Bitcoin Forum
Topic: One more Ledger leak?
dkbit98 (OP)
January 13, 2021, 03:14:20 PM
 #1

New day and new email from ledger.

I am not sure if this is some new leak, but what more can we expect from flea market company like ledger...
This time it was 'rogue' Shopify customer support agents that stole customers name and surname, details of ordered products, phone number and postal address.

What is very concerning is the part when they say they will remove 24 words with some 'technical solution'.

Quote
Ledger Security Notice
Security Notice Dear client,

On December 23, 2020, Shopify, our e-commerce service provider, informed Ledger of an incident involving merchant data. Rogue agent(s) of their customer support team obtained Ledger customer transactional records in April and June 2020. This is related to the incident reported by Shopify in September 2020, which concerns more than 200 merchants, but until December 21, 2020, Shopify had not identified this affected Ledger as well.

We were able to examine the stolen data together with a third party forensic firm to identify the impacted customers.

We regret to inform you that you are part of the customers whose detailed personal information was stolen by Shopify rogue agent(s). Specifically, your name and surname, detail of product(s) ordered, phone number and your postal address were exposed.

We notified the French Data Protection Authority on December 26, 2020. We are continuing to work with Shopify and law enforcement on the case; an investigation is already underway, led by the FBI and the RCMP. Ledger also reported the events to the French Public Prosecutor and filed a complaint against the rogue agent(s).

Thefts and attacks such as this cannot go uninvestigated or unprosecuted. We continue to work with law enforcement as well as private investigators on these cases, and we are adding more firepower by hiring additional private investigation capacity, adding experience and approaches to finding those responsible for these data thefts.

FINALLY, keeping you secure is our reason for existing. We will soon release a technical solution that will remove the 24 words as the single pillar of the security of our hardware wallets and will open the door to funds insurance.

If you would like more detail on the many steps we are taking to prevent such incidents in the future, please read this blog post.

Sincerely, Pascal Gauthier Ledger CEO
https://www.reddit.com/r/ledgerwallet/comments/kwhyky/ledger_security_notice/


Update from ledger:
https://www.ledger.com/blog/update-efforts-to-protect-your-data-and-prosecute-the-scammers




o_e_l_e_o
January 13, 2021, 04:19:43 PM
 #2

Does it even matter if your details have been leaked when Ledger have already leaked them? (/s)

It looks like this was an expansion of the Shopify leak that was initially revealed back in July last year, just like their own leak which turned from "9,500" users to over a quarter of a million. At this point, if you have ever bought anything from Ledger.com, you might as well consider your details compromised and take appropriate action. It's the only way to be sure of your safety, since Ledger's security apparently has more holes in it than Swiss cheese.

I'm very curious as to see what this "technical solution" is going to be. Sounds like they are adding some sort of 2FA, but if they are promising insurance then the only way they can do that is if they have some control over your funds as well. I'm also very curious as to how many users are going to trust Ledger to have some control over their funds when they have repeatedly proven themselves incapable of even keeping a simple database secure.
The Sceptical Chymist
January 13, 2021, 04:23:32 PM
 #3

Quote
I'm also very curious as to how many users are going to trust Ledger to have some control over their funds when they have repeatedly proven themselves incapable of even keeping a simple database secure.

And I'm going to ask a simple question here, because I haven't read all the posts in the few threads about the Ledger leak:  is it safe to keep using my Nano X to store crypto on?  Right now I've got some altcoins on it that otherwise don't have a home.  I'd appreciate it if someone a lot smarter than me could advise me on that single question.

Thanks in advance.

Edit:
Quote
Ledger should not store any information about the individual wallets that would otherwise compromise your security. Hardware wallets should not record these kinds of information anyways.

I get that, which is why I like hardware wallets, but there seemed to be a vibe of doubt that Ledger perhaps wasn't storing data like private keys and such.  Is that an actual concern for anyone or am I just being paranoid?

suchmoon
January 13, 2021, 04:28:59 PM
Merited by dbshck (1)
 #4

SPF: FAIL with IP 2600:1901:101:0:0:0:0:11
DKIM: 'FAIL' with domain ledger.com

For all we know this e-mail is as fake as all the other "Ledger" e-mails but on the other hand it makes zero difference to how much fucked we are. Dear client LOL
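
The SPF and DKIM verdicts quoted in the post above are what a receiving mail server records in the Authentication-Results header. The following is an added example, not part of the original post, that reads those verdicts and checks whether they tie the message to its From domain. The server name `mx.example.net`, the sample message and all function names are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the authserv-id that your own receiving mail server stamps on mail.
TRUSTED_AUTHSERV = "mx.example.net"

# Constructed sample message (not the real e-mail discussed in the thread).
SAMPLE = """\
Authentication-Results: mx.example.net;
 spf=fail (sender IP is 2001:db8::11) smtp.mailfrom=ledger.com;
 dkim=fail (signature did not verify) header.d=ledger.com
Authentication-Results: relay.invalid; spf=pass smtp.mailfrom=ledger.com
From: Ledger <noreply@ledger.com>
Subject: Security Notice

Dear client,
"""

COMMENT = re.compile(r"\([^()]*\)")
METHOD = re.compile(r"\b(spf|dkim|dmarc)\s*=\s*([a-z]+)", re.I)
PROP = re.compile(r"\b((?:smtp|header)\.[\w-]+)\s*=\s*([^\s;]+)")


def auth_results(msg, trusted=TRUSTED_AUTHSERV):
    """Return {method: (result, properties)} taken from trusted headers only."""
    found = {}
    for value in msg.get_all("Authentication-Results", []):
        value = COMMENT.sub(" ", value)  # drop "(...)" comments
        authserv, _, rest = value.partition(";")
        # Any sender can add its own Authentication-Results header, so only
        # headers stamped by our own server are counted.
        if authserv.lower().split()[:1] != [trusted.lower()]:
            continue
        for clause in rest.split(";"):
            m = METHOD.search(clause)
            if m:
                found[m.group(1).lower()] = (m.group(2).lower(),
                                             dict(PROP.findall(clause)))
    return found


def aligned(identity, from_domain):
    """Simplified relaxed alignment: the same domain or a subdomain of it."""
    domain = identity.rpartition("@")[2].lower()
    return bool(domain) and (domain == from_domain
                             or domain.endswith("." + from_domain))


def assess(raw):
    """Summarise whether SPF or DKIM vouches for the visible From domain."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    res = auth_results(msg)
    spf, spf_p = res.get("spf", ("none", {}))
    dkim, dkim_p = res.get("dkim", ("none", {}))
    spf_ok = spf == "pass" and aligned(spf_p.get("smtp.mailfrom", ""), from_domain)
    dkim_ok = dkim == "pass" and aligned(dkim_p.get("header.d", ""), from_domain)
    return {"from_domain": from_domain, "spf": spf, "dkim": dkim,
            "authenticated": spf_ok or dkim_ok}


if __name__ == "__main__":
    print(assess(SAMPLE))
```

A result of `authenticated: False` means the message could not be tied to the From domain; it does not by itself say who sent it.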
ranochigo
January 13, 2021, 04:30:23 PM
Merited by The Sceptical Chymist (2)
 #5

Quote
And I'm going to ask a simple question here, because I haven't read all the posts in the few threads about the Ledger leak:  is it safe to keep using my Nano X to store crypto on?  Right now I've got some altcoins on it that otherwise don't have a home.  I'd appreciate it if someone a lot smarter than me could advise me on that single question.

Thanks in advance.

The leaks don't affect the security of your Ledger. Ledger should not store any information about the individual wallets that would otherwise compromise your security. Hardware wallets should not record these kinds of information anyways. The leak in question specifically impacted the privacy of the customers through the reveal of personal information.

suchmoon
January 13, 2021, 04:40:11 PM
 #6

Quote
I get that, which is why I like hardware wallets, but there seemed to be a vibe of doubt that Ledger perhaps wasn't storing data like private keys and such.  Is that an actual concern for anyone or am I just being paranoid?

No one really knows at this point. Considering how many times they lied (or if you want to be generous - displayed abject incompetence) about the hack I wouldn't put it past them to have some sort of feature or bug in their software that sends more information to their servers than it should.

Having said that, this would be extremely unlikely to happen with the private keys or the seed as those bits never leave the device. Well, in theory anyway.
o_e_l_e_o
January 13, 2021, 04:47:41 PM
 #7

Quote
is it safe to keep using my Nano X to store crypto on?

As above, it is almost certainly perfectly safe.

If this was bitcoin only and you wanted to be really paranoid, you could create your own entropy using coin flips, convert it to a seed phrase, wipe your hardware device, set it up as a new device using an airgapped computer, recover from your manually created seed phrase, use an open source tool to confirm the addresses generated are indeed derived from your manually created seed phrase, and send your bitcoin to your now airgapped hardware wallet. However, I have no idea if this is even possible with most altcoins since they don't have their own standalone wallet, or if Ledger Live would even support moving unsigned/signed transactions back and forth between devices.

Quote
For all we know this e-mail is as fake as all the other "Ledger" e-mails but on the other hand it makes zero difference to how much fucked we are.

Seems to have been confirmed by Ledger co-founder in this Reddit post: https://www.reddit.com/r/ledgerwallet/comments/kwhyky/ledger_security_notice/gj4dcal/
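
The first two steps of the procedure described in the post above (coin flips to entropy, entropy to seed phrase), as an added example that is not part of the original post. It follows the BIP39 encoding; treating heads as 1 and tails as 0 is an assumption, the function names are illustrative, and the output is 0-based word numbers because the 2048-word BIP39 English list is not embedded here.

```python
import hashlib

VALID_ENT_BITS = (128, 160, 192, 224, 256)  # entropy sizes BIP39 allows


def flips_to_entropy(flips):
    """Turn a string of coin flips (H/T, whitespace ignored) into bytes."""
    flips = "".join(flips.split()).upper()
    if set(flips) - {"H", "T"}:
        raise ValueError("only H and T are allowed")
    if len(flips) not in VALID_ENT_BITS:
        raise ValueError("need 128, 160, 192, 224 or 256 flips")
    bits = flips.replace("H", "1").replace("T", "0")  # assumption: H=1, T=0
    return int(bits, 2).to_bytes(len(bits) // 8, "big")


def entropy_to_indices(entropy):
    """BIP39: append ENT/32 checksum bits, then cut into 11-bit word numbers."""
    ent_bits = len(entropy) * 8
    if ent_bits not in VALID_ENT_BITS:
        raise ValueError("unsupported entropy length")
    cs_bits = ent_bits // 32
    # The checksum is the first cs_bits bits of SHA-256(entropy).
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    total = (int.from_bytes(entropy, "big") << cs_bits) | checksum
    n_words = (ent_bits + cs_bits) // 11
    return [(total >> (11 * (n_words - 1 - i))) & 0x7FF for i in range(n_words)]


def valid_checksum(indices):
    """Check that a list of word numbers carries a correct BIP39 checksum."""
    n = len(indices)
    if n not in (12, 15, 18, 21, 24):
        return False
    if any(not 0 <= i < 2048 for i in indices):
        return False
    total = 0
    for i in indices:
        total = (total << 11) | i
    cs_bits = n * 11 // 33
    entropy = (total >> cs_bits).to_bytes((n * 11 - cs_bits) // 8, "big")
    return entropy_to_indices(entropy) == list(indices)


def to_words(indices, wordlist):
    """Map word numbers to words; wordlist is the 2048-entry BIP39 list,
    supplied by the caller from a copy they have verified themselves."""
    if len(wordlist) != 2048:
        raise ValueError("wordlist must contain exactly 2048 words")
    return [wordlist[i] for i in indices]


def mnemonic_indices(flips):
    return entropy_to_indices(flips_to_entropy(flips))


if __name__ == "__main__":
    # Constructed, obviously non-random flips: never use a pattern like this
    # for a real wallet.
    print(mnemonic_indices("HT" * 128))
```

The last word is not freely chosen: part of it is the checksum, which is why 256 flips give 24 words and why a phrase assembled by picking 24 words by hand is normally rejected.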
dkbit98 (OP)
January 14, 2021, 01:02:19 PM
 #8

Quote
The leaks don't affect the security of your Ledger. Ledger should not store any information about the individual wallets that would otherwise compromise your security. Hardware wallets should not record these kinds of information anyways. The leak in question specifically impacted the privacy of the customers through the reveal of personal information.

It does affect security of you and your ledger because scammers know all your information, name, address and phone number, and ledger should be blamed for poor security.
I don't know how else to say than - affected security.
Same thing could potentially happen with their 'secure element' leak or something else, because they hired bunch of amateurs and shitty partners.

ranochigo
January 14, 2021, 01:17:55 PM
 #9

Quote
It does affect security of you and your ledger because scammers know all your information, name, address and phone number, and ledger should be blamed for poor security.
I don't know how else to say than - affected security.
Same thing could potentially happen with their 'secure element' leak or something else, because they hired bunch of amateurs and shitty partners.

The leak affected the privacy of their user. It does not directly affect the security of their devices. The post I replied to was to ask if it's secure to continue storing the funds within Ledger.

I won't discuss how they operate as a company because that wouldn't be related to their data leak. Objectively speaking, yes. The loss of privacy could to some extent lead to them being more vulnerable to spear phishing, targeted attack and stuff like that. But how would it affect the security of their devices? Can you obtain the private keys and/or the seeds from the devices with that information alone? If you could, that would be in conjunction with some forms of social engineering attack and/or $5 wrench attack (though I heavily dispute that but I don't live in the same region as most of these users).

dkbit98 (OP)
January 14, 2021, 01:25:47 PM
 #10

Quote
But how would it affect the security of their devices?

All you need is to know exact location and place where owner of that device is living to affect security of their device.

And as I said before, who can guarantee that closed source secure element holding that private keys would not leak some data, when we know what ledger amateurs are dealing with all this.

And what exactly does it mean when they say they will remove 24 words with some 'technical solution'?



NeuroticFish
January 14, 2021, 01:31:44 PM
 #11

Quote
New day and new email from ledger.

I think that all the e-mails from Ledger, legit or not, are going to my spam folder.
This approach allows me to have less concerns about that issue.
Since I use that mail address for many other things I cannot discontinue it, but marking all this crap as spam was the least I can do.

I wouldn't care to read their legit mails either, so it's not a big loss...


Quote
And what exactly does it mean when they say they will remove 24 words with some 'technical solution'?

It's "remove the 24 words as the single pillar of the security". But I don't know what they really mean, maybe add custom words, maybe encrypt, ... my guess is that they'll add more "pillars"  Grin
However, was this mail actually legit or not?!

Pmalek
January 14, 2021, 05:28:11 PM
 #12

The Shopify leak involved 200 different merchants. It seems that only Ledger was affected from the crypto niche. There is no public list of other businesses. 

I am beginning to doubt that financial information, aka credit card/banking info is still safe. Hopefully this leak won't spill over to people getting charged on their credit cards or having their PayPal accounts emptied. For now that doesn't seem to be the case.

However, there are stories like these in connection to the Shopify leak:

Quote
Hello,

I just received and email from Thrive cosmetics about the data breach and it makes sense now I know how my card number was stolen and used to charge up almost $5000 on it a few days ago! People keep an eye on your banking information it happens fast I am thankful to have a good bank who caught it early.
https://community.shopify.com/c/Shopify-Discussion/Incident-Update/td-p/888971/page/2

Quote
I just had 2 cancel my credit card. I was one of those customers. Received an email from the online store and had 2 fraudulent charges on my credit card.

I am really concern about identity theft. Who should I contact about that?
https://community.shopify.com/c/Shopify-Discussion/Incident-Update/td-p/888971/page/3

Although there are claims of credit cards being charged, Shopify replied that making charges with cards isn't possible:

Quote
The Orders API does not have the capability to perform credit card charges.
https://community.shopify.com/c/Shopify-Discussion/Incident-Update/td-p/888971/page/4

HCP
January 16, 2021, 02:53:02 AM
 #13

Quote
And what exactly does it mean when they say they will remove 24 words with some 'technical solution'?

They're not removing the 24 words... they're removing the 24 words as "the single pillar of the security of our hardware wallets".

Essentially, it sounds like they're trying to (or have already) come up with some fancy way of protecting your wallet (and/or backups/seeds) that doesn't just rely on a user writing down 24 words etc. It's difficult to say what they're thinking... possibly something similar to the "blind oracle" thing that Blockstream are using for their "Jade" wallet that requires some form of external confirmation? Huh

Also, quite what they mean by "and will open the door to funds insurance for individual customers" is anyone's guess. Sounds like a way to generate ongoing revenue by "selling" insurance to users Roll Eyes

Based on the quality of Ledger Live... I'm not going to hold my breath that their "technical solution" is actually a solution to any problem that I currently have... or that it even works. Roll Eyes

o_e_l_e_o
January 16, 2021, 08:55:37 AM
 #14

Quote
but now theft also knows the type of Ledger you own and how much you own

You mean how many Ledger devices you own, right? Not how much crypto you own. There is no way a thief could ascertain the latter simply from a retail database hack.

Quote
And as I said before, who can guarantee that closed source secure element holding that private keys would not leak some data, when we know what ledger amateurs are dealing with all this.

True, but we cannot guarantee that any piece of software or hardware is completely secure. Even something like Bitcoin Core, which has thousands of sets of eyes looking at it constantly, occasionally throws up some critical vulnerability which needs rapidly patched.

Quote
I'm not going to hold my breath that their "technical solution" is actually a solution to any problem that I currently have... or that it even works. Roll Eyes

Agreed. I suspect that the majority of users will fall in to one of two groups with any such proposed solution:
1) Know what they are doing and therefore have no requirement to use whatever 2FA or additional protection this system will provide
2) Use this new system without really understanding it, and then flood this forum and Reddit with complaints when they are unable to recover their coins because they have lost their 2FA or whatever it is

Far better to just teach people how to properly use the industry standard than to confuse things by adding in your own unnecessary system on top.
o_e_l_e_o
January 16, 2021, 09:39:49 AM
 #15

Quote
I only can expect 2FA or 13th/25th words, since it's not difficult to implement to existing HW wallet.

A 13th/25th word doesn't make sense though, since Ledger devices already support passphrases. Just navigate to Settings -> Security -> Passphrase, and you can either set a temporary one which will be forgotten as soon as you unplug your Ledger, or you can set a permanent one and attach it to a second PIN. Details here: https://support.ledger.com/hc/en-us/articles/115005214529-Advanced-passphrase-security

I'm expecting either a "traditional" 2FA (which you can achieve with a Ledger device already by using Electrum if you are so inclined), or some other form of multi-sig set up where they hold one of your keys. The problem with any multi-sig set up is that it involves placing trust in Ledger to both store your key(s) securely and never have their servers go down or go out of business.
dkbit98 (OP)
January 16, 2021, 11:04:50 AM
 #16

I really doubt ledger will create any good solution after all this mess and they will probably just add one more confusion layer on top, but lets wait and see, I enjoy to watch all this circus 🤡

Thanks to the recent leak, people are now starting to receive more and more voice call threats or unknown people are offering their "security services" to help them secure Ledger in well known mafia style, like we see with tech support scams.

Here is what Andreas Antonopoulos says about this issue, and he pointed out that simply changing your phone number can be a double-edged sword as scammers can still hijack and use your old number:
https://twitter.com/aantonop/status/1350062483692687362

NeuroticFish
January 16, 2021, 11:13:06 AM
 #17

Quote
I really doubt ledger will create any good solution after all this mess and they will probably just add one more confusion layer on top

I agree with this. Somehow this is way beyond they could manage and they go from bad to worse.
I don't know what advisors they have, if any, but the decisions they make don't help. As you said, they just confuse their customers even more.
Even myself, I thought at first that this later mail is from malicious third party. But no, they seem to be doing this by themselves... So sad...

Coin-Keeper
January 16, 2021, 09:01:03 PM
 #18

What a fiasco!  Confirms my HATE for closed source.  My .02

HCP
January 16, 2021, 09:11:58 PM
 #19

Quote
What a fiasco!  Confirms my HATE for closed source.  My .02

How is this in any way related to open source/closed source? Huh

The initial hack occurred because of a misconfigured 3rd Party API key... and the Shopify leak was because of an "evil maid"... neither of those things would have been prevented by Ledger having open source products. Huh

dkbit98 (OP)
January 25, 2021, 10:26:07 AM
 #20

Now they found that 750k emails from 1 million leaked emails from ledger, are also found in other breaches as reported on haveibeenpwned.com website!
They can all be matched with 730k real names, 625k phone numbers, 541k real addresses, 482k IP addresses, 20k wallet balances of BTCE, 10k passport numbers... and what is interesting for us is 10k Bitcointalk forum usernames and website activity.

I think one solution for avoiding something like this happening in future is using multiple email address with different aliases, especially when you are ordering anything from internet.


https://twitter.com/yeolddoc/status/1353139243548364805

 

