We could be wrong thinking there were 2 different leaks. Both Ledger and Shopify mention that data was stolen using an API key.
I think this is the timeline of the entire incident:
1. April - June: Members of Shopify's support team steal data of over 200 merchants.
2. July 14: Someone informs Ledger Donjon security team that they have suffered a breach.
3. Ledger claims they "immediately fixed the data breach". I am not sure what this means and what was fixed.
4. After that, they conducted an investigation and discovered that the breach happened through an API key.
5. July 29: Ledger informs the community of the breach and sends a report to law enforcement.
6. September: Shopify releases a statement that mentions that data of over 200 merchants was stolen.
7. December: Shopify informs Ledger that among the records that were stolen by their employees, there were also private records of Ledger users.
If this is the correct timeline, how did the person who informed Ledger in the bug bounty know about the breach? I remember reading that no data was public at that time (again allegedly). Did the person inspect the faulty API key?
Ledger says:
We immediately fixed the data breach and launched internal investigations. We discovered a malicious attacker had gained unauthorized access to our e-commerce and marketing database via a third party’s API key.
https://www.ledger.com/blog/update-efforts-to-protect-your-data-and-prosecute-the-scammers
These sentences make it sound like Ledger fixed the breach first, then they launched an investigation. It was during the investigation that they discovered the API key. Again, how did they fix the breach before the investigation if the investigation led to the discovery of the API key?