Ledger database leak --> Phishing

[hilariousetc]

They're a French company, so it falls under the GDPR (General Data Protection Regulation). However, the implementation may vary per member state. In my country a company could ask to provide evidence you are who you say you are before removing your data, and in practice that often comes down to sending them a copy of your legal ID.
That's usually not something you want to give to a company you don't trust with personal data.

That actually exists? And even if you comply, they might not even delete/ trash the documentation you give...

Well I think they legally have to comply if they're in the EU, but yeah, there's no guarantees the details you send them won't be leaked somehow either.

I'm surprised your data wasn't leaked but you still got the email; that could mean that ledger is playing it safe this time and sending that generic email to every user that ever bought from them, "just to be safe" (but again, speculating)

My email is on the marketing list. Surprised but also glad it isn't on the other one.

Everybody is talking about this Ledger leak on forum, on social media and on youtube
What do you think guys, what would Satoshi Nakamoto do? Would Satoshi buy Ledger wallet and used his real name and address when we know how important privacy was for him?
We are (not) all Satoshi 

Well I'm sure he's bought stuff online before but it's irrelevant if you don't know what his name is. His real world details could be on that list for all we know. Or maybe he's a total ghost after creating bitcoin and doesn't do anything online that could compromise his identity. He could just live his life as normal though as he could just be a random unexciting Joe Bloggs to everyone that knows him.

[1714859266]

1714859266

[1714859266]

1714859266

[1714859266]

1714859266

[1714859266]

1714859266

[1714859266]

1714859266

[1714859266]

1714859266

[Daltonik]

Ledger-leak. The case becomes life threatening for the owners.
The owner of the Ledger wallet was called by a man who demanded 10XMR, promising otherwise to come to his home by midnight, steal him, beat all his relatives to death.
The man who received the call turned to law enforcement agencies. The police sent a car for security. https://www.reddit.com/r/ledgerwalletleak/comments/ki1nsz/received_phone_call_threatening_kidnapping_and/  https://twitter.com/RainDogDance/status/1341373495964479489

 

[UserU]

Here it comes, phishing attack.

[Poker Player]

I received no response from them regarding my request to have my data deleted. I just put them on junk mail list. All ledger emails no matter if they are legit or not and I have uninstalled Ledger Live. I don't know if this is too paranoid but I don't want them knowing how much I have (which is not a lot btw). I just don't want to have to deal with them any more.

[FIFA worldcup]

Ledger-leak. The case becomes life threatening for the owners.

Yes, i have also heard few people complaining this because scammers are now threating people and asking for demands not complying may result in raid to their houses. The scammers know who have bitcoins and they are exploiting this. 

I received no response from them regarding my request to have my data deleted. I just put them on junk mail list. All ledger emails no matter if they are legit or not and I have uninstalled Ledger Live. I don't know if this is too paranoid but I don't want them knowing how much I have (which is not a lot btw). I just don't want to have to deal with them any more.

Are you asking them to remove your data from ledger ? This is no point of doing this now because your data has been comprised and is with the scammers.

 

[Pmalek]

I received no response from them regarding my request to have my data deleted.

They are not going to remove your data. French and EU laws force them to keep certain records for up to 10 years. At least that is what they say and write in their Privacy Policy.

I don't know if this is too paranoid but I don't want them knowing how much I have (which is not a lot btw). I just don't want to have to deal with them any more.

It is paranoid. If you have been using Ledger Live for years and you think they have an overview of what assets you have, how will it help uninstalling the software now after already using it? If you are getting rid of it because of its lack of quality, that's understandable.

[GrosWesh]

The scammers know who have bitcoins and they are exploiting this.  

I allow myself to correct: 'they know who is more likely owning btc': you may have been disinterested in btc since a long time, have bought a few sats to try or even purchased one hardware wallet to offer ... Not sure that knocking on each door is interesting ...

[lovesmayfamilis]

There are already victims whose data has been leaked to the network. Recently it was reported about a user who had $2,000 stolen. As soon as he learned about the hack, he decided to change the password on the device, and then he received a notification that a new device was added to his account with two-factor authentication.
You can read it in full at the link
https://www.coindesk.com/ledger-leak-sim-swap-home-invasion-threats

https://twitter.com/jimbochewdip/status/1341181907707572230?s=20

[Rizzrack]

Ironically the best place to store crypto for Ledger owners is the Ledger itself.
I feel for these people that suffered losses because of the leak but some precautions were necessary since day 1. Like remove any 2fa with phone number, do not leave the funds on exchange and lay low. SIM swapping would have been the hacker's first choice. Guess the current bull trend is not helping in that regard.
Stay safe and be smart!
By the looks of it this type of db breach will be more and more of an issue going forward.

[Lucius]

lovesmayfamilis, as far as SIM swaps are concerned, the entire responsibility in this process is on the mobile providers who generally behave very irresponsibly and do great harm to their users. In some countries, it is enough to have exactly this data that was stolen from Ledger and call the mobile provider and request that the number be redirected to the new SIM.

I personally had the experience that I had to change my SIM card and I went to the physical branch of my mobile operator with ID and old SIM card, and all they asked me for was a mobile phone number - I got a new SIM in less than 1 minute.

Therefore, for all who use 2FA via their mobile number, it is necessary to change the number as soon as possible - and until then, if possible, turn off 2FA because it is a backdoor that will be used by many who have bad intentions.

[LoyceV]

Therefore, for all who use 2FA via their mobile number, it is necessary to change the number as soon as possible - and until then, if possible, turn off 2FA because it is a backdoor that will be used by many who have bad intentions.

2FA by phone number is as bad as answering "secret questions" to regain access. A couple months ago I clicked "forgot password" in Gmail, and I was surprised how easy it is! That's great for large corporations, because they must have millions of users per month who need to recover their password, and an automated system makes that very cheap to do. But it's terrible for security, so I disabled as much of it as I could. No more recovery emails, and no connected phone number.
Unfortunately, more and more websites demand 2FA. I hate it! It's painstakingly slow to "quickly" login, and if anything it's less secure than just my password. Google Authenticator seems more secure (unless you use it to login on the same phone), but it doesn't provide a recovery phrase, so if your phone breaks, you'll have to go through support of all connected websites to recover your account.

[GrosWesh]

Google Authenticator seems more secure (unless you use it to login on the same phone), but it doesn't provide a recovery phrase, so if your phone breaks, you'll have to go through support of all connected websites to recover your account.

That's why it is so important to back up (outside the computer) either the recovery code given on 2fa creation or the associated qr code. 

[malevolent]

fortunately you seem not to be on 'full data' list (name+add etc...). A second db provides tons of mails that were linked to ledger in another way (mostly newsletter).

Yeah, maybe, but I have ordered from them before so not sure why they would only have my email.

How long ago did you buy them? Somewhere on reddit I've seen Ledger claiming to have >2 million customers. They could have lied about the number but I wonder if they kept the addresses for as long as the warranty lasted which differs from jurisdiction to jurisdiction (the legal minimum is usually at least 2 years in the EU but often less than that elsewhere).

But that e-mail address should only be visible to the admin/s and maybe to the mods if that rule applies when reporting post to moderator (although I think you once mentioned that this is not the case).

I can confirm that that is no longer the case.

I don't think staff could ever see their emails contrary to what the message said (I could be wrong but I don't remember ever seeing them), but yeah I'm referring to the forum database leak. It would be very easy to match those emails to the ledger ones and you would then have someone's full dox. If you knew they were a member that likely had or does have a bit of money then they would probably be easy targets.

All mods also used to get reports via email and along with that the reporter's email address would be included. I don't know if notifications settings changes affected that but afaik everyone or almost everyone used to get these emails.

They are not going to remove your data. French and EU laws force them to keep certain records for up to 10 years. At least that is what they say and write in their Privacy Policy.

Maybe French laws, but it's not EU laws that would force them to keep records for that long. It wouldn't hurt if they bothered to specify what they mean by "some transactional data". Satoshi Labs (Trezor) claims to sensitive delete user data after 90 days, and they're also in the EU.

[hilariousetc]

Unfortunately, more and more websites demand 2FA. I hate it! It's painstakingly slow to "quickly" login, and if anything it's less secure than just my password. Google Authenticator seems more secure (unless you use it to login on the same phone), but it doesn't provide a recovery phrase, so if your phone breaks, you'll have to go through support of all connected websites to recover your account.

If support easily deactivates 2fa then it's mostly useless anyway. 2 factor apps should probably require finger print unlocks. You're not going to forget your fingerprint and someone needs access to your device for that. Sadly, there's always going to be times when 2fs will need to be reset or removed and that's where the weakness is.

There are already victims whose data has been leaked to the network. Recently it was reported about a user who had $2,000 stolen. As soon as he learned about the hack, he decided to change the password on the device, and then he received a notification that a new device was added to his account with two-factor authentication.
You can read it in full at the link
https://www.coindesk.com/ledger-leak-sim-swap-home-invasion-threats

https://twitter.com/jimbochewdip/status/1341181907707572230?s=20

I wouldn't believe everything anonymous twitter accounts say. I'm not saying this hasn't happened and we shouldn't downplay the threat of it but I'm sure a lot of accounts will just be trolling or spreading fud and sim swapping is still quite rare. Phone providers probably should make the process more secure though and there must be ways that they can prevent the wrong person from getting the sims.

fortunately you seem not to be on 'full data' list (name+add etc...). A second db provides tons of mails that were linked to ledger in another way (mostly newsletter).

Yeah, maybe, but I have ordered from them before so not sure why they would only have my email.

How long ago did you buy them? Somewhere on reddit I've seen Ledger claiming to have >2 million customers. They could have lied about the number but I wonder if they kept the addresses for as long as the warranty lasted which differs from jurisdiction to jurisdiction (the legal minimum is usually at least 2 years in the EU but often less than that elsewhere).

I honestly can't remember but pretty sure it was more than 3 years ago. Maybe they only saved the address they were given consent to do so, or the addresses leaked were ones from more recently.

I don't think staff could ever see their emails contrary to what the message said (I could be wrong but I don't remember ever seeing them), but yeah I'm referring to the forum database leak. It would be very easy to match those emails to the ledger ones and you would then have someone's full dox. If you knew they were a member that likely had or does have a bit of money then they would probably be easy targets.

All mods also used to get reports via email and along with that the reporter's email address would be included. I don't know if notifications settings changes affected that but afaik everyone or almost everyone used to get these emails.

I think I had those notifications turned off, or at the least they were blocked by my email provider so I don't think I ever got them.

[Csmiami]

I honestly can't remember but pretty sure it was more than 3 years ago. Maybe they only saved the address they were given consent to do so, or the addresses leaked were ones from more recently.

I know a person affected that bought it aproximately 2.5 years ago; so if you bought it 3 years ago, that kind of pinpoints the beginning of the leak

[Marvelman]

I honestly can't remember but pretty sure it was more than 3 years ago. Maybe they only saved the address they were given consent to do so, or the addresses leaked were ones from more recently.

I know a person affected that bought it aproximately 2.5 years ago; so if you bought it 3 years ago, that kind of pinpoints the beginning of the leak

Not necessarily. It may well be that the hacker could not access all the data from the database for any other (technical) reasons.

[Lucius]

Bad news from Ledger (again).

Now, we have new information to share: on December 23rd, 2020 we received a notification from our e-commerce service provider, Shopify, regarding an incident involving merchant data in which rogue member(s) of their support team obtained customer transactional records, including Ledger’s. The agent(s) illegally exported customer transactional records in April and June 2020. According to Shopify, this is related to the incident reported September 2020, which concerns more than 200 merchants, but until December 21st, 2020, Shopify had not discovered that Ledger was also targeted in this attack. Shopify tells us they engaged digital forensics experts and counsel to continue their investigation on the matter and have reported the matter to law enforcement in both Canada and the USA.

Along with forensic firm Orange Cyberdefense we were able to establish that it affects approximately 292,000 customers. While the database is 93% similar to those exposed in the previous attack there were approximately 20,000 new customer records including, email, name, postal address, product(s) ordered and phone number included in this breach.

If you’re among those who slipped through for the first time, check your emails because Ledger has sent a notification to all new winners who will start receiving phishing messages and be at risk of physical assault.

[irfan_pak10]

Bad news from Ledger (again).

Now, we have new information to share: on December 23rd, 2020 we received a notification from our e-commerce service provider, Shopify, regarding an incident involving merchant data in which rogue member(s) of their support team obtained customer transactional records, including Ledger’s. The agent(s) illegally exported customer transactional records in April and June 2020. According to Shopify, this is related to the incident reported September 2020, which concerns more than 200 merchants, but until December 21st, 2020, Shopify had not discovered that Ledger was also targeted in this attack. Shopify tells us they engaged digital forensics experts and counsel to continue their investigation on the matter and have reported the matter to law enforcement in both Canada and the USA.

Along with forensic firm Orange Cyberdefense we were able to establish that it affects approximately 292,000 customers. While the database is 93% similar to those exposed in the previous attack there were approximately 20,000 new customer records including, email, name, postal address, product(s) ordered and phone number included in this breach.

If you’re among those who slipped through for the first time, check your emails because Ledger has sent a notification to all new winners who will start receiving phishing messages and be at risk of physical assault.

I have received an email today, That I'm from one of those unfortunates, whose data has been leaked. 

[LoyceV]

Bad news from Ledger (again).

Can't they just send all customers a big sign to put in front of their house? "Ledger owner here!"

[Csmiami]

---

If all the spending on "security and investigations" they claim to be doing is somehow true; they'd be short for making and shipping more than 293 thousand signs....

Best that can be done right now, is wait and see what the data protection agencies have to say on this... I filed a complaint/report a couple of weeks ago