We contacted our customers last July to tell them that part of our e-commerce marketing database had been leaked.

Yesterday we were informed about the dump of the content of a Ledger customer database on Raidforum. We believe this to be the contents of our e-commerce database from June, 2020. For specific questions please refer to the FAQ, which we will continue to update to address your concerns.

What information was involved?
At the time of the incident, in July, we engaged an external security organisation to conduct a forensic review of the logs available. This review of the logs enabled us to confirm that approximately 1 million email addresses had been stolen as well as 9,532 more detailed personal information (postal addresses, name, surname and phone number) that we were able to specifically identify.

The database publicly released yesterday shows that a larger subset of detailed information has been leaked, approximately 272,000 detailed information such as postal address, last name, first name and telephone number of our customers. These details are not available in the logs that we were able to analyse.

If you are part of the detailed personal information subset, you will receive a specific email notifying you within the next 24 hours (check your spam box).

It is important to note that this data breach is not linked to our hardware wallets nor Ledger Live security and your crypto assets are safe and not in peril of being compromised. Due to our comprehensive security scheme, attackers cannot steal your sensitive information like recovery phrases and private keys unless you give it to them. You are the only one in control and able to access this information. DO NOT GIVE YOUR 24 WORDS TO ANYONE. Ledger will NEVER ask you for your 24 words.

What we are doing
Since July, we notified our clients in several communications via email, blog posts, and Twitter. We are doing everything possible to make Ledger stronger for the future. We have hired a new Chief Information Security Officer (CISO). We are further hardening our already strong systems and have thoroughly reviewed our data policy. We executed penetration tests and forensic analysis with external security firms to test these and find any additional vulnerabilities on our e-commerce systems.

We are continuously working with law enforcement to prosecute hackers and stop these scammers. We have taken down more than 170 phishing websites since the original breach. We have notified the French data protection authority regarding the data breach and are working with other data protection authorities across the world. Our Customer Support team is working 24/7 to answer your questions.

We are doing everything we can to proactively deal with this critical situation and prevent anything similar in the future. We wish we could turn back the hands of time and make this problem disappear. Unfortunately we cannot, so we are focused on today and the future. Please be sure we are more focused than ever on security in every part of our customer experience.

What you can do
We recommend you exercise caution -- always be mindful of phishing attempts by malicious scammers. Ledger will never ask you for the 24 words of your recovery phrase, not even in Ledger Live. Ledger will never contact you via text messages or phone call.

Furthermore, while we do all we can, we suggest you visit the security section of Ledger Academy to educate yourself on general security principles and more precisely our article about phishing attacks. Also, familiarize yourself with the anatomy of these ongoing phishing campaigns and report any phishing you experience on this dedicated page.

If you want to know if your information may have been exposed previously head to https://haveibeenpwned.com/

We have taken immediate action to resolve the damage, and are diligently working to protect all customer information. We are extremely regretful that this incident impacts our customers and recognize it will take time to restore your confidence. We will do everything in our power to show you that this has made Ledger better, stronger, and more secure.

Sincerely,
Pascal Gauthier
CEO, Ledger

This page contains all the latest info and will be used as a source of info in the future:
https://support.ledger.com/hc/en-us/articles/360015559320-E-commerce-and-Marketing-data-breach-FAQ

[UserU]

Just received the official mail from noreply@ledger.com

Was it categorized under Spam? I received 2, most probably the one you quoted earlier but I didn't want to click on either because of the compromise.

[mole0815]

Just received the official mail from noreply@ledger.com

Was it categorized under Spam? I received 2, most probably the one you quoted earlier but I didn't want to click on either because of the compromise.

The official mails are very rarely blocked and come from @ledger.com

The other Mails often ends up in spam.
Always check the sender (even better header) and always, always, always! be careful.

Some other infos: https://support.ledger.com/hc/en-us/articles/360035343054-Beware-of-phishing-attempts

[TryNinja]

Was it categorized under Spam? I received 2, most probably the one you quoted earlier but I didn't want to click on either because of the compromise.

Mine went to the Spam folder (also from noreply@ledger.com).

I already received 2 phishing emails since yesterday. One of them from "Ledger Alerts", asking me to do a KYC to "unlock" my wallet. =/

[GrosWesh]

I already received 2 phishing emails since yesterday. One of them from "Ledger Alerts", asking me to do a KYC to "unlock" my wallet. =/

I also received 4 phishing emails and 2 phone calls today ...

A lot of people will grab the data n try to launch small scams ...

I think i'll have to change email and phone number ... ty ledger 

[Poker Player]

I could see the data and I'm happy that my personal details are not in the documents leaked. Maybe because I bought the Ledger a few years back? My email is there but I already knew that. Also, I don't hold a lot of bitcoin but I would feel uneasy if I knew my full name and address had been leaked.

[UserU]

Was it categorized under Spam? I received 2, most probably the one you quoted earlier but I didn't want to click on either because of the compromise.

Mine went to the Spam folder (also from noreply@ledger.com).

I already received 2 phishing emails since yesterday. One of them from "Ledger Alerts", asking me to do a KYC to "unlock" my wallet. =/

Same, I noticed one had a bunch of strings attached (xxxxxxx.no-reply@ledger.com) and the other was just no-reply@ledger.com.

Now those people are gonna have a field day spam calling and emailing the hell out of us.

[Pmalek]

Just use link from GitHub posted by xoso, click on Ledger.rar -> Go to file -> Click on View Raw and there you can search in buyer txt file or All emails file inside your browser by using CTRL+F.

Do you mean that you can view the contents of the file without actually downloading and extracting it on your computer? I couldn't do it the first time. When I clicked on 'View Raw' it said that the file is too big and automatically initiates a download. I don't feel like downloading something from a user I don't know. Now it also seems that xoso's post got deleted.

[Rikafip]

Do you mean that you can view the contents of the file without actually downloading and extracting it on your computer? I couldn't do it the first time. When I clicked on 'View Raw' it said that the file is too big and automatically initiates a download. I don't feel like downloading something from a user I don't know. Now it also seems that xoso's post got deleted.

@btcltcdigger shared the list in our local board, so no need to download anything.

Skinuo sam ja.
Imas ovdje sve https://realt.services/ledger/

Luckily I am not among those with personal details leaked, and I am sure it isn't fun at all seeing your name, address and even phone number. My email is leaked though, but no spam as of yet.

[hilariousetc]

I could see the data and I'm happy that my personal details are not in the documents leaked. Maybe because I bought the Ledger a few years back? My email is there but I already knew that. Also, I don't hold a lot of bitcoin but I would feel uneasy if I knew my full name and address had been leaked.

It probably depends on whether you asked them to store your details or not. The hack happened in June 2020, and they said 1 million email addresses were leaked but only 10k users personal details were included (addresses, phone numbers etc).

Just use link from GitHub posted by xoso, click on Ledger.rar -> Go to file -> Click on View Raw and there you can search in buyer txt file or All emails file inside your browser by using CTRL+F.

Do you mean that you can view the contents of the file without actually downloading and extracting it on your computer? I couldn't do it the first time. When I clicked on 'View Raw' it said that the file is too big and automatically initiates a download. I don't feel like downloading something from a user I don't know. Now it also seems that xoso's post got deleted.

Same thing happened to me, but I managed to view it in the end. My details aren't on there thankfully, but I got emails from Ledger saying my details were included. Not sure what's going on.

Luckily I am not among those with personal details leaked, and I am sure it isn't fun at all seeing your name, address and even phone number. My email is leaked though, but no spam as of yet.

Yeah. A lot of people from this forum could be exposed if they used the same email address they used to sign up to the forum. I wonder if any real world robberies will be attempted because of this? It's really not a nice thought to think that nefarious individuals will have your address and phone number and know that you're involved in bitcoin in some capacity. I guess it would be hard to target idividuals because you don't know whether they have 1 dollar in bitcoin or millions.

[GrosWesh]

Same thing happened to me, but I managed to view it in the end. My details aren't on there thankfully, but I got emails from Ledger saying my details were included. Not sure what's going on.

fortunately you seem not to be on 'full data' list (name+add etc...). A second db provides tons of mails that were linked to ledger in another way (mostly newsletter).

[Marvelman]

Yeah. A lot of people from this forum could be exposed if they used the same email address they used to sign up to the forum. I wonder if any real world robberies will be attempted because of this?

Reportedly, there are some users on Reddit who have received personal threats and ransom emails based on the personal information exposed. A very disturbing thought.

Lots of reports on Reddit of people receiving ransom emails with their real name and address, and demanding payment to not be physically attacked. Horrendous.
[snip]

[Rikafip]

I wonder if any real world robberies will be attempted because of this? It's really not a nice thought to think that nefarious individuals will have your address and phone number and know that you're involved in bitcoin in some capacity. I guess it would be hard to target idividuals because you don't know whether they have 1 dollar in bitcoin or millions.

To be honest, I would be surprised if that didn't happen, dodgy characters checking list and trying to find people from their cities/neighbourhoods etc. Their line of thinking could be something like this "If he bought hardware wallet, that means he has decent amount of crypto, as why else would he invest in one if he has few hundreds of dollars worth of crypto". Add on that current bitcoin price, so you don't need to have 10 or 20 BTC in order for someone to try something stupid.

It's been never easier to track someone, with all those social media platforms where people share every aspect of their lives. Where they work, where they drink, where they eat etc..

[hilariousetc]

Same thing happened to me, but I managed to view it in the end. My details aren't on there thankfully, but I got emails from Ledger saying my details were included. Not sure what's going on.

fortunately you seem not to be on 'full data' list (name+add etc...). A second db provides tons of mails that were linked to ledger in another way (mostly newsletter).

Yeah, maybe, but I have ordered from them before so not sure why they would only have my email.

Yeah. A lot of people from this forum could be exposed if they used the same email address they used to sign up to the forum. I wonder if any real world robberies will be attempted because of this?

Reportedly, there are some users on Reddit who have received personal threats and ransom emails based on the personal information exposed. A very disturbing thought.

Lots of reports on Reddit of people receiving ransom emails with their real name and address, and demanding payment to not be physically attacked. Horrendous.
[snip]

As nasty as that is I think most of them will just be hollow threats hoping they can spook you into paying them. It's like the spam blackmail emails you get asking for payment to not release the webcam 'footage' they apparently have on you. Obviously there is no footage but they're hoping people will be worried enough and just cough up the money. I would advise anyone getting any of these sorts of emails to just ignore them. Maybe change your phone number or just block the numbers if they're getting nuiscans calls and texts but these attacks will probably die down quite quickly. Your data will always be out there now though so might be best getting a new number and email if you're worried.

Hopefully this is a warning/wake up call for everyone that your data is never truly safe with any third party and to take extras safety measures to prevent your details in case they are ever leaked like this.

[Lucius]

Do you mean that you can view the contents of the file without actually downloading and extracting it on your computer?

Exactly, even though that notice still stands there, I can still see all the data without downloading it. I can't say why this option works for some and not for others, maybe it's about internet speed, or it has something to do with the browser. Someone deleted a post with a link, but there is another one in Development & Technical Discussion.

Same thing happened to me, but I managed to view it in the end. My details aren't on there thankfully, but I got emails from Ledger saying my details were included. Not sure what's going on.

Nothing surprises me anymore when it comes to Ledger, because if you're not on the list, why send a notification that you actually are, and in that way confuse you Somehow it seems to me that this circus has no end in sight, who knows what other surprises Ledger is preparing for us.

Yeah. A lot of people from this forum could be exposed if they used the same email address they used to sign up to the forum.

But that e-mail address should only be visible to the admin/s and maybe to the mods if that rule applies when reporting post to moderator (although I think you once mentioned that this is not the case). Maybe you are referring to email addresses that have become publicly available in hacking our forum database back in 2015?

I guess it would be hard to target idividuals because you don't know whether they have 1 dollar in bitcoin or millions.

I’ve already commented in another thread that it’s not the same to rob someone online compared to physical robbery - like you say there’s no point in randomly attacking people without knowing how much they actually own. However, with all the available information, I have no doubt that there will be no attempted physical robberies that will be preceded by fake calls or messages from tax administrations or something similar.

[lovesmayfamilis]

In addition to the fact that many people were scared by the pandemic in 2020, Ledger owners today also fear for their lives due to their data leaks. People start to fear for their families.
 I think those who have accumulated a beautiful amount will be worried. But the scammers themselves will likely spend a lot of effort to find out more accurate information, and this also takes time. Therefore, you should not panic. There is a time for a cold mind and thinking about your next actions.
This once again reminded everyone to take care of their privacy. But everyone also understands that there was the fact that everyone trusted this device, and like when opening a bank card, users entered their exact data. Today news came out that Ledger will not reimburse the costs of users whose data has been opened.

https://decrypt.co/52215/ledger-wont-reimburse-users-after-major-data-hack

[hilariousetc]

But that e-mail address should only be visible to the admin/s and maybe to the mods if that rule applies when reporting post to moderator (although I think you once mentioned that this is not the case). Maybe you are referring to email addresses that have become publicly available in hacking our forum database back in 2015?

I don't think staff could ever see their emails contrary to what the message said (I could be wrong but I don't remember ever seeing them), but yeah I'm referring to the forum database leak. It would be very easy to match those emails to the ledger ones and you would then have someone's full dox. If you knew they were a member that likely had or does have a bit of money then they would probably be easy targets.

In addition to the fact that many people were scared by the pandemic in 2020, Ledger owners today also fear for their lives due to their data leaks. People start to fear for their families.
 I think those who have accumulated a beautiful amount will be worried. But the scammers themselves will likely spend a lot of effort to find out more accurate information, and this also takes time. Therefore, you should not panic. There is a time for a cold mind and thinking about your next actions.
This once again reminded everyone to take care of their privacy. But everyone also understands that there was the fact that everyone trusted this device, and like when opening a bank card, users entered their exact data. Today news came out that Ledger will not reimburse the costs of users whose data has been opened.

https://decrypt.co/52215/ledger-wont-reimburse-users-after-major-data-hack

It's obvious they wouldn't refund people just like most banks won't if you personally were responsible for sending the funds yourself. Doing so would also just open them up to massive fraud as people could just send funds to another address and claim they were hacked and there's no way to verify fake from real there. At the end of the day people are still responsible for the own money even with this hack and people probably shouldn't be falling for phishing attacks like this.

[GrosWesh]

An interesting replay of a discussion relating to this ledger db public leak is available on youtube.

They speak in particular of potential sim swaps and this part starts at 00h35

Andreas Antonopoulos
Taylor monahan
Jameson lopp
Peter McCormack

https://www.youtube.com/watch?v=uKCMx8nqQhY

(If someone got a link to the video antonopoulos is speaking about at 41mn45sec i'd be really interested as i looked for it in vain).

[Saint-loup]

I could see the data and I'm happy that my personal details are not in the documents leaked. Maybe because I bought the Ledger a few years back? My email is there but I already knew that. Also, I don't hold a lot of bitcoin but I would feel uneasy if I knew my full name and address had been leaked.

It probably depends on whether you asked them to store your details or not. The hack happened in June 2020, and they said 1 million email addresses were leaked but only 10k users personal details were included (addresses, phone numbers etc).

Yes but now they admit they were wrong. Personal informations of 272 000 users have been leaked.

The determination of the number of personal details (name, physical address, phone number) that was made in July 2020 was based on the forensic analysis of our third-party security consultancy who have advised there was only evidence of 9,500 impacted persons. These logs only specifically identified just over 9,500 individuals for whom more personal details information was obtained by the attackers. We can now verify from the published database that detailed information (name, postal address, phone number) of about 272.000 users were obtained, which corresponds to our e-commerce database as of June 2020.

https://support.ledger.com/hc/en-us/articles/360015559320-E-commerce-and-Marketing-data-breach-FAQ

[Poker Player]

I could see the data and I'm happy that my personal details are not in the documents leaked. Maybe because I bought the Ledger a few years back? My email is there but I already knew that. Also, I don't hold a lot of bitcoin but I would feel uneasy if I knew my full name and address had been leaked.

It probably depends on whether you asked them to store your details or not. The hack happened in June 2020, and they said 1 million email addresses were leaked but only 10k users personal details were included (addresses, phone numbers etc).

I probably asked them not to. Anyway, I just sent them a ticket through support asking them to remove my email address and any data they have on my from their database.

Does anyone know if they are obliged by law? In some countries there is such a law whereby if I ask private company to remove any data they have on me, they have to remove it.

I know that the leak has happened already but I'm quite pissed of with them. I think ledger live is ****. You can't sign messages with it, for example.

If there are news about ledger that concern me I will know through the forum or other sources.

[LoyceV]

I probably asked them not to. Anyway, I just sent them a ticket through support asking them to remove my email address and any data they have on my from their database.

Does anyone know if they are obliged by law? In some countries there is such a law whereby if I ask private company to remove any data they have on me, they have to remove it.

They're a French company, so it falls under the GDPR (General Data Protection Regulation). However, the implementation may vary per member state. In my country a company could ask to provide evidence you are who you say you are before removing your data, and in practice that often comes down to sending them a copy of your legal ID.
That's usually not something you want to give to a company you don't trust with personal data.

[UserU]

They're a French company, so it falls under the GDPR (General Data Protection Regulation). However, the implementation may vary per member state. In my country a company could ask to provide evidence you are who you say you are before removing your data, and in practice that often comes down to sending them a copy of your legal ID.
That's usually not something you want to give to a company you don't trust with personal data.

That actually exists? And even if you comply, they might not even delete/ trash the documentation you give...

[Csmiami]

It probably depends on whether you asked them to store your details or not. The hack happened in June 2020, and they said 1 million email addresses were leaked but only 10k users personal details were included (addresses, phone numbers etc).

Not to be repetitive on this one; but the hack didn't happen on June; it was detected (and allegedly fixed) in June. We can only speculate as for how long this had been going on...
I'm surprised your data wasn't leaked but you still got the email; that could mean that ledger is playing it safe this time and sending that generic email to every user that ever bought from them, "just to be safe" (but again, speculating)

[notblox1]

Everybody is talking about this Ledger leak on forum, on social media and on youtube
What do you think guys, what would Satoshi Nakamoto do? Would Satoshi buy Ledger wallet and used his real name and address when we know how important privacy was for him?
We are (not) all Satoshi 

[Marvelman]

Everybody is talking about this Ledger leak on forum, on social media and on youtube
What do you think guys, what would Satoshi Nakamoto do? Would Satoshi buy Ledger wallet and used his real name and address when we know how important privacy was for him?
We are (not) all Satoshi 

Yeah, difficult to say. He may really be Satoshi Nakamoto, as far as we know. I don't think anybody has effectively proved that it was either an alias or his real name.

[hilariousetc]

They're a French company, so it falls under the GDPR (General Data Protection Regulation). However, the implementation may vary per member state. In my country a company could ask to provide evidence you are who you say you are before removing your data, and in practice that often comes down to sending them a copy of your legal ID.
That's usually not something you want to give to a company you don't trust with personal data.

That actually exists? And even if you comply, they might not even delete/ trash the documentation you give...

Well I think they legally have to comply if they're in the EU, but yeah, there's no guarantees the details you send them won't be leaked somehow either.

I'm surprised your data wasn't leaked but you still got the email; that could mean that ledger is playing it safe this time and sending that generic email to every user that ever bought from them, "just to be safe" (but again, speculating)

My email is on the marketing list. Surprised but also glad it isn't on the other one.

Everybody is talking about this Ledger leak on forum, on social media and on youtube
What do you think guys, what would Satoshi Nakamoto do? Would Satoshi buy Ledger wallet and used his real name and address when we know how important privacy was for him?
We are (not) all Satoshi 

Well I'm sure he's bought stuff online before but it's irrelevant if you don't know what his name is. His real world details could be on that list for all we know. Or maybe he's a total ghost after creating bitcoin and doesn't do anything online that could compromise his identity. He could just live his life as normal though as he could just be a random unexciting Joe Bloggs to everyone that knows him.

[Daltonik]

Ledger-leak. The case becomes life threatening for the owners.
The owner of the Ledger wallet was called by a man who demanded 10XMR, promising otherwise to come to his home by midnight, steal him, beat all his relatives to death.
The man who received the call turned to law enforcement agencies. The police sent a car for security. https://www.reddit.com/r/ledgerwalletleak/comments/ki1nsz/received_phone_call_threatening_kidnapping_and/  https://twitter.com/RainDogDance/status/1341373495964479489

 

[UserU]

Here it comes, phishing attack.

[Poker Player]

I received no response from them regarding my request to have my data deleted. I just put them on junk mail list. All ledger emails no matter if they are legit or not and I have uninstalled Ledger Live. I don't know if this is too paranoid but I don't want them knowing how much I have (which is not a lot btw). I just don't want to have to deal with them any more.

[FIFA worldcup]

Ledger-leak. The case becomes life threatening for the owners.

Yes, i have also heard few people complaining this because scammers are now threating people and asking for demands not complying may result in raid to their houses. The scammers know who have bitcoins and they are exploiting this. 

I received no response from them regarding my request to have my data deleted. I just put them on junk mail list. All ledger emails no matter if they are legit or not and I have uninstalled Ledger Live. I don't know if this is too paranoid but I don't want them knowing how much I have (which is not a lot btw). I just don't want to have to deal with them any more.

Are you asking them to remove your data from ledger ? This is no point of doing this now because your data has been comprised and is with the scammers.

 

[Pmalek]

I received no response from them regarding my request to have my data deleted.

They are not going to remove your data. French and EU laws force them to keep certain records for up to 10 years. At least that is what they say and write in their Privacy Policy.

I don't know if this is too paranoid but I don't want them knowing how much I have (which is not a lot btw). I just don't want to have to deal with them any more.

It is paranoid. If you have been using Ledger Live for years and you think they have an overview of what assets you have, how will it help uninstalling the software now after already using it? If you are getting rid of it because of its lack of quality, that's understandable.

[GrosWesh]

The scammers know who have bitcoins and they are exploiting this.  

I allow myself to correct: 'they know who is more likely owning btc': you may have been disinterested in btc since a long time, have bought a few sats to try or even purchased one hardware wallet to offer ... Not sure that knocking on each door is interesting ...

[lovesmayfamilis]

There are already victims whose data has been leaked to the network. Recently it was reported about a user who had $2,000 stolen. As soon as he learned about the hack, he decided to change the password on the device, and then he received a notification that a new device was added to his account with two-factor authentication.
You can read it in full at the link
https://www.coindesk.com/ledger-leak-sim-swap-home-invasion-threats

https://twitter.com/jimbochewdip/status/1341181907707572230?s=20

[Rizzrack]

Ironically the best place to store crypto for Ledger owners is the Ledger itself.
I feel for these people that suffered losses because of the leak but some precautions were necessary since day 1. Like remove any 2fa with phone number, do not leave the funds on exchange and lay low. SIM swapping would have been the hacker's first choice. Guess the current bull trend is not helping in that regard.
Stay safe and be smart!
By the looks of it this type of db breach will be more and more of an issue going forward.

[Lucius]

lovesmayfamilis, as far as SIM swaps are concerned, the entire responsibility in this process is on the mobile providers who generally behave very irresponsibly and do great harm to their users. In some countries, it is enough to have exactly this data that was stolen from Ledger and call the mobile provider and request that the number be redirected to the new SIM.

I personally had the experience that I had to change my SIM card and I went to the physical branch of my mobile operator with ID and old SIM card, and all they asked me for was a mobile phone number - I got a new SIM in less than 1 minute.

Therefore, for all who use 2FA via their mobile number, it is necessary to change the number as soon as possible - and until then, if possible, turn off 2FA because it is a backdoor that will be used by many who have bad intentions.

[LoyceV]

Therefore, for all who use 2FA via their mobile number, it is necessary to change the number as soon as possible - and until then, if possible, turn off 2FA because it is a backdoor that will be used by many who have bad intentions.

2FA by phone number is as bad as answering "secret questions" to regain access. A couple months ago I clicked "forgot password" in Gmail, and I was surprised how easy it is! That's great for large corporations, because they must have millions of users per month who need to recover their password, and an automated system makes that very cheap to do. But it's terrible for security, so I disabled as much of it as I could. No more recovery emails, and no connected phone number.
Unfortunately, more and more websites demand 2FA. I hate it! It's painstakingly slow to "quickly" login, and if anything it's less secure than just my password. Google Authenticator seems more secure (unless you use it to login on the same phone), but it doesn't provide a recovery phrase, so if your phone breaks, you'll have to go through support of all connected websites to recover your account.

[GrosWesh]

Google Authenticator seems more secure (unless you use it to login on the same phone), but it doesn't provide a recovery phrase, so if your phone breaks, you'll have to go through support of all connected websites to recover your account.

That's why it is so important to back up (outside the computer) either the recovery code given on 2fa creation or the associated qr code. 

[malevolent]

fortunately you seem not to be on 'full data' list (name+add etc...). A second db provides tons of mails that were linked to ledger in another way (mostly newsletter).

Yeah, maybe, but I have ordered from them before so not sure why they would only have my email.

How long ago did you buy them? Somewhere on reddit I've seen Ledger claiming to have >2 million customers. They could have lied about the number but I wonder if they kept the addresses for as long as the warranty lasted which differs from jurisdiction to jurisdiction (the legal minimum is usually at least 2 years in the EU but often less than that elsewhere).

But that e-mail address should only be visible to the admin/s and maybe to the mods if that rule applies when reporting post to moderator (although I think you once mentioned that this is not the case).

I can confirm that that is no longer the case.

I don't think staff could ever see their emails contrary to what the message said (I could be wrong but I don't remember ever seeing them), but yeah I'm referring to the forum database leak. It would be very easy to match those emails to the ledger ones and you would then have someone's full dox. If you knew they were a member that likely had or does have a bit of money then they would probably be easy targets.

All mods also used to get reports via email and along with that the reporter's email address would be included. I don't know if notifications settings changes affected that but afaik everyone or almost everyone used to get these emails.

They are not going to remove your data. French and EU laws force them to keep certain records for up to 10 years. At least that is what they say and write in their Privacy Policy.

Maybe French laws, but it's not EU laws that would force them to keep records for that long. It wouldn't hurt if they bothered to specify what they mean by "some transactional data". Satoshi Labs (Trezor) claims to sensitive delete user data after 90 days, and they're also in the EU.

[hilariousetc]

Unfortunately, more and more websites demand 2FA. I hate it! It's painstakingly slow to "quickly" login, and if anything it's less secure than just my password. Google Authenticator seems more secure (unless you use it to login on the same phone), but it doesn't provide a recovery phrase, so if your phone breaks, you'll have to go through support of all connected websites to recover your account.

If support easily deactivates 2fa then it's mostly useless anyway. 2 factor apps should probably require finger print unlocks. You're not going to forget your fingerprint and someone needs access to your device for that. Sadly, there's always going to be times when 2fs will need to be reset or removed and that's where the weakness is.

There are already victims whose data has been leaked to the network. Recently it was reported about a user who had $2,000 stolen. As soon as he learned about the hack, he decided to change the password on the device, and then he received a notification that a new device was added to his account with two-factor authentication.
You can read it in full at the link
https://www.coindesk.com/ledger-leak-sim-swap-home-invasion-threats

https://twitter.com/jimbochewdip/status/1341181907707572230?s=20

I wouldn't believe everything anonymous twitter accounts say. I'm not saying this hasn't happened and we shouldn't downplay the threat of it but I'm sure a lot of accounts will just be trolling or spreading fud and sim swapping is still quite rare. Phone providers probably should make the process more secure though and there must be ways that they can prevent the wrong person from getting the sims.

fortunately you seem not to be on 'full data' list (name+add etc...). A second db provides tons of mails that were linked to ledger in another way (mostly newsletter).

Yeah, maybe, but I have ordered from them before so not sure why they would only have my email.

How long ago did you buy them? Somewhere on reddit I've seen Ledger claiming to have >2 million customers. They could have lied about the number but I wonder if they kept the addresses for as long as the warranty lasted which differs from jurisdiction to jurisdiction (the legal minimum is usually at least 2 years in the EU but often less than that elsewhere).

I honestly can't remember but pretty sure it was more than 3 years ago. Maybe they only saved the address they were given consent to do so, or the addresses leaked were ones from more recently.

I don't think staff could ever see their emails contrary to what the message said (I could be wrong but I don't remember ever seeing them), but yeah I'm referring to the forum database leak. It would be very easy to match those emails to the ledger ones and you would then have someone's full dox. If you knew they were a member that likely had or does have a bit of money then they would probably be easy targets.

All mods also used to get reports via email and along with that the reporter's email address would be included. I don't know if notifications settings changes affected that but afaik everyone or almost everyone used to get these emails.

I think I had those notifications turned off, or at the least they were blocked by my email provider so I don't think I ever got them.

[Csmiami]

I honestly can't remember but pretty sure it was more than 3 years ago. Maybe they only saved the address they were given consent to do so, or the addresses leaked were ones from more recently.

I know a person affected that bought it aproximately 2.5 years ago; so if you bought it 3 years ago, that kind of pinpoints the beginning of the leak

[Marvelman]

I honestly can't remember but pretty sure it was more than 3 years ago. Maybe they only saved the address they were given consent to do so, or the addresses leaked were ones from more recently.

I know a person affected that bought it aproximately 2.5 years ago; so if you bought it 3 years ago, that kind of pinpoints the beginning of the leak

Not necessarily. It may well be that the hacker could not access all the data from the database for any other (technical) reasons.

[Lucius]

Bad news from Ledger (again).

Now, we have new information to share: on December 23rd, 2020 we received a notification from our e-commerce service provider, Shopify, regarding an incident involving merchant data in which rogue member(s) of their support team obtained customer transactional records, including Ledger’s. The agent(s) illegally exported customer transactional records in April and June 2020. According to Shopify, this is related to the incident reported September 2020, which concerns more than 200 merchants, but until December 21st, 2020, Shopify had not discovered that Ledger was also targeted in this attack. Shopify tells us they engaged digital forensics experts and counsel to continue their investigation on the matter and have reported the matter to law enforcement in both Canada and the USA.

Along with forensic firm Orange Cyberdefense we were able to establish that it affects approximately 292,000 customers. While the database is 93% similar to those exposed in the previous attack there were approximately 20,000 new customer records including, email, name, postal address, product(s) ordered and phone number included in this breach.

If you’re among those who slipped through for the first time, check your emails because Ledger has sent a notification to all new winners who will start receiving phishing messages and be at risk of physical assault.

[irfan_pak10]

Bad news from Ledger (again).

Now, we have new information to share: on December 23rd, 2020 we received a notification from our e-commerce service provider, Shopify, regarding an incident involving merchant data in which rogue member(s) of their support team obtained customer transactional records, including Ledger’s. The agent(s) illegally exported customer transactional records in April and June 2020. According to Shopify, this is related to the incident reported September 2020, which concerns more than 200 merchants, but until December 21st, 2020, Shopify had not discovered that Ledger was also targeted in this attack. Shopify tells us they engaged digital forensics experts and counsel to continue their investigation on the matter and have reported the matter to law enforcement in both Canada and the USA.

Along with forensic firm Orange Cyberdefense we were able to establish that it affects approximately 292,000 customers. While the database is 93% similar to those exposed in the previous attack there were approximately 20,000 new customer records including, email, name, postal address, product(s) ordered and phone number included in this breach.

If you’re among those who slipped through for the first time, check your emails because Ledger has sent a notification to all new winners who will start receiving phishing messages and be at risk of physical assault.

I have received an email today, That I'm from one of those unfortunates, whose data has been leaked. 

[LoyceV]

Bad news from Ledger (again).

Can't they just send all customers a big sign to put in front of their house? "Ledger owner here!"

[Csmiami]

---

If all the spending on "security and investigations" they claim to be doing is somehow true; they'd be short for making and shipping more than 293 thousand signs....

Best that can be done right now, is wait and see what the data protection agencies have to say on this... I filed a complaint/report a couple of weeks ago

[DdmrDdmr]

<…>

After seeing the Security Notice around, I was going nuts on my threads on B&H & Local, trying to decipher if the Security Notice referenced the same leak or a different one. That should be made crystal clear on the notice, as people need to understand things the first time around, not needing to infer, guess, or require further investigations.

This does mean though, that data is treated even more poorly that one could suspect. Being Shopify their e-commerce platform partner, it turns out that, seemingly, data is held both by Shopify and Ledger (something that I have not managed to read on their website). That is gross to say the least. As a customer, you are providing (and wishing you hadn’t) data to Ledger (and any thung in the aftermaths). I doubt any purchaser was aware that data was retained by Shopify.

This is therefore now void: https://www.ledger.com/our-ecommerce-database-has-not-been-hacked

[malevolent]

This does mean though, that data is treated even more poorly that one could suspect. Being Shopify their e-commerce platform partner, it turns out that, seemingly, data is held both by Shopify and Ledger (something that I have not managed to read on their website). That is gross to say the least. As a customer, you are providing (and wishing you hadn’t) data to Ledger (and any thung in the aftermaths). I doubt any purchaser was aware that data was retained by Shopify.

Most companies tend to admit somewhere, either in their terms of service, or in their privacy policies, that the company will or reserves the right to share (usually a lot of) information relating to the customer or the customer's orders.

And Ledger is no exception:

https://shop.ledger.com/pages/privacy-policy

We may also transmit some of your data to third parties such as payment services, infrastructure, logistics, and other services providers.

We enter into contractual arrangements with these third parties to ensure that personal data they could have to process for the provision of their tasks is adequately secured and that your privacy is protected. These providers have privacy policies which you may refer to for information about how they process your information and how to exercise your data subjects’ rights as provided under Applicable Laws. All personal data processed by these third parties shall solely be used to perform the services they provide to us and for the purposes set out in this Privacy Policy.

In certain circumstances and only where required by Applicable Laws, we may disclose some of your data to competent administrative or judicial authorities or any other authorized third party.

emboldening mine

Is the buyer aware of all providers that get to access their data and possibly store them indefinitely?

[stompix]

Bad news from Ledger (again).

Oh crap, oh crap, oh please no!
I'm one of the lucky ones (!?) with the email leaked but not with the address and other details, I pray for it to stay the same!
No new email received...yet!

Checking again the spam folder, I've just got the third phishing email, the same stuff with google forms, this time they didn't even bother to write anything down just the link and that's all at least the previous ones were informing me that my wallet was deactivated!

Can't they just send all customers a big sign to put in front of their house? "Ledger owner here!"

Lots of house sellers might have to start adding a few reasons for their discounts
- ancient burial ground
- murder committed
- address leaked in ledger hack and prone to a home invasion

But this thing is so damn creepy, there is a guy in my neighborhood with the address leaked, he is living (or he had) in the block of flats exactly in front of me!

[lovesmayfamilis]

Now Ledger has big plans. To restore user confidence, Matt Johnson told what changes will occur in the near future, so that the case of data breaches will not happen again.

Delete, delete, delete
Moving forward, Ledger will delete data from its e-commerce partner as well as move customer data to a database that can’t be accessed from the internet as soon as your order is fulfilled, before deleting it as soon as they’re legally able.

The company will also be deleting names, addresses and phone numbers from confirmation emails sent to customers so that this data is not passed through third-party e-commerce email providers.

The email and social media will only be used for marketing messages and announcements, Ledger Live accounts are being set up to communicate technical and security information, seemingly to avoid instances of previous phishing scams, in which scammers encouraged Ledger users to download important security updates via genuine-looking emails.

https://www.coindesk.com/ledger-bitcoin-bounty-new-data-security-after-hack

Of course, we can say that a leak is equated with a human factor, and few people are insured against it. Here the expression "lock the barn door after stealing a horse" is very appropriate.

[DdmrDdmr]

<…>

Thanks. I was searching for the term Shopify, wanting to see if there was an explicit mention to their partner, but it seems to be camouflaged amongst the classic generic clauses.

From a conceptual point of view, there does not seem to be a reason for Shopify to retain customer data once the purchase TX has been fulfilled. After all, there seemingly is no customer record the user can go back to in order to view or edit information about his orders.

It’s not explicitly clear how the data flow works between Shopify and Ledger, although I figure that the data record to fulfil the order goes first to Shopify, and then a copy is transferred over to Ledger, in order to store and build it’s customer’s database. If Shopify acts as a mere gateway, there does not seem to be a conceptual reason for them to retain the data in this particular case.
It could nevertheless be that Ledger uses a subset of Shopify’s services and capabilities, which, for other Shopify clients (corporations), may require managing the customer database in a more perpetual way. Looking over their website, it does seem that the platform can manage customer records for their clients, since amongst the features for their platform are those to manage customer accounts and customer profiling.

Ledger may be minimizing the functionality it uses, but the workflows are bound to be subsets of Shopify’s platform, and if the platform inherently stores customers and orders, even if we as users don’t have access to such functionality, it’s probably there, subjacent, storing customer data because the platform’s functional structure and functionality requires it.

Ledger customers are certainly not aware of this, and the generic paragraphs they use may cover, but do not easily allow users to figure this is happening under the hood. Mind you, it’s not something specific to them, which is not an excuse.

Note: I’ve just increased my 24h, 48h ratios …

[Lucius]

I have received an email today, That I'm from one of those unfortunates, whose data has been leaked. 

Unlike all those data that have become publicly available, these 22 000 new ones hacked with Shopify are not, as far as I know, publicly available. Which means it all depends on the hacker, maybe they will use the database only for themselves, and maybe at some point they will decide to sell it or make it public.

Oh crap, oh crap, oh please no!
I'm one of the lucky ones (!?) with the email leaked but not with the address and other details, I pray for it to stay the same!
No new email received...yet!

Then you are really lucky if you are not among the 292 000 users who have been unlucky so far. Email spam is something you can definitely live with, but when you start getting text messages and calls on a daily basis that include threats to you and your family if you don’t hand over the seed, then things get a lot harder to bear.

This does mean though, that data is treated even more poorly that one could suspect. Being Shopify their e-commerce platform partner, it turns out that, seemingly, data is held both by Shopify and Ledger (something that I have not managed to read on their website). That is gross to say the least.

What else to say but that it is pure amateurism in collecting data and storing it. I'm just wondering (like many others), are these all the unpleasant surprises that will come from Ledger or is there something else we haven't learned yet. Either way, I will sleep much more peacefully when Ledger is no longer my primary hardware wallet.

[hilariousetc]

I have received an email today, That I'm from one of those unfortunates, whose data has been leaked.  

Unlike all those data that have become publicly available, these 22 000 new ones hacked with Shopify are not, as far as I know, publicly available. Which means it all depends on the hacker, maybe they will use the database only for themselves, and maybe at some point they will decide to sell it or make it public.

To be honest, the wise thing to do from the hacker's perspective would be to try utilise it themselves and grab what they can then I'm sure they'll sell it on to the highest bidder once they've milked it for all its worth and then they'll sell it and so on until it becomes worthless/public like the last batch did.

Oh crap, oh crap, oh please no!
I'm one of the lucky ones (!?) with the email leaked but not with the address and other details, I pray for it to stay the same!
No new email received...yet!

Then you are really lucky if you are not among the 292 000 users who have been unlucky so far. Email spam is something you can definitely live with, but when you start getting text messages and calls on a daily basis that include threats to you and your family if you don’t hand over the seed, then things get a lot harder to bear.

If your phone number is out there like this then you should just change it as it will be passed around spammers like a hot potato and will end up on all sorts of scammers and marketing lists. Probably best to change your email as well. All it does it make you an easier target if you continue to use it.

Now Ledger has big plans. To restore user confidence, Matt Johnson told what changes will occur in the near future, so that the case of data breaches will not happen again.

Delete, delete, delete
Moving forward, Ledger will delete data from its e-commerce partner as well as move customer data to a database that can’t be accessed from the internet as soon as your order is fulfilled, before deleting it as soon as they’re legally able.

The company will also be deleting names, addresses and phone numbers from confirmation emails sent to customers so that this data is not passed through third-party e-commerce email providers.

The email and social media will only be used for marketing messages and announcements, Ledger Live accounts are being set up to communicate technical and security information, seemingly to avoid instances of previous phishing scams, in which scammers encouraged Ledger users to download important security updates via genuine-looking emails.

https://www.coindesk.com/ledger-bitcoin-bounty-new-data-security-after-hack

Of course, we can say that a leak is equated with a human factor, and few people are insured against it. Here the expression "lock the barn door after stealing a horse" is very appropriate.

I think this needs to be a wake up call for people more than anything to know that you can't really trust any company with your data and to take appropriate cautions when you give away stuff like this ie don't use a phone or email that could lead to further complications. A company can have water-tight security but a rogue employee can always steal the info as happened here so no company is safe.

[m2017]

I have received an email today, That I'm from one of those unfortunates, whose data has been leaked. 

Unlike all those data that have become publicly available, these 22 000 new ones hacked with Shopify are not, as far as I know, publicly available. Which means it all depends on the hacker, maybe they will use the database only for themselves, and maybe at some point they will decide to sell it or make it public.


Then you are really lucky if you are not among the 292 000 users who have been unlucky so far. Email spam is something you can definitely live with, but when you start getting text messages and calls on a daily basis that include threats to you and your family if you don’t hand over the seed, then things get a lot harder to bear.

292 000 users? Isn't it too little for a company that has sold tens of millions of devices?

This is a terrible oversight and negligence for Ledger, a loss of reputation and trust.

I hope that this negative experience will change the attitude of companies that process personal data towards their users and information about them for the better.

I also think that this case is a vivid example of the fact that you cann't be 100% trusted by companies and you need to take care of your privacy yourself.

[Lucius]

292 000 users? Isn't it too little for a company that has sold tens of millions of devices?

Where did you get that information? According to what Ledger publicly acknowledged last year, there are just over 2 million devices sold in total. It would be interesting to know how many unique customers there are, as many have bought more than 1 device over the years - although the Model S is the most popular, there were models before it - Ledger HW 2014

The most popular hardware wallets: more than 2 millions units sold all over the world

[Marvelman]

This is a terrible oversight and negligence for Ledger, a loss of reputation and trust.

Yes. What Ledger did was needlessly damage their customers, whether intentional or otherwise. Yet, Ledger doesn't make any attempt to refund the money, although it seems logical to assume that such an action would have made things better.

I also think that this case is a vivid example of the fact that you cann't be 100% trusted by companies and you need to take care of your privacy yourself.

Exactly. Dont give out any information that could be used to identify you to people. If you are a legal adult, there is no law against being anonymous.

[bob123]

What Ledger did was needlessly damage their customers, whether intentional or otherwise.

I heavily doubt they intentionally damaged their own reputation for no good reason other than hurting themselves.
This sounds like a obscure conspiracy theory to me.

As if they have planned to hurt themselves and lots of their customer..

Yet, Ledger doesn't make any attempt to refund the money, although it seems logical to assume that such an action would have made things better.

It seems logical?
Do you really expect a company to pay back the money it got for a completely functional product? Because there was a database breach which does not affect the product at all?

This is a delusional thought.

[Marvelman]

It seems logical?
Do you really expect a company to pay back the money it got for a completely functional product? Because there was a database breach which does not affect the product at all?

This is a delusional thought.

Delusional thought? I do not think so. Obviously you are not familiar with the GDPR regulations of the European Union.

The GDPR gives you a right to claim compensation from an organisation if you have suffered damage as a result of it breaking data protection law. ... You do not have to make a court claim to obtain compensation – the organisation may simply agree to pay it to you.

source: https://ico.org.uk/

You can claim compensation if a company or organisation hasn’t respected the data protection law and you’ve suffered material damages (for example financial loss) or non-material damages (for example distress or loss of reputation). You can make a claim to the company or organisation concerned or before the national courts. You can claim compensation before the courts of the EU Member State where the controller or processor is established. Alternatively, such proceedings may be brought before the courts of the EU Member State of your habitual residence.

https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/redress/can-i-claim-compensation_en

[LoyceV]

GDPR regulations of the European Union.

The GDPR gives you a right to claim compensation from an organisation if you have suffered damage as a result of it breaking data protection law. ... You do not have to make a court claim to obtain compensation – the organisation may simply agree to pay it to you.

Any damage caused has no relation to the price of the product they sold. It would be interesting to see if similar cases have been won. I found this:

In line with Article 6:106 (1)(b) Dutch Civil Code, the burden of proof is on the claimant to demonstrate it suffered damages, which can be particularly challenging in privacy cases.

In this case, a municipality shared personal data with other municipalities, which makes the burden of proof very difficult: there is no direct damage. In Ledger's case, if their recklessness for instance forces you to move due to threats, the burden of proof becomes much easier. The damage will be much higher than the cost of their USB wallet.

[Marvelman]

No, there is no direct damage in Ledger's case, but one may argue for non-material damages (for example distress). And I agree that any damage incurred is not directly related to the price of the product.

I think this story regarding Ledger is far from over.

[Csmiami]

----

This is a great thing to know, but there is a big BUT.

To put some context into it, I did file a complaint to my state data protection agency on the 7th (still no answer) and as I was browsing their site, I found the following regarding things they cannot do:

If you wish to request compensation for how your private data has been handled, you'll have to go to trial/tribunals.

I strongly suspect that the rest of the European data protection agencies will have if not the same, very similar procedures. If we (or anyone) wants a compensation, they'll have to fight for it either on their own, or as a batch of angry customers in front of a judge. However, I do believe that if a data protection agency deems the data treatment incorrect, it'd be very very very (extremely) hard for Ledger to reason otherwise should a a trial arrive

[hilariousetc]

What Ledger did was needlessly damage their customers, whether intentional or otherwise.

I heavily doubt they intentionally damaged their own reputation for no good reason other than hurting themselves.
This sounds like a obscure conspiracy theory to me.

It sounds like a shitpost to me. This is probably the worst thing that could happen to Ledger as a company. They'll lose millions in business, will probably face at least some lawsuits whether they'll be successful or not and a lot of confidence in them will be lost. If they could have avoided this they would have.

It seems logical?
Do you really expect a company to pay back the money it got for a completely functional product? Because there was a database breach which does not affect the product at all?

This is a delusional thought.

Delusional thought? I do not think so. Obviously you are not familiar with the GDPR regulations of the European Union.

The GDPR gives you a right to claim compensation from an organisation if you have suffered damage as a result of it breaking data protection law. ... You do not have to make a court claim to obtain compensation – the organisation may simply agree to pay it to you.

source: https://ico.org.uk/

You can claim compensation if a company or organisation hasn’t respected the data protection law and you’ve suffered material damages (for example financial loss) or non-material damages (for example distress or loss of reputation). You can make a claim to the company or organisation concerned or before the national courts. You can claim compensation before the courts of the EU Member State where the controller or processor is established. Alternatively, such proceedings may be brought before the courts of the EU Member State of your habitual residence.

https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/redress/can-i-claim-compensation_en

This would be a nightmare to enforce and fraud would be widespread. How would you even prove you were effected? All you would need to do was send your coins to another address and then complain you've been hacked. There's no real way to verify it. At the end of the day it was still the users that sent the money elsewhere. When this sort of fraud happens with fiat banks if the owner of the account willingly sent the funds in most cases they bank won't refund them.

[Csmiami]

This would be a nightmare to enforce and fraud would be widespread. How would you even prove you were effected? All you would need to do was send your coins to another address and then complain you've been hacked. There's no real way to verify it. At the end of the day it was still the users that sent the money elsewhere. When this sort of fraud happens with fiat banks if the owner of the account willingly sent the funds in most cases they bank won't refund them.

That goes for material damages, but this case is not really about them (or at least if you had some common sense). Honestly, the first days the database was made public I had very stressfull evenings, overthinking what could happen next, knowing my data was out there and directly related to crypto. The first people reporting some (pretty lame) extortion attempts didn't help with the overthinking; although I knew that even if I received any email of that type I'd probably just laugh and tell them to change from legacy to segwit . Now that some time has passed, I am indeed more calmed, but the pshychological effect of having everything out in the open is still there, and if there was any reason to actually ask compensation for, I think that should be it. So non-material damages, although harder to prove, are our best option against the company

Small disclaimer: Although I'd love to see some kind of compensation, I haven't really filed a complaint because of that, but because I want to see ledger burn; paying a couple of hefty fines would indeed make me a little bit happier. It's not the first time I've said I'm not after the money here

[Marvelman]

As Csmiami pointed out, I wasn't really talking about material, but non-material damages. And it's not that hard to prove if I start getting a bunch of threatening messages in my email inbox or on my phone number.
Of course, some will say, change your email address and your phone number, or even your home address. But why should we bear all the consequences and not those who are directly responsible?

I didn't actually think Ledger did this on purpose. I said that part wrong. But I do believe they were aware of the incident, but they deliberately tried to cover it up and downplay it until the hacked data surfaced in public.

[stompix]

Yet, Ledger doesn't make any attempt to refund the money, although it seems logical to assume that such an action would have made things better.

Better? I doubt it!
People who are pissed about this leak are the ones afraid of their safety, and I find it hard to believe 100$ would make things better unless that's the maximum point at which you value your life. Refund everybody, they will claim bankruptcy, and what has been fixed? Nothing!
You get a free product that is no longer covered by any warranty and that's all.

Delusional thought? I do not think so. Obviously you are not familiar with the GDPR regulations of the European Union.
https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/redress/can-i-claim-compensation_en

You missed one point, first, someone will have to prove in court that Ledger did not take all required actions in order to protect the data, if Ledger is not found guilty of that in court then all your claims against them will be void.

I didn't actually think Ledger did this on purpose. I said that part wrong.

Then you don't have a case.

But I do believe they were aware of the incident, but they deliberately tried to cover it up and downplay it until the hacked data surfaced in public.

Now, if you really are keen on making ledger pay there is a different article on which you can make claims, but again this is way harder to prove in court is about informing the affected party of the security breach without delay, thing Ledger hasn't but here you will have to prove again that without the delay you could have taken measures to avoid ..whatever your claim will be.

As I see the situation now, Ledger has high chances of getting away with it, probably only a few of the customers will go to court as there are a lot of things stopping some to do so, besides being in a foreign country, not wanting to lose time and money in legal battles there is also something else. Some will avoid coming out in public, I know for certain that right now at least a few are more concerned about the IRS or its national counterpart than hackers.
That being said I think Ledger will be punished by customers more than the court, right now for me buying any type of hardware wallet is out of the question, I know that I won't be twice lucky so I'm going DIY from now on.

[Daltonik]

A Ledger user lost $27,000 in bitcoins by swapping a SIM card. The californian received a message from the mobile operator T-Mobile about the freezing of the account after unsuccessful attempts to change the password. The information was confirmed by the specified phone number.

The user received a new password to the email linked to the Ledger cryptocurrency wallet. Later, he received a call allegedly from the developer company and was informed about the hacking of the storage.
The caller requested a password and account identification numbers. A resident of California passed the data and after checking the wallet found the missing bitcoins.

https://www.ktvu.com/news/daly-city-man-scammed-out-of-27000-in-bitcoin

[Csmiami]

The caller requested a password and account identification numbers.

Why do I have the feeling this refers to the seed? Can't really think of any way of loosing the funds on a physicall device just because of a SIM swapping....

[Rizzrack]

Why do I have the feeling this refers to the seed? Can't really think of way of loosing the funds on a physicall device just because of a SIM swapping....

This is what it sounds like. If he "confirmed" the passphrase with the "operator" than it's 100% on him. These thieves can be very tricky but this should be common sense.
I guess this in one of the reasons the masses are reluctant to use crypto, because there is no 0800 number to call and get them back if you do some dumb shit. Both privacy and comfort come with their price tags.
Look on the bright side. In a parallel universe the "Facebook hardware wallet" might have the seed in plain text. At least it's not the case here.

[stompix]

I don't understand what sim swap happened nor how you could blame anybody but the victim in this case.

as-yet-unnamed, called Daly City police on January 14 to report that he received a text from a person purporting to represent telecommunications provider T-Mobile, who said his account was frozen after multiple attempts were made to change his password.

This ain't swim swapping.
If a sim swap would have happened his original sim would have been deactivated by the telecom company and he would have not received any call.
Probably the first one is a different scammer.

He later received a call from a blocked number. The caller identified himself as an operator for Ledger, the crypto wallet hardware company that held the man’s Bitcoin, informing him that his account had been compromised. The caller extracted his passcode and anonymous account identification numbers.

So an unknown guy called him, told him he is a Ledger operator, and got probably the seed from him.
He lost $27k but this was totally his fault.

[Lucius]

So an unknown guy called him, told him he is a Ledger operator, and got probably the seed from him.

Extremely naive and hard to imagine for anyone with at least a little common sense in their head. That user never realized that Ledger doesn't have phone customer support, and that seed is something not shared with strangers. If they had asked him to send them his bank card with a PIN, maybe some jewelry and cash - all of course nicely packaged and with express mail, they might have profited even more

[LoyceV]

So an unknown guy called him, told him he is a Ledger operator, and got probably the seed from him.
He lost $27k but this was totally his fault.

It sounds like they only got his phone number from the Ledger hack. Other than that, it's a "standard" phone scam where the victim gives away access to his money.
Ledger just made it a lot easier by providing a list of Bitcoin users. For "standard" bank phishing calls (or fake tech support calls), most phone numbers can be a potential victim as most people have a bank account or a Windows computer. For crypto that percentage is a lot lower, and multiplied with the percentage of gullible people odds are even worse for the scammer. I can imagine a 1 in 100,000 successful phishing phone call isn't worth the effort, but if Ledger's data breach turned it into 1 in 100(0), it becomes (very) profitable. I'm just speculating on the numbers here of course.

[Daltonik]

A class action lawsuit has been filed against crypto wallet firm Ledger, Shopify for a 2020 customer data breach as reported by the Block   https://www.theblockcrypto.com/post/100860/ledger-shopify-class-action-lawsuit-filed  

According to lawyers, Ledger, as part of its obligations to customers, should have made sure the Shopify service was safe. The companies will have to explain why they delayed in notifying users of the problem. The firm estimates the damages at more than $5 million

[LoyceV]

A class action lawsuit has been filed against crypto wallet firm Ledger, Shopify for a 2020 customer data breach as reported by the Block   https://www.theblockcrypto.com/post/100860/ledger-shopify-class-action-lawsuit-filed  

the complaint references only two Ledger users directly, who together lost 4.2 BTC, 11 ETH and 150,000 XLM to phishing attacks. At today's prices, those holdings add up to $340,000

This is a bit far-fetched in my opinion. The only way for phishing to work, is if the user did something very dumb. A targeted $5 wrench attack would make it easier to blame Ledger.

The firm estimates the damages at more than $5 million

That's less than $20 per user who's data they leaked. Enough to buy their own wrench to defend themselves?

[hilariousetc]

A class action lawsuit has been filed against crypto wallet firm Ledger, Shopify for a 2020 customer data breach as reported by the Block   https://www.theblockcrypto.com/post/100860/ledger-shopify-class-action-lawsuit-filed  

According to lawyers, Ledger, as part of its obligations to customers, should have made sure the Shopify service was safe. The companies will have to explain why they delayed in notifying users of the problem. The firm estimates the damages at more than $5 million

I was wondering if anyone was going to start a lawsuit over this. Not sure how successful it will be and it's obviously mostly shopify's fault than ledger's but maybe it'll set a new precedent if it is successful, but one thing I do hope is that it calls for better storage of customers data. If they can't keep this safe then there should be consequences. I already hate giving out scans of stuff signing up to exchanges especially when I know it can end up leaked on the web and can lead to doxing of users here. If these companies cant be trusted to keep things watertight then they should probably lose their licence or companies should withdraw from using them.  I tried signing up to a crypto platform recently and not only did they want scans of my stuff but a selfie with my ID. Fuck that. They don't even ask for that when you open up a bank account here or on some other investment platforms I've used so no idea why this is necessary and I don't fancy a picture of me with my ID potentially floating around the darknet. The irony is once this sort of info gets leaked it can and will likely be used for malicious stuff so it kinda becomes pointless especially when people start committing crimes in your name with your ID and docs. I wonder how they even store this stuff. Once received do they mark or brand it somehow so nobody else could use it if it ever was leaked somehow? It needs to be better encrypted at least. Once it's verified nobody should be able to see it other than maybe law enforcement if they have a warrant. I saw that facebook had a huge breach leaked onto the clearnet recently including Zuckerbergs personal phone number. If companies can't be guaranteed to store this stuff safely then they shouldn't be allowed to hold it in the first place.

[LeGaulois]

Boeing 737 Max crashed several times due to malfunction. Who is to blame? The manufacturer Boeing, or the airlines that used this kind of aircraft.

The company Ledger followed in a timely manner the law regarding a data breach within RGPD. They are in the rules.
Funny to see how people are upset and now pay lawyers, knowing they did nothing when they had the opportunity to ask to Ledger to delete personal information obtained about them.

But now they all are shouting 

[stompix]

Forget about wrench, i doubt $20 is enough to change phone number (on some parts of the world) and email address (if you use paid ones).
And talking about physical threat, let's hope the theft doesn't use gun or other more dangerous weapon

A phone number change is actually free of charge with my carrier, but the troubles of notifying all your contacts, if you used that phone for business changing it will result in far more material damages, same for the email, but at least that is something I'm not concerned of, I've received some phishing emails but things have come to a stop.
The home address is the troublesome part, you never know what stupid ideas might run through some desperate people's brains especially in these times when a lot don't have money and all over the news they keep pushing the narrative on how a few BTC can set you for life.

I tried signing up to a crypto platform recently and not only did they want scans of my stuff but a selfie with my ID. Fuck that. They don't even ask for that when you open up a bank account here or on some other investment platforms I've used so no idea why this is necessary and I don't fancy a picture of me with my ID potentially floating around the darknet.

I think this has got out of hand with this whole verification stuff, I've too opened betting accounts and they never asked for a copy of my id, I've been with Betfair for 7 years and all they've asked was a bank statement when I chose to withdraw money via bank and no to the card with which I deposited. That's was all, and now some shitty exchange wants a picture of my id, a selfie with the id and the new step is to activate your camera and do a video of yourself, looking right and looking left and ...clicking the x button and saying fy and your platform!!

And the most annoying fact is that they don't even care how real those documents are, nobody actually checks them, and even if they would want to most of them have no real legal way of doing so.

[dkbit98]

Better start preparing your backup phrases to be imported in some hardware wallet from other manufacturers guys,
and make room in your boxes with junk hardware devices and old mp3 players, because if ledger loses this lawsuit it is going to be Au revoir for them.
That is what you get when you don't respect privacy and when you have bad communication with your customers related with multiple leaks, but that is not all
and I am hearing some rumors that new lawsuits may be coming soon from Europe so stay tuned and follow the news.

Look at the bright side of things, we can still use ledger as two factor authentication device with Fido U2F.

[LoyceV]

Look at the bright side of things, we can still use ledger as two factor authentication device with Fido U2F.

You don't need "Ledger the company" to use their hardware (for instance in combination with Electrum).

[dkbit98]

You don't need "Ledger the company" to use their hardware (for instance in combination with Electrum).

But you do need them to update and fix bugs in their closed source software, and I think you know what happened with ledgerHW1 and ledger blue

[malevolent]

Funny to see how people are upset and now pay lawyers, knowing they did nothing when they had the opportunity to ask to Ledger to delete personal information obtained about them.

Ledger was the one asking for and needlessly storing/transmitting peoples' info, so it was on them to keep it secure if they didn't want to delete it.