A database containing the personal information of Ledger customers has been published on RaidForums, a database sharing site for buying, selling and sharing hacked information. It is alleged the database was obtained from a hack on Ledger’s archives back in June 2020.
The database contains 1,075,382 email addresses and 272,853 hardware wallet orders, with the order information containing the full names, emails, physical addresses and phone numbers of Ledger customers. In July 2020, Ledger claimed that only 9,500 customers’ personal details were exposed during the hack. This leak, however, shows that the extent of the hack was far greater than initially reported.
Leak is legit.
Over 1,000,000 email addresses
Over 250,000 physical addresses and phone numbers https://t.co/hLoXv3BATk
— Jameson Lopp (@lopp) December 20, 2020
Ledger confirmed that “early signs” from their research indicated that the database exposed on RaidForums is from the hack that occurred in June 2020:
Today we were alerted to the dump of the contents of a Ledger customer database on Raidforum. We are still confirming, but early signs tell us that this indeed could be the contents of our e-commerce database from June, 2020.
— Ledger (@Ledger) December 20, 2020
Cybersecurity site haveibeenpwned.com claimed that 69% of the addresses from the database were already listed on their site, meaning they had already been recorded as compromised before the database was published on RaidForums.
New breach: Ledger had over 1M email addresses breached in June, sold, then dumped publicly today. Data also included names, physical addresses and phone numbers. 69% were already in @haveibeenpwned. Read more: https://t.co/F44bBWzioQ
— Have I Been Pwned (@haveibeenpwned) December 20, 2020
Ledger later said in a tweet: “It is a massive understatement to say we sincerely regret this situation. We take privacy extremely seriously. Avoiding situations like this are a top priority for our entire company, and we have learned valuable lessons from this situation which will make Ledger even more secure”.
Many Twitter users expressed their anger regarding the leak, with several raising concerns over their safety now that their personal information has been exposed, especially their physical addresses: “What’s stopping them from knocking on our doors?” – said one Twitter user.
Ledger warned customers of a potential new wave of phishing attempts now that the data has been made public, urging customers to never share their 24-word recovery phrase:
“MOST IMPORTANTLY: Never share the 24 words of your recovery phrase with anyone, even if they are pretending to be a representative of Ledger. Ledger will never ask you for them. Ledger will never contact you via text messages or phone call.”