Ledger is considered one of the biggest cryptocurrency hardware wallet companies in the world. However, despite its reputation as one of the most trustworthy companies, Ledger failed to protect the personal data of a large portion of its customers.
In July of 2020, Ledger informed the public that a security error on their side allowed hackers to access a database featuring personal information and contact details of their users. At that time, according to Ledger, hackers got access to the personal data of more than 9,500 of their customers. The breached database included the first and last names, home addresses, phone numbers, and email addresses of Ledger hardware wallet buyers.
Fast forward to December 2020, and it turns out that the data breach is far greater than what the company revealed back in July. The hacked database consists of the personal user data of more than 270,000 customers. All that data got posted on RaidForums – an online market for sharing, buying, and selling hacked info. Furthermore, an additional 1 million email addresses got posted on the same forum that originated from the same hacker’s attack on Ledger.
Ledger got wind of the data breach on July 14th, in the middle of a bug bounty program. The company acted swiftly and patched its database right away. But it was too late.
Before the data breach, one of their marketing partners was given access to Ledger’s marketing and e-commerce databases through an API. Soon after Ledger learned about the breach, they discontinued the API.
In the meantime, Ledger issued a statement saying that the hack wasn’t a threat to the user’s fund
But even though no funds were at risk or lost due to the data breach, many phishing attempts followed.
Bleeping Computer found out earlier this month that many of Ledger’s customers received emails in which it was said that they need to reset their PIN because of some new Ledger Live software update. Even though the emails appeared as they came from Ledger, they came from cybercriminals and hackers looking for ways for Ledger users to reveal their secret passcodes and recovery phrases.
As of yesterday, Ledger started warning its customers of another scam in which hackers and cybercriminals are threatening to invade people’s homes if they don’t cough up a $500 ransom.