Hope people that give out personal address safe? Ledger wallet users' attacks

[mk4]

I don't know about others but to me, this is way too much information for a third party site. You don't give off all this much private details just to a third party site just to ensure to protect your privacy. Compliance with these needed information had very much made your data go public already. You don't know the person at the other end and in cases as these. In issues of privacy data, the less known to the third party, the more safe you are.

Ledger really need to look into there terms of service because it's really compromising a lot. Having a users private details like home address could lead to blackmailing and other crimes especially with the fact that, a user's wallet address could be scanned to know its content. It's not a fair way to operate.

You do realize that they really need to have your personal information(including your home address) for them to be able to ship out the purchased products to you, right?

[1715637168]

1715637168

[1715637168]

1715637168

[1715637168]

1715637168

[1715637168]

1715637168

[1715637168]

1715637168

[20kevin20]

The question is should we follow the security tips from the Ledger company that allowed such a data leak? It seems to me they have no idea how to hide something sensitive and important. The leak of that data may result not only in a loss of funds but also in a loss of someone's lives, which is obviously more important than bitcoins stored on Ledger hardware wallets.

The leak doesn't have anything to do with additional security features their products have. If you're paranoid about their temporary PINs, then there are so many other things you should worry about as well - ending up not owning any hardware at all. They might've had shitty database protection, but their products have been long tested. Still unsure what their Secure Element does though - that is a big question mark for me as well, and it makes me kinda paranoid about its existence.

In my opinion, plausible deniability in such a case won't help since attackers are usually well aware of any tricks that one may come up with a Ledger hardware wallet. You don't think they'll leave you alone after taking your $100, do you? Personally, I doubt it.

Well, if that's the case then they may also not leave you alone even after giving the temporary password. Luck matters here too. If they're ready to take everything from you and leave you without life afterwards, then no matter what you do you'll still have to face death.

It is better to get rid of your Ledger altogether and try to persuade attackers you had sold all stupid bitcoins and stupid hardware wallets because it was dangerous to deal with those after a leak happened. Otherwise, once you show you still have it, you are most likely done.

Quite sure negotiation isn't an option when an attacker is inside your home. You either show it or you don't, they don't have time for stories.

And sure, there's a decent chance that the thief might know about the temporary PIN trick, but it's at least worth trying to pull it off.

Then one could set up multiple temporary PINs - one for cases such as hostage and torture, one for the actual portfolio you own. If someone ever attacks you, show them the main password. If they keep insisting to give away a temporary password as well, give them the one ready specifically for this purpose.

[jseverson]

I'm not sure if this has been posted elsewhere on Bitcointalk, but I came across this on reddit:

https://www.reddit.com/r/ledgerwalletleak/comments/ki1nsz/received_phone_call_threatening_kidnapping_and/

Basically a leak victim being threatened with violence. Yikes. If you personally had your info leaked, you may want to drop by there; they seem to trying to organize a class action lawsuit.

[1miau]

One more reason to avoid 3rd parties at any cost. It's completely sick to see how Ledger handled this. Collecting so much data and storing it instead of deleting it immediately (which would be risk enough) they are storing it insecurely. Insane.
I would imagine that they know, as leading hardware wallet manufacturer, that they are increasily targeted by hackers, especially when Bitcoin gets more famous.

So now, we have local criminals using stolen addresses of crypto owners, criminals who know exactly that these people are likely holding crypto and where they live. Good riddance.


https://xkcd.com/538/

Luckily I haven't bought one and I will more than ever avoid to buy one and sending them my personal data. Their devices are a good solution, yes, but I see too many downsides compared to using my personaly paper wallets.
And some sort of downplaying the issue by trying to cover it up is even more insane. Maybe they didn't know how many users were hacked, it's really hard to tell...

When you buy a hardware wallet via official Ledger website the following information is collected; it stored for a long time:

- Your name (first name, last name);
- Your e-mail address;
- Your postmail address;
- Your phone number;
- Your physical address and other contact details;
- Your credit card number;
- Your other payment information;
- When you contact customer support, they will record and store their correspondence with you;
- You also may be asked to perform a small KYC procedure when contact customer support;
- Your IP address;
- Your operating system;
- The type of device you use;
- Date and time you visit the website;
- Browsing Data (information about your visit including the URL clickstream to, through and from our website, products you viewed or searched for, download errors, length of visits to certain pages, page interaction)

Source: https://shop.ledger.com/pages/privacy-policy

That's insanely irresponsible...

[Charles-Tim]

The ledger data breach that led to 1,075,382 emails addresses of users that subscribed to Ledger newsletter being compromised, including 272,853 hardware wallet orders which led to email addresses, physical addresses and phone numbers being compromised also. There has being some ledger users commenting about physical attack that could result. According to today's news, this are recent things that have happened:

Normally, the phising attempts is clear in a way that phishing messages are sent to ledger wallet owners but recently this is possibly leading to sim swap attack and physical threat.

https://www.coindesk.com/ledger-leak-sim-swap-home-invasion-threats
As soon as he learned he was among the thousands of Ledger customers whose personal information had been published online Sunday, JimboChewdip, as he’s known on Twitter, acted fast. Not fast enough, however.

JCD, as we’ll call him, spent Monday morning changing his passwords, only to get a notification a new device had been added to one of his two-factor authentication (2FA) accounts. He then tried to log into his email. It was locked.

“Within minutes I started getting notifications about password changes on Coinbase, Binance, Dropbox,” he later told CoinDesk. “I tried to call T-Mobile over Wi-Fi but it wouldn’t work with the SIM disabled so I reached out to them on Twitter and got someone from Support to lock my account.”

“By the time I got into my Coinbase Pro account and checked the balance, there had been a sale of the coins I held to bitcoin and one withdrawal of the entirety of my account,” he said. “No response from Coinbase support.” Around $2,000 worth of cryptocurrency was gone.

While he can’t prove the SIM-swap attack executed against him was tied to the Ledger leak, “the timing is certainly suspicious,” he said.

https://www.coindesk.com/ledger-leak-sim-swap-home-invasion-threats
Even more ominously, some users have received physical threats. In one instance, a user allegedly received an email from someone trying to extort their cryptocurrency by saying they were “not afraid to invade their home.”

On Tuesday, Ledger, based in Paris, tweeted that “there has been a new wave of phishing attacks taking place since yesterday, threatening our users physically” and that victims should never pay the ransom.

[Darker45]

It looks like that I am of those compromised data that has been leaked online. Has anyone received a similar email from [1] https://haveibeenpwned.com/?. Though I am certain that nothing will happen on my bitcoin that is stored in their products, still, I am anxious about how can these physical attack be possible? Like seriously? That's a million number of email and other confidential personal information.

If you were one of those whose information was compromised in the "July website database breach," you would have received an official email coming from Ledger itself, noreply@ledger.com, informing you that "Your personal information has been exposed." I got mine a couple of days ago.

I don't think haveibeenpwned.com is officially tasked by Ledger to send information about the breach. If your account is somehow pawned as indicated in the notification, it may not refer to the Ledger breach.

[Maus0728]

If you were one of those whose information was compromised in the "July website database breach," you would have received an official email coming from Ledger itself, noreply@ledger.com, informing you that "Your personal information has been exposed." I got mine a couple of days ago.

I've scanned my inbox a few more times but I didn't receive any email from Ledger itself, only haveibeenpwned.com who notifies me about the current incident. Though it maybe comforting, still, we can't deny the fact the Ledger's database has been leaked  ..

I don't think haveibeenpwned.com is officially tasked by Ledger to send information about the breach. If your account is somehow pawned as indicated in the notification, it may not refer to the Ledger breach.

This their heading followed by numerous link that I also don't bother to click anyways. With the being said, I have learned an important lesson that these incident will happen regardless of how reputable the company is..