Popular crypto hardware wallet maker Ledger has reported a data breach that exposed roughly 1 million customer email addresses and the detailed personal information of about 9,500 customers.
Our data show that 1M email addresses and 9500 detailed personal information leaked.
If you are concerned by the detailed personal information leak, you will receive a dedicated email today by 5pm CET. If your postal address or phone number is concerned, it will be specified.
— Ledger (@Ledger) July 29, 2020
Ledger’s competitor, Trezor, took the opportunity to advertise: “After 90 days, we get rid of all sensitive data about your order in our e-shop database (even e-mail addresses),” complete with a promo code, “DATAPRIVACY”, for a discount on its products. The code was limited to 9,500 users.
According to Ledger’s official report, the company learned of the vulnerability on July 14, when a researcher participating in its bug bounty program reported it. Ledger fixed the issue immediately and opened an internal investigation.
A week after patching the vulnerability, the company discovered that it had already been exploited on June 25 by an unauthorized third party. The attacker accessed Ledger’s e-commerce and marketing database using an API key, which has since been deactivated and can no longer be used.
The database, which was used to send order confirmations and promotional emails, contained mostly email addresses, along with contact and order details such as first and last name, postal address, and phone number.
Approximately 1 million email addresses were affected. For a subset of 9,500 customers, first and last name, postal address, phone number, or the products they ordered were also exposed.
If you’re buying HW wallets to your home address you’re insane.
— Mr.Hodl🌕🍿 (@MrHodl) July 29, 2020
Ledger assured customers that “your payment information and crypto funds are safe,” since the breach has no link to or impact on its hardware wallets, crypto assets, or Ledger Live security. The exposed contact details, however, can still be used to target affected customers with phishing.
The company has since informed all of its customers about the situation, and those whose detailed personal information was exposed have been sent dedicated emails.
Ledger has also notified the CNIL, the French Data Protection Authority, which oversees compliance with data privacy law in the collection, storage, and use of personal data.
Last week, Ledger partnered with Orange Cyberdefense to assess the situation, and it is actively monitoring for evidence of the database being sold online.
The company is now extending its security and organizational program, which initially focused on its products (the hardware wallets and Vault), to cover e-commerce as well. Further steps are being taken to meet the requirements of ISO 27001.