Ledger database leak --> Phishing

[Csmiami]

The caller requested a password and account identification numbers.

Why do I have the feeling this refers to the seed? Can't really think of any way of loosing the funds on a physicall device just because of a SIM swapping....

[1715487231]

1715487231

[1715487231]

1715487231

[Rizzrack]

Why do I have the feeling this refers to the seed? Can't really think of way of loosing the funds on a physicall device just because of a SIM swapping....

This is what it sounds like. If he "confirmed" the passphrase with the "operator" than it's 100% on him. These thieves can be very tricky but this should be common sense.
I guess this in one of the reasons the masses are reluctant to use crypto, because there is no 0800 number to call and get them back if you do some dumb shit. Both privacy and comfort come with their price tags.
Look on the bright side. In a parallel universe the "Facebook hardware wallet" might have the seed in plain text. At least it's not the case here.

[stompix]

I don't understand what sim swap happened nor how you could blame anybody but the victim in this case.

as-yet-unnamed, called Daly City police on January 14 to report that he received a text from a person purporting to represent telecommunications provider T-Mobile, who said his account was frozen after multiple attempts were made to change his password.

This ain't swim swapping.
If a sim swap would have happened his original sim would have been deactivated by the telecom company and he would have not received any call.
Probably the first one is a different scammer.

He later received a call from a blocked number. The caller identified himself as an operator for Ledger, the crypto wallet hardware company that held the man’s Bitcoin, informing him that his account had been compromised. The caller extracted his passcode and anonymous account identification numbers.

So an unknown guy called him, told him he is a Ledger operator, and got probably the seed from him.
He lost $27k but this was totally his fault.

[Lucius]

So an unknown guy called him, told him he is a Ledger operator, and got probably the seed from him.

Extremely naive and hard to imagine for anyone with at least a little common sense in their head. That user never realized that Ledger doesn't have phone customer support, and that seed is something not shared with strangers. If they had asked him to send them his bank card with a PIN, maybe some jewelry and cash - all of course nicely packaged and with express mail, they might have profited even more

[LoyceV]

So an unknown guy called him, told him he is a Ledger operator, and got probably the seed from him.
He lost $27k but this was totally his fault.

It sounds like they only got his phone number from the Ledger hack. Other than that, it's a "standard" phone scam where the victim gives away access to his money.
Ledger just made it a lot easier by providing a list of Bitcoin users. For "standard" bank phishing calls (or fake tech support calls), most phone numbers can be a potential victim as most people have a bank account or a Windows computer. For crypto that percentage is a lot lower, and multiplied with the percentage of gullible people odds are even worse for the scammer. I can imagine a 1 in 100,000 successful phishing phone call isn't worth the effort, but if Ledger's data breach turned it into 1 in 100(0), it becomes (very) profitable. I'm just speculating on the numbers here of course.

[Daltonik]

A class action lawsuit has been filed against crypto wallet firm Ledger, Shopify for a 2020 customer data breach as reported by the Block   https://www.theblockcrypto.com/post/100860/ledger-shopify-class-action-lawsuit-filed  

According to lawyers, Ledger, as part of its obligations to customers, should have made sure the Shopify service was safe. The companies will have to explain why they delayed in notifying users of the problem. The firm estimates the damages at more than $5 million

[LoyceV]

A class action lawsuit has been filed against crypto wallet firm Ledger, Shopify for a 2020 customer data breach as reported by the Block   https://www.theblockcrypto.com/post/100860/ledger-shopify-class-action-lawsuit-filed  

the complaint references only two Ledger users directly, who together lost 4.2 BTC, 11 ETH and 150,000 XLM to phishing attacks. At today's prices, those holdings add up to $340,000

This is a bit far-fetched in my opinion. The only way for phishing to work, is if the user did something very dumb. A targeted $5 wrench attack would make it easier to blame Ledger.

The firm estimates the damages at more than $5 million

That's less than $20 per user who's data they leaked. Enough to buy their own wrench to defend themselves?

[hilariousetc]

A class action lawsuit has been filed against crypto wallet firm Ledger, Shopify for a 2020 customer data breach as reported by the Block   https://www.theblockcrypto.com/post/100860/ledger-shopify-class-action-lawsuit-filed  

According to lawyers, Ledger, as part of its obligations to customers, should have made sure the Shopify service was safe. The companies will have to explain why they delayed in notifying users of the problem. The firm estimates the damages at more than $5 million

I was wondering if anyone was going to start a lawsuit over this. Not sure how successful it will be and it's obviously mostly shopify's fault than ledger's but maybe it'll set a new precedent if it is successful, but one thing I do hope is that it calls for better storage of customers data. If they can't keep this safe then there should be consequences. I already hate giving out scans of stuff signing up to exchanges especially when I know it can end up leaked on the web and can lead to doxing of users here. If these companies cant be trusted to keep things watertight then they should probably lose their licence or companies should withdraw from using them.  I tried signing up to a crypto platform recently and not only did they want scans of my stuff but a selfie with my ID. Fuck that. They don't even ask for that when you open up a bank account here or on some other investment platforms I've used so no idea why this is necessary and I don't fancy a picture of me with my ID potentially floating around the darknet. The irony is once this sort of info gets leaked it can and will likely be used for malicious stuff so it kinda becomes pointless especially when people start committing crimes in your name with your ID and docs. I wonder how they even store this stuff. Once received do they mark or brand it somehow so nobody else could use it if it ever was leaked somehow? It needs to be better encrypted at least. Once it's verified nobody should be able to see it other than maybe law enforcement if they have a warrant. I saw that facebook had a huge breach leaked onto the clearnet recently including Zuckerbergs personal phone number. If companies can't be guaranteed to store this stuff safely then they shouldn't be allowed to hold it in the first place.

[LeGaulois]

Boeing 737 Max crashed several times due to malfunction. Who is to blame? The manufacturer Boeing, or the airlines that used this kind of aircraft.

The company Ledger followed in a timely manner the law regarding a data breach within RGPD. They are in the rules.
Funny to see how people are upset and now pay lawyers, knowing they did nothing when they had the opportunity to ask to Ledger to delete personal information obtained about them.

But now they all are shouting 

[stompix]

Forget about wrench, i doubt $20 is enough to change phone number (on some parts of the world) and email address (if you use paid ones).
And talking about physical threat, let's hope the theft doesn't use gun or other more dangerous weapon

A phone number change is actually free of charge with my carrier, but the troubles of notifying all your contacts, if you used that phone for business changing it will result in far more material damages, same for the email, but at least that is something I'm not concerned of, I've received some phishing emails but things have come to a stop.
The home address is the troublesome part, you never know what stupid ideas might run through some desperate people's brains especially in these times when a lot don't have money and all over the news they keep pushing the narrative on how a few BTC can set you for life.

I tried signing up to a crypto platform recently and not only did they want scans of my stuff but a selfie with my ID. Fuck that. They don't even ask for that when you open up a bank account here or on some other investment platforms I've used so no idea why this is necessary and I don't fancy a picture of me with my ID potentially floating around the darknet.

I think this has got out of hand with this whole verification stuff, I've too opened betting accounts and they never asked for a copy of my id, I've been with Betfair for 7 years and all they've asked was a bank statement when I chose to withdraw money via bank and no to the card with which I deposited. That's was all, and now some shitty exchange wants a picture of my id, a selfie with the id and the new step is to activate your camera and do a video of yourself, looking right and looking left and ...clicking the x button and saying fy and your platform!!

And the most annoying fact is that they don't even care how real those documents are, nobody actually checks them, and even if they would want to most of them have no real legal way of doing so.

[dkbit98]

Better start preparing your backup phrases to be imported in some hardware wallet from other manufacturers guys,
and make room in your boxes with junk hardware devices and old mp3 players, because if ledger loses this lawsuit it is going to be Au revoir for them.
That is what you get when you don't respect privacy and when you have bad communication with your customers related with multiple leaks, but that is not all
and I am hearing some rumors that new lawsuits may be coming soon from Europe so stay tuned and follow the news.

Look at the bright side of things, we can still use ledger as two factor authentication device with Fido U2F.

[LoyceV]

Look at the bright side of things, we can still use ledger as two factor authentication device with Fido U2F.

You don't need "Ledger the company" to use their hardware (for instance in combination with Electrum).

[dkbit98]

You don't need "Ledger the company" to use their hardware (for instance in combination with Electrum).

But you do need them to update and fix bugs in their closed source software, and I think you know what happened with ledgerHW1 and ledger blue

[malevolent]

Funny to see how people are upset and now pay lawyers, knowing they did nothing when they had the opportunity to ask to Ledger to delete personal information obtained about them.

Ledger was the one asking for and needlessly storing/transmitting peoples' info, so it was on them to keep it secure if they didn't want to delete it.