Cryptocurrency hardware wallet firm Ledger has revealed that its e-commerce database was hacked late last month, which led to over a million email addresses of customers being compromised.
Emails Compromised, No Funds Affected
Ledger, one of the leading digital currency hardware wallet manufacturers in the world, revealed on Wednesday that its e-commerce database was hacked towards the end of June. According to the French-based company, the hack resulted in a million email addresses being compromised. However, no user funds were affected by the hack.
In its blog post, the Bitcoin hardware wallet developer stated that contact and order details for customers were also exposed. Furthermore, Ledger added that their investigation led to them discovering that a subset of 9,500 customers also had their details exposed. Some of the details include their postal address, first and last name, and phone numbers. The breach targeted the company’s marketing and e-commerce database, and Ledger stated that it had patched the bug.
Ledger stated that “On July 14, 2020, a researcher participating in our bounty program made us aware of a potential data breach on the Ledger website. We immediately fixed this breach after receiving the researcher’s report and underwent an internal investigation.”
It was at this stage that Ledger was able to confirm that an unauthorized third party had hacked their data on June 25. The unauthorized third party had accessed their e-commerce and marketing database, used for sending order confirmations and promotional emails, using an API key. The accessed details were mostly email addresses but there was also a subset of data including contact and order details for customers such as their first and last name, postal address, email address, and phone number. Ledger, however, assured its customers that their cryptocurrency funds are safe on their wallets as the hacker did not breach past the contact and email details.
The French company added that the data breach does not have any link and that it had zero impact on their hardware wallets and Ledger Live Security. As such, their customer’s cryptocurrency assets are safe and were never in any danger. Ledger added that only customers have full control of their cryptocurrencies in their hardware wallets.
The company stated that they are regretful for the breach. Following the hack, Ledger filed a report with France’s Data Protection Authority, the CNIL, on July 17. They further partnered with Orange Cyberdefense a few days later to help them assess the potential damages of the hack and to pinpoint potential data breaches.
Ledger added that they are actively monitoring to find any evidence of the database being sold on the internet. To date, Ledger has not found any evidence of this. In addition, the company performed internal penetration testing, and they will also go ahead with the external penetration testing which was originally only planned for September.
Despite no signs of the details being sold on the internet, Ledger has warned its users to always be careful of phishing attempts by malicious hackers and scammers. They added that the company would never call customers to ask for their 24 word-recovery phrases. Based on this, Ledger customers should be careful with whom they share such information.
Ledger concluded that it would be filing a formal complaint with relevant authorities to investigate the situation thoroughly.