Ledger database leak --> Phishing

[DdmrDdmr]

<…>

After seeing the Security Notice around, I was going nuts on my threads on B&H & Local, trying to decipher if the Security Notice referenced the same leak or a different one. That should be made crystal clear on the notice, as people need to understand things the first time around, not needing to infer, guess, or require further investigations.

This does mean though, that data is treated even more poorly that one could suspect. Being Shopify their e-commerce platform partner, it turns out that, seemingly, data is held both by Shopify and Ledger (something that I have not managed to read on their website). That is gross to say the least. As a customer, you are providing (and wishing you hadn’t) data to Ledger (and any thung in the aftermaths). I doubt any purchaser was aware that data was retained by Shopify.

This is therefore now void: https://www.ledger.com/our-ecommerce-database-has-not-been-hacked

[1714045806]

1714045806

[1714045806]

1714045806

[1714045806]

1714045806

[malevolent]

This does mean though, that data is treated even more poorly that one could suspect. Being Shopify their e-commerce platform partner, it turns out that, seemingly, data is held both by Shopify and Ledger (something that I have not managed to read on their website). That is gross to say the least. As a customer, you are providing (and wishing you hadn’t) data to Ledger (and any thung in the aftermaths). I doubt any purchaser was aware that data was retained by Shopify.

Most companies tend to admit somewhere, either in their terms of service, or in their privacy policies, that the company will or reserves the right to share (usually a lot of) information relating to the customer or the customer's orders.

And Ledger is no exception:

https://shop.ledger.com/pages/privacy-policy

We may also transmit some of your data to third parties such as payment services, infrastructure, logistics, and other services providers.

We enter into contractual arrangements with these third parties to ensure that personal data they could have to process for the provision of their tasks is adequately secured and that your privacy is protected. These providers have privacy policies which you may refer to for information about how they process your information and how to exercise your data subjects’ rights as provided under Applicable Laws. All personal data processed by these third parties shall solely be used to perform the services they provide to us and for the purposes set out in this Privacy Policy.

In certain circumstances and only where required by Applicable Laws, we may disclose some of your data to competent administrative or judicial authorities or any other authorized third party.

emboldening mine

Is the buyer aware of all providers that get to access their data and possibly store them indefinitely?

[stompix]

Bad news from Ledger (again).

Oh crap, oh crap, oh please no!
I'm one of the lucky ones (!?) with the email leaked but not with the address and other details, I pray for it to stay the same!
No new email received...yet!

Checking again the spam folder, I've just got the third phishing email, the same stuff with google forms, this time they didn't even bother to write anything down just the link and that's all at least the previous ones were informing me that my wallet was deactivated!

Can't they just send all customers a big sign to put in front of their house? "Ledger owner here!"

Lots of house sellers might have to start adding a few reasons for their discounts
- ancient burial ground
- murder committed
- address leaked in ledger hack and prone to a home invasion

But this thing is so damn creepy, there is a guy in my neighborhood with the address leaked, he is living (or he had) in the block of flats exactly in front of me!

[lovesmayfamilis]

Now Ledger has big plans. To restore user confidence, Matt Johnson told what changes will occur in the near future, so that the case of data breaches will not happen again.

Delete, delete, delete
Moving forward, Ledger will delete data from its e-commerce partner as well as move customer data to a database that can’t be accessed from the internet as soon as your order is fulfilled, before deleting it as soon as they’re legally able.

The company will also be deleting names, addresses and phone numbers from confirmation emails sent to customers so that this data is not passed through third-party e-commerce email providers.

The email and social media will only be used for marketing messages and announcements, Ledger Live accounts are being set up to communicate technical and security information, seemingly to avoid instances of previous phishing scams, in which scammers encouraged Ledger users to download important security updates via genuine-looking emails.

https://www.coindesk.com/ledger-bitcoin-bounty-new-data-security-after-hack

Of course, we can say that a leak is equated with a human factor, and few people are insured against it. Here the expression "lock the barn door after stealing a horse" is very appropriate.

[DdmrDdmr]

<…>

Thanks. I was searching for the term Shopify, wanting to see if there was an explicit mention to their partner, but it seems to be camouflaged amongst the classic generic clauses.

From a conceptual point of view, there does not seem to be a reason for Shopify to retain customer data once the purchase TX has been fulfilled. After all, there seemingly is no customer record the user can go back to in order to view or edit information about his orders.

It’s not explicitly clear how the data flow works between Shopify and Ledger, although I figure that the data record to fulfil the order goes first to Shopify, and then a copy is transferred over to Ledger, in order to store and build it’s customer’s database. If Shopify acts as a mere gateway, there does not seem to be a conceptual reason for them to retain the data in this particular case.
It could nevertheless be that Ledger uses a subset of Shopify’s services and capabilities, which, for other Shopify clients (corporations), may require managing the customer database in a more perpetual way. Looking over their website, it does seem that the platform can manage customer records for their clients, since amongst the features for their platform are those to manage customer accounts and customer profiling.

Ledger may be minimizing the functionality it uses, but the workflows are bound to be subsets of Shopify’s platform, and if the platform inherently stores customers and orders, even if we as users don’t have access to such functionality, it’s probably there, subjacent, storing customer data because the platform’s functional structure and functionality requires it.

Ledger customers are certainly not aware of this, and the generic paragraphs they use may cover, but do not easily allow users to figure this is happening under the hood. Mind you, it’s not something specific to them, which is not an excuse.

Note: I’ve just increased my 24h, 48h ratios …

[Lucius]

I have received an email today, That I'm from one of those unfortunates, whose data has been leaked. 

Unlike all those data that have become publicly available, these 22 000 new ones hacked with Shopify are not, as far as I know, publicly available. Which means it all depends on the hacker, maybe they will use the database only for themselves, and maybe at some point they will decide to sell it or make it public.

Oh crap, oh crap, oh please no!
I'm one of the lucky ones (!?) with the email leaked but not with the address and other details, I pray for it to stay the same!
No new email received...yet!

Then you are really lucky if you are not among the 292 000 users who have been unlucky so far. Email spam is something you can definitely live with, but when you start getting text messages and calls on a daily basis that include threats to you and your family if you don’t hand over the seed, then things get a lot harder to bear.

This does mean though, that data is treated even more poorly that one could suspect. Being Shopify their e-commerce platform partner, it turns out that, seemingly, data is held both by Shopify and Ledger (something that I have not managed to read on their website). That is gross to say the least.

What else to say but that it is pure amateurism in collecting data and storing it. I'm just wondering (like many others), are these all the unpleasant surprises that will come from Ledger or is there something else we haven't learned yet. Either way, I will sleep much more peacefully when Ledger is no longer my primary hardware wallet.

[hilariousetc]

I have received an email today, That I'm from one of those unfortunates, whose data has been leaked.  

Unlike all those data that have become publicly available, these 22 000 new ones hacked with Shopify are not, as far as I know, publicly available. Which means it all depends on the hacker, maybe they will use the database only for themselves, and maybe at some point they will decide to sell it or make it public.

To be honest, the wise thing to do from the hacker's perspective would be to try utilise it themselves and grab what they can then I'm sure they'll sell it on to the highest bidder once they've milked it for all its worth and then they'll sell it and so on until it becomes worthless/public like the last batch did.

Oh crap, oh crap, oh please no!
I'm one of the lucky ones (!?) with the email leaked but not with the address and other details, I pray for it to stay the same!
No new email received...yet!

Then you are really lucky if you are not among the 292 000 users who have been unlucky so far. Email spam is something you can definitely live with, but when you start getting text messages and calls on a daily basis that include threats to you and your family if you don’t hand over the seed, then things get a lot harder to bear.

If your phone number is out there like this then you should just change it as it will be passed around spammers like a hot potato and will end up on all sorts of scammers and marketing lists. Probably best to change your email as well. All it does it make you an easier target if you continue to use it.

Now Ledger has big plans. To restore user confidence, Matt Johnson told what changes will occur in the near future, so that the case of data breaches will not happen again.

Delete, delete, delete
Moving forward, Ledger will delete data from its e-commerce partner as well as move customer data to a database that can’t be accessed from the internet as soon as your order is fulfilled, before deleting it as soon as they’re legally able.

The company will also be deleting names, addresses and phone numbers from confirmation emails sent to customers so that this data is not passed through third-party e-commerce email providers.

The email and social media will only be used for marketing messages and announcements, Ledger Live accounts are being set up to communicate technical and security information, seemingly to avoid instances of previous phishing scams, in which scammers encouraged Ledger users to download important security updates via genuine-looking emails.

https://www.coindesk.com/ledger-bitcoin-bounty-new-data-security-after-hack

Of course, we can say that a leak is equated with a human factor, and few people are insured against it. Here the expression "lock the barn door after stealing a horse" is very appropriate.

I think this needs to be a wake up call for people more than anything to know that you can't really trust any company with your data and to take appropriate cautions when you give away stuff like this ie don't use a phone or email that could lead to further complications. A company can have water-tight security but a rogue employee can always steal the info as happened here so no company is safe.

[m2017]

I have received an email today, That I'm from one of those unfortunates, whose data has been leaked. 

Unlike all those data that have become publicly available, these 22 000 new ones hacked with Shopify are not, as far as I know, publicly available. Which means it all depends on the hacker, maybe they will use the database only for themselves, and maybe at some point they will decide to sell it or make it public.


Then you are really lucky if you are not among the 292 000 users who have been unlucky so far. Email spam is something you can definitely live with, but when you start getting text messages and calls on a daily basis that include threats to you and your family if you don’t hand over the seed, then things get a lot harder to bear.

292 000 users? Isn't it too little for a company that has sold tens of millions of devices?

This is a terrible oversight and negligence for Ledger, a loss of reputation and trust.

I hope that this negative experience will change the attitude of companies that process personal data towards their users and information about them for the better.

I also think that this case is a vivid example of the fact that you cann't be 100% trusted by companies and you need to take care of your privacy yourself.

[Lucius]

292 000 users? Isn't it too little for a company that has sold tens of millions of devices?

Where did you get that information? According to what Ledger publicly acknowledged last year, there are just over 2 million devices sold in total. It would be interesting to know how many unique customers there are, as many have bought more than 1 device over the years - although the Model S is the most popular, there were models before it - Ledger HW 2014

The most popular hardware wallets: more than 2 millions units sold all over the world

[Marvelman]

This is a terrible oversight and negligence for Ledger, a loss of reputation and trust.

Yes. What Ledger did was needlessly damage their customers, whether intentional or otherwise. Yet, Ledger doesn't make any attempt to refund the money, although it seems logical to assume that such an action would have made things better.

I also think that this case is a vivid example of the fact that you cann't be 100% trusted by companies and you need to take care of your privacy yourself.

Exactly. Dont give out any information that could be used to identify you to people. If you are a legal adult, there is no law against being anonymous.

[bob123]

What Ledger did was needlessly damage their customers, whether intentional or otherwise.

I heavily doubt they intentionally damaged their own reputation for no good reason other than hurting themselves.
This sounds like a obscure conspiracy theory to me.

As if they have planned to hurt themselves and lots of their customer..

Yet, Ledger doesn't make any attempt to refund the money, although it seems logical to assume that such an action would have made things better.

It seems logical?
Do you really expect a company to pay back the money it got for a completely functional product? Because there was a database breach which does not affect the product at all?

This is a delusional thought.

[Marvelman]

It seems logical?
Do you really expect a company to pay back the money it got for a completely functional product? Because there was a database breach which does not affect the product at all?

This is a delusional thought.

Delusional thought? I do not think so. Obviously you are not familiar with the GDPR regulations of the European Union.

The GDPR gives you a right to claim compensation from an organisation if you have suffered damage as a result of it breaking data protection law. ... You do not have to make a court claim to obtain compensation – the organisation may simply agree to pay it to you.

source: https://ico.org.uk/

You can claim compensation if a company or organisation hasn’t respected the data protection law and you’ve suffered material damages (for example financial loss) or non-material damages (for example distress or loss of reputation). You can make a claim to the company or organisation concerned or before the national courts. You can claim compensation before the courts of the EU Member State where the controller or processor is established. Alternatively, such proceedings may be brought before the courts of the EU Member State of your habitual residence.

https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/redress/can-i-claim-compensation_en

[LoyceV]

GDPR regulations of the European Union.

The GDPR gives you a right to claim compensation from an organisation if you have suffered damage as a result of it breaking data protection law. ... You do not have to make a court claim to obtain compensation – the organisation may simply agree to pay it to you.

Any damage caused has no relation to the price of the product they sold. It would be interesting to see if similar cases have been won. I found this:

In line with Article 6:106 (1)(b) Dutch Civil Code, the burden of proof is on the claimant to demonstrate it suffered damages, which can be particularly challenging in privacy cases.

In this case, a municipality shared personal data with other municipalities, which makes the burden of proof very difficult: there is no direct damage. In Ledger's case, if their recklessness for instance forces you to move due to threats, the burden of proof becomes much easier. The damage will be much higher than the cost of their USB wallet.

[Marvelman]

No, there is no direct damage in Ledger's case, but one may argue for non-material damages (for example distress). And I agree that any damage incurred is not directly related to the price of the product.

I think this story regarding Ledger is far from over.

[Csmiami]

----

This is a great thing to know, but there is a big BUT.

To put some context into it, I did file a complaint to my state data protection agency on the 7th (still no answer) and as I was browsing their site, I found the following regarding things they cannot do:

If you wish to request compensation for how your private data has been handled, you'll have to go to trial/tribunals.

I strongly suspect that the rest of the European data protection agencies will have if not the same, very similar procedures. If we (or anyone) wants a compensation, they'll have to fight for it either on their own, or as a batch of angry customers in front of a judge. However, I do believe that if a data protection agency deems the data treatment incorrect, it'd be very very very (extremely) hard for Ledger to reason otherwise should a a trial arrive

[hilariousetc]

What Ledger did was needlessly damage their customers, whether intentional or otherwise.

I heavily doubt they intentionally damaged their own reputation for no good reason other than hurting themselves.
This sounds like a obscure conspiracy theory to me.

It sounds like a shitpost to me. This is probably the worst thing that could happen to Ledger as a company. They'll lose millions in business, will probably face at least some lawsuits whether they'll be successful or not and a lot of confidence in them will be lost. If they could have avoided this they would have.

It seems logical?
Do you really expect a company to pay back the money it got for a completely functional product? Because there was a database breach which does not affect the product at all?

This is a delusional thought.

Delusional thought? I do not think so. Obviously you are not familiar with the GDPR regulations of the European Union.

The GDPR gives you a right to claim compensation from an organisation if you have suffered damage as a result of it breaking data protection law. ... You do not have to make a court claim to obtain compensation – the organisation may simply agree to pay it to you.

source: https://ico.org.uk/

You can claim compensation if a company or organisation hasn’t respected the data protection law and you’ve suffered material damages (for example financial loss) or non-material damages (for example distress or loss of reputation). You can make a claim to the company or organisation concerned or before the national courts. You can claim compensation before the courts of the EU Member State where the controller or processor is established. Alternatively, such proceedings may be brought before the courts of the EU Member State of your habitual residence.

https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/redress/can-i-claim-compensation_en

This would be a nightmare to enforce and fraud would be widespread. How would you even prove you were effected? All you would need to do was send your coins to another address and then complain you've been hacked. There's no real way to verify it. At the end of the day it was still the users that sent the money elsewhere. When this sort of fraud happens with fiat banks if the owner of the account willingly sent the funds in most cases they bank won't refund them.

[Csmiami]

This would be a nightmare to enforce and fraud would be widespread. How would you even prove you were effected? All you would need to do was send your coins to another address and then complain you've been hacked. There's no real way to verify it. At the end of the day it was still the users that sent the money elsewhere. When this sort of fraud happens with fiat banks if the owner of the account willingly sent the funds in most cases they bank won't refund them.

That goes for material damages, but this case is not really about them (or at least if you had some common sense). Honestly, the first days the database was made public I had very stressfull evenings, overthinking what could happen next, knowing my data was out there and directly related to crypto. The first people reporting some (pretty lame) extortion attempts didn't help with the overthinking; although I knew that even if I received any email of that type I'd probably just laugh and tell them to change from legacy to segwit . Now that some time has passed, I am indeed more calmed, but the pshychological effect of having everything out in the open is still there, and if there was any reason to actually ask compensation for, I think that should be it. So non-material damages, although harder to prove, are our best option against the company

Small disclaimer: Although I'd love to see some kind of compensation, I haven't really filed a complaint because of that, but because I want to see ledger burn; paying a couple of hefty fines would indeed make me a little bit happier. It's not the first time I've said I'm not after the money here

[Marvelman]

As Csmiami pointed out, I wasn't really talking about material, but non-material damages. And it's not that hard to prove if I start getting a bunch of threatening messages in my email inbox or on my phone number.
Of course, some will say, change your email address and your phone number, or even your home address. But why should we bear all the consequences and not those who are directly responsible?

I didn't actually think Ledger did this on purpose. I said that part wrong. But I do believe they were aware of the incident, but they deliberately tried to cover it up and downplay it until the hacked data surfaced in public.

[stompix]

Yet, Ledger doesn't make any attempt to refund the money, although it seems logical to assume that such an action would have made things better.

Better? I doubt it!
People who are pissed about this leak are the ones afraid of their safety, and I find it hard to believe 100$ would make things better unless that's the maximum point at which you value your life. Refund everybody, they will claim bankruptcy, and what has been fixed? Nothing!
You get a free product that is no longer covered by any warranty and that's all.

Delusional thought? I do not think so. Obviously you are not familiar with the GDPR regulations of the European Union.
https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/redress/can-i-claim-compensation_en

You missed one point, first, someone will have to prove in court that Ledger did not take all required actions in order to protect the data, if Ledger is not found guilty of that in court then all your claims against them will be void.

I didn't actually think Ledger did this on purpose. I said that part wrong.

Then you don't have a case.

But I do believe they were aware of the incident, but they deliberately tried to cover it up and downplay it until the hacked data surfaced in public.

Now, if you really are keen on making ledger pay there is a different article on which you can make claims, but again this is way harder to prove in court is about informing the affected party of the security breach without delay, thing Ledger hasn't but here you will have to prove again that without the delay you could have taken measures to avoid ..whatever your claim will be.

As I see the situation now, Ledger has high chances of getting away with it, probably only a few of the customers will go to court as there are a lot of things stopping some to do so, besides being in a foreign country, not wanting to lose time and money in legal battles there is also something else. Some will avoid coming out in public, I know for certain that right now at least a few are more concerned about the IRS or its national counterpart than hackers.
That being said I think Ledger will be punished by customers more than the court, right now for me buying any type of hardware wallet is out of the question, I know that I won't be twice lucky so I'm going DIY from now on.

[Daltonik]

A Ledger user lost $27,000 in bitcoins by swapping a SIM card. The californian received a message from the mobile operator T-Mobile about the freezing of the account after unsuccessful attempts to change the password. The information was confirmed by the specified phone number.

The user received a new password to the email linked to the Ledger cryptocurrency wallet. Later, he received a call allegedly from the developer company and was informed about the hacking of the storage.
The caller requested a password and account identification numbers. A resident of California passed the data and after checking the wallet found the missing bitcoins.

https://www.ktvu.com/news/daly-city-man-scammed-out-of-27000-in-bitcoin