mk4
Legendary
Offline
Activity: 2926
Merit: 3881
📟 t3rminal.xyz
December 23, 2020, 03:56:25 AM
I fully understand that Ledger was most attractive to scammers as they are market leaders, but still they should focus more on safety, and maybe not keep a customer database if it's not required by some law. Why not just keep the email and that's it? Considering what they are selling, they should be fully aware of the repercussions if something goes wrong, like happened now.
It sure is required by law for them to store users' data for some time. Not only by law, but also for stuff like customer service. Well, this is not going to happen to Trezor wallet in exactly that way, because SatoshiLabs has a much better policy regarding keeping customer data; I think they delete everything after some time, and you can ask them to delete everything at any time. I don't support Trezor in any way, just stating the facts, and Trezor has its own problems too.
They still store people's data for 3 months. That fact doesn't make them invulnerable to breaches; it's just that the potential repercussions of a breach would mostly be less drastic, but it would still end up being a disaster. If I read their statement in the email correctly, the data was leaked due to a fault in their e-commerce API. Let's not imply, therefore, that this can happen to anyone. This is nothing but Ledger's negligence.
...and that's just one of many ways a database can be breached. It's no doubt Ledger's fault, but such breaches can definitely happen to anyone; yes, even to the tech giants. Yes, even our beloved home, Bitcointalk, got hacked sometime in the past.
pakhitheboss
December 23, 2020, 05:34:39 AM
Well, only the data was hacked and not the actual physical wallet. Therefore do not stop using this wallet, as it is still the best that we can have at that price.
What you guys can do is change your email address, or stop responding to those emails, and, if possible, the phone number. I do not know what those guys whose physical address has been compromised will do.
I am not promoting this product but I do not see any other product that matches its security.
xxjumperxx
Sr. Member
Offline
Activity: 574
Merit: 272
Buy Bitcoin!
December 23, 2020, 06:24:38 AM
Nope. Seriously done using the Ledger... I'm not going to support or recommend a company that preaches security but leaks customer private data via an API and is terrible at letting users know. They let us know that only a small portion was stolen, and now, after the fact, let us know: oops, it's a lot bigger portion.
Yeah, I'm done with them.
HCP
Legendary
Offline
Activity: 2086
Merit: 4361
<insert witty quote here>
December 23, 2020, 07:29:03 AM
They didn't leak data via a "publicly available API"... it was supposedly "a misconfigured, third-party API key" that allowed unauthorised access. How did this happen?
An attacker gained access to a portion of our e-commerce and marketing database through a third party’s API key, which allowed unauthorized access to our customers’ contact details and order data. .... Since when does this issue exist?
The third party API key misconfiguration at issue has been running since August 9th, 2018. Based on the evidence and log we have, we believe it was discovered and exploited from April 2020 to June 28th, 2020.
It's not like they just left the data sitting out in the open for anyone to access... Unfortunately, that doesn't change the fact that a lot of private data was stolen and has now been placed in the public domain. Really sucks for the 272,000 who have been affected by this... I don't see Ledger's reputation recovering for a long, long while.
witcher_sense
Legendary
Offline
Activity: 2450
Merit: 4415
🔐BitcoinMessage.Tools🔑
December 23, 2020, 07:56:55 AM Merited by vapourminer (1)
They obviously have the txids of all the payments they have received, as they know the private keys of all the addresses they have received payment to. I don't think it would be a major breach of trust for a company to keep track of how each of their customers paid. They obviously need to keep track of if each customer paid or not.
I thought you were talking about something else, namely surveillance through their Ledger Live app. Do you mean they have all the information about people who bought a hardware wallet and paid with bitcoin? Of course they have, and they record every transaction; each generated payment address is already associated with a particular person. All this is clearly stated in their Privacy Policy: they record almost everything about their customers. The bitcoin blockchain is transparent, and the possibility of customers' payment information leaking is high. That is why users should know beforehand what effective privacy techniques there are, and how to reveal as little information as possible about how much bitcoin they have.
Smartvirus
Legendary
Offline
Activity: 1610
Merit: 1151
Playbet.io - Crypto Casino and Sportsbook
December 23, 2020, 07:58:22 AM
What worries me is that the criminals have gotten the physical addresses. We can change our email address, but our physical home? Yes, most likely these "cyber" criminals won't target our home, but it is not far-fetched, and it could happen in the future.
So for Ledger users, we really need to be very, very careful here, just saying.
That's where the hit of the problem comes into play. Some have history with their home, and as such a possible relocation for reasons of safety is often off the menu. This is how tangled and compromising a situation Ledger has got a few users into, and with their terms of service, it's unlikely you can bypass filling in some necessary but compromising details and yet enjoy the full extent of a rather needed service. It becomes a problem, having your identity and address known, and with the fact that your wallet address could be scanned easily and your worth or income relatively determined, these escaped details become life-threatening ones. Issues with emails can be resolved, though not easily, but it's really disturbing when these security breaches happen. Ledger has to ensure extreme care in the people they work with as staff and tight security protocols on its systems.
decodx
December 23, 2020, 11:35:21 AM
They didn't leak data via a "publicly available API"... it was supposedly "a misconfigured, third-party API key" that allowed unauthorised access.
Potayto, potahto. What difference does it make? The fact remains, they shouldn't have allowed customer data to be made accessible through any API, either in-house or third-party. And as for their argument, please forgive me if I take it with a grain of salt. We all know what their first response to the incident was in July.
define930809238282
Newbie
Offline
Activity: 1
Merit: 0
December 23, 2020, 05:34:25 PM
they shouldn't have allowed customer data to be made accessible through any API, either in-house or third-party.
Not defending Ledger, but every business that asks for your information flows through an API. I'm a software engineer; an API to serve customer data is industry standard. But the industry standard is to secure your API. Ledger probably had poor security hygiene practices internally, which led to this.
HCP
Legendary
Offline
Activity: 2086
Merit: 4361
<insert witty quote here>
December 23, 2020, 08:01:31 PM
Not defending Ledger, but every business that asks for your information flows through an API. I'm a software engineer, an API to serve customer data is industry standard. But the industry standard is to secure your API. Ledger probably had poor security hygiene practices internally, which led to this.
As far as I can tell, they're claiming that it was a third-party service responsible for marketing, some outfit named "Iterable"...
Who is the third party solution? Why were they processing customers' data?
Ledger e-commerce and marketing teams use a third-party solution (Iterable) to send and analyze transactional and marketing emails to customers who have bought products on ledger.com or have signed up to receive our newsletters.
So, it would seem that Ledger did not have enough oversight on how their partners were setting up/connecting to their systems to retrieve customer data... and Iterable fucked up when configuring their API access. No doubt, the only winners in all of this will be lawyers while they argue about who is actually at fault while charging $$$/hr... and the scammers who manage to trap the unwary with their phishing emails/txts/phone calls...
Rabi3
December 23, 2020, 08:21:38 PM
That's some crazy news. All of them received emails saying that they're being watched and they should be scared for their lives, but it's just nonsense. I don't think people would go to someone's house to do God knows what just for an unknown amount of money. People need to ignore those threats; it's better than responding with something that may trigger them.
xxjumperxx
Sr. Member
Offline
Activity: 574
Merit: 272
Buy Bitcoin!
December 23, 2020, 09:25:08 PM
That's some crazy news. All of them received emails saying that they're being watched and they should be scared for their lives, but it's just nonsense. I don't think people would go to someone's house to do God knows what just for an unknown amount of money. People need to ignore those threats; it's better than responding with something that may trigger them.
It's easy to say as an outsider... Just imagine you own a house, live there with your wife and kids, and you receive threats against you and your family... Please tell me again to just ignore those threats and move along with life like nothing is going on. Easy to say...
idrisalomagold
December 23, 2020, 11:19:07 PM
That's some crazy news. All of them received emails saying that they're being watched and they should be scared for their lives, but it's just nonsense. I don't think people would go to someone's house to do God knows what just for an unknown amount of money. People need to ignore those threats; it's better than responding with something that may trigger them.
Most holders of bitcoin on a Ledger have a huge, unknown amount of BTC in their wallets. So, obviously, this threat should be taken seriously, not just making the outright conclusion that these people exposing the personal information of Ledger holders couldn't do the worst thing. Think again: everything can be done for money.
PrimeNumber7
Copper Member
Legendary
Offline
Activity: 1666
Merit: 1901
Amazon Prime Member #7
December 23, 2020, 11:53:34 PM
Look, I'm not trying to crucify anyone here, but if I buy something online and give my delivery address, I definitely don't expect the data to become accessible to the entire world through some publicly available API.
That is a very reasonable expectation, and I expect the same. My point is that if your information is leaked via the Ledger database hack, it will not be the end of the world. I don't think many people want to harm a person solely because they have a lot of money.
Are you serious? So it's perfectly normal for you to walk through a tough neighborhood at night with money sticking out of your pockets?
Walking through a tough neighborhood with money sticking out of your pockets would probably result in you getting robbed.
They didn't leak data via a "publicly available API"... it was supposedly "a misconfigured, third-party API key" that allowed unauthorised access. How did this happen?
An attacker gained access to a portion of our e-commerce and marketing database through a third party’s API key, which allowed unauthorized access to our customers’ contact details and order data. .... Since when does this issue exist?
The third party API key misconfiguration at issue has been running since August 9th, 2018. Based on the evidence and log we have, we believe it was discovered and exploited from April 2020 to June 28th, 2020.
It's not like they just left the data sitting out in the open for anyone to access... Unfortunately, that doesn't change the fact that a lot of private data was stolen and has now been placed in the public domain. Really sucks for the 272,000 who have been affected by this... I don't see Ledger's reputation recovering for a long, long while.
It sounds like they were using a 3rd party service to help them with sending marketing emails, and they gave the 3rd party service access to the database via an API key. This could have been that the API key was somehow leaked, or it could mean the 3rd party service had something misconfigured on their end that allowed their service to leak information it had access to.
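The posts above turn on a partner's API key that could read customers' contact details and order data, and on whether the key was leaked or simply over-broad. The thread does not describe the actual configuration behind the breach, so the following is an added example (not Ledger's, Iterable's or any poster's code) of the defensive pattern a practitioner would want in either case: a partner key scoped to only the fields that partner needs, with an expiry, plus an audit routine that flags keys that are over-broad, unrotated or expired-but-still-on-file. The customer records, scope names, owner names and dates other than the 9 August 2018 start date quoted in the post are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample records; not real customer data.
CUSTOMERS = [
    {"id": 1, "email": "ana@example.com", "first_name": "Ana",
     "postal_address": "1 Example Street, Exampletown", "phone": "+1-555-0100",
     "orders": [{"sku": "HW-1", "paid": True}]},
    {"id": 2, "email": "ben@example.com", "first_name": "Ben",
     "postal_address": "2 Sample Road, Sampleville", "phone": "+1-555-0101",
     "orders": [{"sku": "HW-2", "paid": True}]},
]

# Every exported field is gated by a named scope; "id" is always returned.
FIELD_SCOPES = {
    "email": "contact:email",
    "first_name": "contact:name",
    "postal_address": "contact:address",
    "phone": "contact:phone",
    "orders": "orders:read",
}

# What a transactional/marketing mailer actually needs: email and first name.
MAILER_REQUIRED = frozenset({"contact:email", "contact:name"})


@dataclass(frozen=True)
class ApiKey:
    owner: str          # which partner or team holds the key (hypothetical names)
    scopes: frozenset   # the scopes this key may read
    issued: date
    expires: date


class ScopeError(PermissionError):
    """Raised when an expired key is presented to the export endpoint."""


def customer_view(record, key, today):
    """Return only the fields the key's scopes allow, or refuse an expired key."""
    if today > key.expires:
        raise ScopeError(f"key for {key.owner} expired on {key.expires}")
    return {f: v for f, v in record.items()
            if f == "id" or FIELD_SCOPES[f] in key.scopes}


def export_customers(key, today):
    """The partner-facing export: the same data, reduced to what the key may see."""
    return [customer_view(r, key, today) for r in CUSTOMERS]


def audit_key(key, today, max_age_days=90):
    """Findings a key-inventory review should raise for a mailer key."""
    findings = []
    excess = key.scopes - MAILER_REQUIRED
    if key.owner == "mailer" and excess:
        findings.append(f"over-broad scopes: {sorted(excess)}")
    age = (today - key.issued).days
    if age > max_age_days:
        findings.append(f"not rotated for {age} days")
    if today > key.expires:
        findings.append("expired key still on file")
    return findings


SAMPLE_TODAY = date(2020, 6, 28)   # constructed review date

# Weak setting: a mailer key that can read every field, issued on the date the
# post quotes (9 August 2018) and effectively never expiring.
WEAK_KEY = ApiKey("mailer", frozenset(FIELD_SCOPES.values()),
                  date(2018, 8, 9), date(2099, 1, 1))
# Corrected setting: scoped to the mailer's needs and short-lived.
SCOPED_KEY = ApiKey("mailer", MAILER_REQUIRED, date(2020, 6, 1), date(2020, 8, 30))
# A key whose expiry passed but which was never removed from the inventory.
EXPIRED_KEY = ApiKey("mailer", MAILER_REQUIRED, date(2020, 1, 1), date(2020, 3, 1))

if __name__ == "__main__":
    for label, key in (("weak", WEAK_KEY), ("scoped", SCOPED_KEY)):
        print(label, "export:", export_customers(key, SAMPLE_TODAY))
        print(label, "audit:", audit_key(key, SAMPLE_TODAY))
    print("expired audit:", audit_key(EXPIRED_KEY, SAMPLE_TODAY))
```

Run as a script it prints the full records the over-broad key yields beside the reduced view the scoped key yields, and the audit findings for each. The point is blast radius: a key that can only read email and first name cannot expose postal addresses or phone numbers whether it is leaked or misused on the partner's side, which is exactly the distinction the post says cannot be settled from Ledger's statement.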
Kemarit
Legendary
Offline
Activity: 3262
Merit: 1386
December 24, 2020, 02:59:55 AM
they shouldn't have allowed customer data to be made accessible through any API, either in-house or third-party.
Not defending Ledger, but every business that asks for your information flows through an API. I'm a software engineer; an API to serve customer data is industry standard. But the industry standard is to secure your API. Ledger probably had poor security hygiene practices internally, which led to this.
If that is the case, then they shouldn't be in this business in the first place if they are supposedly promoting a wallet that is secure and yet, in their own backyard, they have poor security hygiene. This really stuck out in the last couple of months, and then the scammers released all the data to the public. Yes, it will not be the end of the world, you can change your email, but are we seriously going to patronize their product?
Krislaw
December 24, 2020, 08:44:34 AM
That's a lot of data leaked from Ledger's server. Users are going to receive a lot of spam emails like newsletters, phishing mails and a lot more. The best thing for them to do is change their email address right away, because their emails are going to be a target for hackers. Ledger should do a good job of securing people's data in the future.
xxjumperxx
Sr. Member
Offline
Activity: 574
Merit: 272
Buy Bitcoin!
December 24, 2020, 10:32:44 AM
That's a lot of data leaked from Ledger's server. Users are going to receive a lot of spam emails like newsletters, phishing mails and a lot more. The best thing for them to do is change their email address right away, because their emails are going to be a target for hackers. Ledger should do a good job of securing people's data in the future.
I just don't like the way the situation was handled... The sentence: we can't go back in time, it happened. Oops. Let's think into the future. Like, really, you leaked data, private data in an already sensitive field, and you don't seem to care that people are being threatened and harassed with data that you leaked! It makes me mad how it's all being handled!
DdmrDdmr
Legendary
Offline
Activity: 2492
Merit: 11049
There are lies, damned lies and statistics. MTwain
December 24, 2020, 11:07:33 AM Merited by vapourminer (1)
<…>
I'd also consider severely changing the mobile phone number, in order to reduce the SIM-swapping vector of attack. It's not pretty to do, especially the more tied your phone is to services and verification processes, but it's something to ponder heavily. In the process, I'd make sure the substitute phone number is completely new (and not some recycled number provided by the telephone network operator). You are probably going to need both numbers operative for a while to complete the process (verification SMS do get sent to both numbers with some entities). Pain in the ass, though, but a clean contact start every now and then is probably healthy.
HCP
Legendary
Offline
Activity: 2086
Merit: 4361
<insert witty quote here>
It makes me mad how it's all being handled!
So here is a question then... aside from being able to change history and/or inventing time travel to be able to prevent the leak from happening in the first place, what should Ledger have done differently after the leak was discovered? What should they be doing now that they aren't already? I suspect that there is (realistically) nothing they can do at this point that would make anyone happy... the data is out, you can't delete things from the internet.
erikoy
December 24, 2020, 10:09:57 PM
272,000 Ledger users. If you don't reply to any possible links or downloads sent to your email, then you can be safe. However, as the other reply above says, a home can be targeted by the criminals, so yes, it could possibly happen. However, the chances are low due to the fact that there are 272,000 Ledger users, and you have a 0.0000037 % chance that a cybercriminal will go to your house and rob you. So, don't get paranoid that bad things are going to happen. It will only stress you out, and that is not good for your health.
decodx
December 24, 2020, 10:44:32 PM
... you have 0.0000037 % chance that cybercriminal will go to your house and rob
How the hell did you come up with that number? And by the way, they are not cybercriminals if they come to your home to rob you.