- Ledger has disclosed details of a huge data breach.
- The breach exposed 292,000 customers.
Parisian hardware wallet company Ledger has disclosed that personal details of a further 20,000 customers were exposed following a security breach of its databases, bringing the total affected to 292,000.
In a blog post today, Ledger also announced intentions to update its data privacy policies to minimize future harm and put out a bounty of 10 for anyone who can rumble the hacker.
The post disclosed the full extent and timeline of the data breach, which started as early as April 2020 and affected approximately 292,000 customers.
The breach, the company found out last month, was due to “rogue member(s)” of the support team of Shopify, the e-commerce company that handles Ledger’s sales.
Between April and June, 2020, those rogue agents used their API access to obtain transactional records of customers, including Ledger’s.
Ledger got wise to the breach when a researcher emailed it on July 14, 2020. It found that about one million email addresses were stolen, as well as about 10,000 records of personal information, which includes postal addresses, names and phone numbers.
But it wasn’t until December 2020 that Ledger understood more about the attack, which it discovered leaked information about 272,000 customers. Now, a month later, Shopify informed Ledger that details of a further 20,000 customers were leaked, bringing the total number to 292,000.
High Net Worth Individuals
Databases get leaked all the time, but particularly sensitive is the information about the addresses and contact details of people known to hold a lot of money.
Curious about the whereabouts of an obnoxious venture capitalist who tweets about their Bitcoin fortunes? Check the data dump.
Newly-minted decentralized finance projects that entrust just a few people to their funds in Ledger wallets? Yup, they’re in the dump.
Customers receiving phishing emails were concerned that they would become targets for things like home invasions.
Ledger CEO Pascal Gauthier told Decrypt last month: “Even though it’s a possibility and we don’t deny it’s a possibility, it’s not the highest possibility that this will happen. The database has been out since June and no-one has [ever] reported any attack of this sort.”
Next Steps For Ledger
Ledger said today that it is “deeply sorry that these incidents occurred and for any pain or stress they’ve caused our customers.”
Ledger said it is working with law enforcement and blockchain forensics firms to trace the hacker, and has created a bounty fund of 10 Bitcoins (roughly $350,000) “for information leading to successful arrest and prosecution.”
The company will also update its privacy policies. It aims to “completely delete” the personal data of customers and urge third-party providers to “to keep this data for as short a period of time as necessary.” Additionally, it will silo data it requires to keep for a long time.
“These attacks have only strengthened our resolve to build and release products that keep you and your crypto safe,” it said.