It used a change address with a weird derivation path, which would result in your coins being "lost" until you know which exact derivation path has been used. Afterwards the attacker would blackmail you with the information he has.
It was actually worse than that. If the attacker set the derivation path to null, then the Ledger would accept any address as the change address, whether it was part of an account from that wallet or not. The attacker could send all the change from that transaction to himself.
But, as I said above, this has been long patched and the software versions that OP is using are not susceptible to this vulnerability.
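To illustrate the two failure modes discussed above (a missing path and an unusual path), here is an added example, not part of the original posts and not Ledger's firmware code, of the kind of check a signer can apply before hiding an output as change. It assumes BIP44-style paths; the function names and the gap limit of 20 are assumptions.

```python
HARDENED = 0x80000000
GAP_LIMIT = 20  # assumption: BIP44's recommended address gap limit


def parse_path(text):
    """Turn "m/44'/0'/0'/1/5" into a list of BIP32 indexes; None or "" gives []."""
    if not text:
        return []
    head, *parts = text.split("/")
    if head != "m":
        raise ValueError("path must start with m")
    out = []
    for part in parts:
        hardened = part.endswith("'")
        index = int(part[:-1] if hardened else part)
        if not 0 <= index < HARDENED:
            raise ValueError("index out of range")
        out.append(index | HARDENED if hardened else index)
    return out


def check_change_path(change_path, input_paths, next_unused_index):
    """Return "ok" if the output may be hidden as change, else the reason it
    must be shown to the user like any other recipient."""
    path = parse_path(change_path)
    if not path:
        return "no derivation path: treat as external output"
    if len(path) != 5:
        return "unexpected path depth"
    if any(not (i & HARDENED) for i in path[:3]) or any(i & HARDENED for i in path[3:]):
        return "unexpected hardening"
    # The change must stay in the same purpose'/coin'/account' as every input.
    accounts = {tuple(parse_path(p)[:3]) for p in input_paths}
    if accounts != {tuple(path[:3])}:
        return "change is not in the account being spent"
    if path[3] != 1:
        return "not on the internal (change) chain"
    if path[4] > next_unused_index + GAP_LIMIT:
        return "index beyond gap limit: funds would be hard to find"
    return "ok"
```

Any result other than "ok" means the output is displayed on the device with its address and amount instead of being silently accepted as change.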