Ledger database leak --> Phishing

[UserU]

I don't get why a forum should warn its user about phishing mails from a completely different company.
In fact, it could even lead to a perceived security, in times where there is no such warning. But those phishing mails are still being sent. 24 hours a day, 7 days a week and 52 weeks a year.

Fair point.

Well I guess that being a Bitcoin-centric forum, surely there are some users that own Ledgers so it's still a piece of useful news that could come in handy.

[1714148403]

1714148403

[1714148403]

1714148403

[Poker Player]

I got one and it does look very convincing if you don't pay attention.

Indeed.

I've just received two, identically the same. I don't know why they have sent me two. But I've checked to see what was happening and I've realized that the phishing ones come from support@ledger.cam while the one I got warning me of the phishing scam attempts came from noreply@ledger.com.

I just received another such email in my inbox, even though I reported that address as phishing. They are good. The problem is, now that they have our email addresses, they are not going to stop.

If I buy another hard wallet, I will buy Trezor.

[GrosWesh]

I just received another such email in my inbox, even though I reported that address as phishing. They are good. The problem is, now that they have our email addresses, they are not going to stop.

If I buy another hard wallet, I will buy Trezor.

They are patient and vicious: the hack took place at the end of July and they waited several months before going on the offensive.

I received 3 * 2 mails (yes in duplicate each time) With variations.

I have been receiving messages on my smartphone since a few days.



Like you wrote, it's not about to stop  . (In addition, when it no longer traps many people, the data can be sold on the darknet..)

[hilariousetc]

I got one and it does look very convincing if you don't pay attention.

Indeed.

I've just received two, identically the same. I don't know why they have sent me two. But I've checked to see what was happening and I've realized that the phishing ones come from support@ledger.cam while the one I got warning me of the phishing scam attempts came from noreply@ledger.com.

I just received another such email in my inbox, even though I reported that address as phishing. They are good. The problem is, now that they have our email addresses, they are not going to stop.

If I buy another hard wallet, I will buy Trezor.

Well trezor could be hacked too. It's probably a good idea to use multiple email addresses and keep one for personal stuff and have others for everything else to minimise exposure. Any company can suffer hacks and data breaches though.

I just received another such email in my inbox, even though I reported that address as phishing. They are good. The problem is, now that they have our email addresses, they are not going to stop.

If I buy another hard wallet, I will buy Trezor.

They are patient and vicious: the hack took place at the end of July and they waited several months before going on the offensive.

They might have just been waiting for the highest bidder. The trouble is once the data is out there it goes exponential as the people who bought it will sell it onto someone else and so on and it gets cheaper and cheaper every time until it just becomes public data at some point.

[Lucius]

I received 3 * 2 mails (yes in duplicate each time) With variations.
I have been receiving messages on my smartphone since a few days.

I haven't received any phishing e-mail yet, but you say here that you received messages on your smartphone as well, do you mean text messages? I know our phone numbers have also leaked, and that somehow seems even more dangerous to me than e-mails. In addition to using SMS, there is the possibility of fake calls that will be presented as fake Ledger support, not to mention that everyone should be careful about SIM swap, so it is not smart to use compromised phone numbers for 2FA.

[Pmalek]

@Lucius
At the moment it is difficult to say how many phone numbers were leaked. Ledger initially claimed it was only 9.500 users who had data, such as full name, address, and phone numbers leaked. If I consider their most recent behavior and what crap they were focused on when they should have handled security concerns, I can't really say that I trust what they say is true.

Maybe you saw Csmiami-s post from a few days ago. Ledger stated they contacted each of the 9.500 users who had all their personal data leaked. Csmiami received a fake SMS message, but he never received that personalized email that Ledger promised they would send their users to warn them.

That could mean that they forgot to send him an email, or the compromise is much bigger than what they initially thought. He could also be lying (which I don't think he is) or he forgot he received the initial email. Or it could mean that Ledger is lying or they don't know the extent of the hack.

This was Csmiami-s post:

Surprise surprise; I've checked back all the emails Ledger sent me around that time, and besides the general email (saying the same that the blog entry says), I did not receive any "dedicated email", but what I have received is a SMS addressing me by the name I provided to the company at the time I made my only purchase to them. This leads me to believe that I was between those alleged 9.500 users, but was never notified.

[Csmiami]

As I've been mentioned here, I'd like to correct a small misconception I've read on the thread:

The hack didn't take place in July; it was detected in July, and no report has been published saying when thta did happen, so one can only imagine how many data they've been able to steal over the...months? years?

Apart from that, I contacted Ledger to double check (I mean, it was obvious but still) whther the SMS I received was fake or not; and they confirmed it was fake; but did mention nothing about me being part of those alleged 9500 people. The rest of the reply was a copy paste BS about opsec. And I know it was a copy-paste because I've mentioned the word SMS 3 times in my original email, and they responded with a "the email you received...."

Hope this couple of clarifications make you think a bit...

[GrosWesh]

I received 3 * 2 mails (yes in duplicate each time) With variations.
I have been receiving messages on my smartphone since a few days.

I haven't received any phishing e-mail yet, but you say here that you received messages on your smartphone as well, do you mean text messages? I know our phone numbers have also leaked, and that somehow seems even more dangerous to me than e-mails. In addition to using SMS, there is the possibility of fake calls that will be presented as fake Ledger support, not to mention that everyone should be careful about SIM swap, so it is not smart to use compromised phone numbers for 2FA.

Yep i mean Sms.

In this message, i was advised to connect to their site at the following address :



I entered this address on a pc and here is the result 




Regarding fake calls from 'Ledger' I cannot be trapped since i decided not to use my ledger anymore. I'm very angry with my Nanox but that's another whole subject (access problems 'Failed to sign with Ledger device: U2F TIMEOUT').


And yes unfortunately, the risk of sim swapping is increased in this case.

As I've been mentioned here, I'd like to correct a small misconception I've read on the thread:

The hack didn't take place in July; it was detected in July, and no report has been published saying when thta did happen, so one can only imagine how many data they've been able to steal over the...months? years?

Apart from that, I contacted Ledger to double check (I mean, it was obvious but still) whther the SMS I received was fake or not; and they confirmed it was fake; but did mention nothing about me being part of those alleged 9500 people. The rest of the reply was a copy paste BS about opsec. And I know it was a copy-paste because I've mentioned the word SMS 3 times in my original email, and they responded with a "the email you received...."

Hope this couple of clarifications make you think a bit...

So true !

[Daltonik]

Meanwhile, according to the telegram channel @Goldfoundinshit TM, funds stolen from the owners of the Ledger wallet have started to move.
From the wallet address bc1q9g52wp96ndzma850jl2ncummwsxzrj0alwd6js where there were 107 BTC scammers brought bitcoins to 2 addresses:

bc1qrzpl4y8qvpngkfqdh9apjs8maajp4fvkzk3exa - 51.9 BTC
 bc1qr93x4pwnwk9cqtp8jj0myqkwrudh9a0acjqxjl - 55.47 BTC

The screenshot shows a graphic image of the movement of funds as a result of a phishing attack on wallet owners, where the victims ' transactions to the phishing address are represented as rays, and the unspent outputs are represented as cubes.

[GrosWesh]

I'm posting here again because there is something new and unfortunately the phishing and other scams attempts are not about to stop since someone has made the stolen database available for free on 'raidforums'.

https://twitter.com/JimmyMcShill/status/1340733120610447365

Ledger confirmed 

https://twitter.com/Ledger/status/1340769565639233536

[Pmalek]

We can now expect new phishing campaigns by various individuals and hacking groups. The first series of attacks were well-composed and looked pretty good compared to the usual phishing spam by partially illiterate rejects. Now everyone can get access to the database, if in fact it is the real database and not something malware infected.

[hilariousetc]

I'm posting here again because there is something new and unfortunately the phishing and other scams attempts are not about to stop since someone has made the stolen database available for free on 'raidforums'.

https://twitter.com/JimmyMcShill/status/1340733120610447365

Ledger confirmed 

https://twitter.com/Ledger/status/1340769565639233536

It's always only a matter of time before these things go public. The data gets cheaper and cheaper as people resell it on to as many people as they can until it practically becomes worthless or worth very little and finally some cunt just releases it for free. It seems it's behind some sort of a paywall though (if you can call it that) but for only 8 of their forum credits which can either be purchased for less than 8 euros or even earned for free there (I guess they have a similar sort of merit system there as to here where you can reward posts and data leaks etc).

Does anyone know if there's a way to search what data has been released from ledger? It seems that some people only had their emails leaked whilst others had their full addresses and phone numbers. I wonder if there'll be lawsuits over this?

We can now expect new phishing campaigns by various individuals and hacking groups. The first series of attacks were well-composed and looked pretty good compared to the usual phishing spam by partially illiterate rejects. Now everyone can get access to the database, if in fact it is the real database and not something malware infected.

I've had a couple of half-assed attempts already the past couple of days.

[DdmrDdmr]

<…> Now everyone can get access to the database, if in fact it is the real database and not something malware infected.

It look very real to me, much more that we’d like it to be... there are two files:

- The personal data file (purchases) has full contact information for:
8k Spain
17k France
23k Germany
And so on, bearing email, name & surnames, full address and phone number.

- The email has over 1M emails.

What a fuckup … One that does warrant a lawsuit (I’ve seen some talk about it here and there, but not sure how committed the initiatives are).

[Pmalek]

What a fuckup … One that does warrant a lawsuit (I’ve seen some talk about it here and there, but not sure how committed the initiatives are).

I guess someone could file a complaint against Ledger if he suffered financial loss. Not sure what the law is in cases like this were data is leaked but it didn't lead to financial loss. Maybe claiming that the privacy leak caused you distress, sleepless nights, and emotional trauma. It could probably work in the US, but Europe...   

[Lucius]

Does anyone know if there's a way to search what data has been released from ledger? It seems that some people only had their emails leaked whilst others had their full addresses and phone numbers. I wonder if there'll be lawsuits over this?

Just use link from GitHub posted by xoso, click on Ledger.rar -> Go to file -> Click on View Raw and there you can search in buyer txt file or All emails file inside your browser by using CTRL+F.

Thanks, @suchmoon for reminded me of how to search for something inside browser.

[mole0815]

Just received the official mail from noreply@ledger.com

Security Notice
What happened?
We contacted our customers last July to tell them that part of our e-commerce marketing database had been leaked.

Yesterday we were informed about the dump of the content of a Ledger customer database on Raidforum. We believe this to be the contents of our e-commerce database from June, 2020. For specific questions please refer to the FAQ, which we will continue to update to address your concerns.

What information was involved?
At the time of the incident, in July, we engaged an external security organisation to conduct a forensic review of the logs available. This review of the logs enabled us to confirm that approximately 1 million email addresses had been stolen as well as 9,532 more detailed personal information (postal addresses, name, surname and phone number) that we were able to specifically identify.

The database publicly released yesterday shows that a larger subset of detailed information has been leaked, approximately 272,000 detailed information such as postal address, last name, first name and telephone number of our customers. These details are not available in the logs that we were able to analyse.

If you are part of the detailed personal information subset, you will receive a specific email notifying you within the next 24 hours (check your spam box).

It is important to note that this data breach is not linked to our hardware wallets nor Ledger Live security and your crypto assets are safe and not in peril of being compromised. Due to our comprehensive security scheme, attackers cannot steal your sensitive information like recovery phrases and private keys unless you give it to them. You are the only one in control and able to access this information. DO NOT GIVE YOUR 24 WORDS TO ANYONE. Ledger will NEVER ask you for your 24 words.

What we are doing
Since July, we notified our clients in several communications via email, blog posts, and Twitter. We are doing everything possible to make Ledger stronger for the future. We have hired a new Chief Information Security Officer (CISO). We are further hardening our already strong systems and have thoroughly reviewed our data policy. We executed penetration tests and forensic analysis with external security firms to test these and find any additional vulnerabilities on our e-commerce systems.

We are continuously working with law enforcement to prosecute hackers and stop these scammers. We have taken down more than 170 phishing websites since the original breach. We have notified the French data protection authority regarding the data breach and are working with other data protection authorities across the world. Our Customer Support team is working 24/7 to answer your questions.

We are doing everything we can to proactively deal with this critical situation and prevent anything similar in the future. We wish we could turn back the hands of time and make this problem disappear. Unfortunately we cannot, so we are focused on today and the future. Please be sure we are more focused than ever on security in every part of our customer experience.

What you can do
We recommend you exercise caution -- always be mindful of phishing attempts by malicious scammers. Ledger will never ask you for the 24 words of your recovery phrase, not even in Ledger Live. Ledger will never contact you via text messages or phone call.

Furthermore, while we do all we can, we suggest you visit the security section of Ledger Academy to educate yourself on general security principles and more precisely our article about phishing attacks. Also, familiarize yourself with the anatomy of these ongoing phishing campaigns and report any phishing you experience on this dedicated page.

If you want to know if your information may have been exposed previously head to https://haveibeenpwned.com/

We have taken immediate action to resolve the damage, and are diligently working to protect all customer information. We are extremely regretful that this incident impacts our customers and recognize it will take time to restore your confidence. We will do everything in our power to show you that this has made Ledger better, stronger, and more secure.

Sincerely,
Pascal Gauthier
CEO, Ledger

This page contains all the latest info and will be used as a source of info in the future:
https://support.ledger.com/hc/en-us/articles/360015559320-E-commerce-and-Marketing-data-breach-FAQ

[UserU]

Just received the official mail from noreply@ledger.com

Was it categorized under Spam? I received 2, most probably the one you quoted earlier but I didn't want to click on either because of the compromise.

[mole0815]

Just received the official mail from noreply@ledger.com

Was it categorized under Spam? I received 2, most probably the one you quoted earlier but I didn't want to click on either because of the compromise.

The official mails are very rarely blocked and come from @ledger.com

The other Mails often ends up in spam.
Always check the sender (even better header) and always, always, always! be careful.

Some other infos: https://support.ledger.com/hc/en-us/articles/360035343054-Beware-of-phishing-attempts

[TryNinja]

Was it categorized under Spam? I received 2, most probably the one you quoted earlier but I didn't want to click on either because of the compromise.

Mine went to the Spam folder (also from noreply@ledger.com).

I already received 2 phishing emails since yesterday. One of them from "Ledger Alerts", asking me to do a KYC to "unlock" my wallet. =/

[GrosWesh]

I already received 2 phishing emails since yesterday. One of them from "Ledger Alerts", asking me to do a KYC to "unlock" my wallet. =/

I also received 4 phishing emails and 2 phone calls today ...

A lot of people will grab the data n try to launch small scams ...

I think i'll have to change email and phone number ... ty ledger