Following the hackers’ massive dump of customers’ personal information stolen from France-based major hardware wallet manufacturer Ledger, the Cryptoverse has been hard at work providing ways for users to check if they’ve been included in the breach, as well as suggestions on what to do next. They also shared advice to all crypto-buyers on how to potentially make safer crypto purchases. (Updated at 16:14 UTC: updates in bold.)
As is well known by now, a database reportedly containing more than a million email addresses of Ledger users and more than 270,000 physical addresses and phone numbers was dumped on Raidforums, a website for sharing hacked databases. “We are still confirming, but early signs tell us that this indeed could be the contents of our e-commerce database from June, 2020,” said Ledger.
As Ledger stated earlier, this leak doesn’t contain passwords, recovery phrases, or payment information (customers’ phrases are not stored in the first place) – which further underlines the warning not to share the 24-word recovery phrase with absolutely anybody, even if they say they are Ledger.
“Since we discovered the data breach in June 2020, we worked with an external security organization to conduct a forensic review. The review confirmed that only 9,500 individuals were impacted, all of whom were personally contacted by Ledger Support. Since the phishing attacks started to occur, we anticipated more information could have leaked and continued to notify all users via Twitter and email,” a Ledger spokesperson told Our.
Later, in an email to its clients, the company confirmed that:
“The database publicly released yesterday shows that a larger subset of detailed information has been leaked, approximately 272,000 detailed information such as postal address, last name, first name and telephone number of our customers. These details are not available in the logs that we were able to analyze.”
“If you are part of the detailed personal information subset, you will receive a specific email notifying you within the next 24 hours (check your spam box),” they said, adding that they have taken down more than 170 phishing websites since the original breach.
Also, they have set up a webpage sharing the anatomy of phishing attacks so users can avoid falling for them and report any new attacks: https://www.ledger.com/phishing-campaigns-status.
There are some ways you can check if your information was leaked. Cybersecurity site haveibeenpwned.com, recommended by Ledger itself, said it had already listed 69% of the addresses since the original leak, and many commenters, such as Casa’s Chief Technology Officer Jameson Lopp and Ethereum (ETH) core developer Hudson Jameson, recommended checking if you’re a part of the database leak there.
I’ve seen one swapped out with PDF files – those are just as dangerous as *.exe files, as malicious scripts can be… https://t.co/ei67yr6I2e
— Fiona Kobayashi (@fifikobayashi)
“If your data was compromised, make sure you are not using your number for 2FA [two-factor authentication] anywhere. Change to a VoIP [Voice over IP] number, or GA,” advised economist and trader Alex Krüger. Popular crypto trader ‘notsofast’ also suggested using a new phone number and email address, as well as keeping hard copies in a different safe place instead of one’s home (attorney or safety deposit box if you can afford it), and perhaps keeping the old number on an old device and “log any non-whitelisted texts/calls/phishes to that number, as a record in case harassment/abuse escalates (THANKS Ledger).”
Furthermore, people are warning affected users to take steps to protect themselves against SIM swaps. Others too are arguing for using PO boxes, pseudonyms, burner numbers, and anonymous email accounts for crypto-related purchases in general.
Possible escalation of abuse
‘Notsofast’ is far from the only one who believes that the abuse will escalate. The harassment has been going on for months already. As reported, scammers have been posing as Ledger via emails and texts in an attempt to trick users into giving them their seed phrases, and occasionally they appear to have succeeded, draining victims’ wallets. The leak’s effect seems to have “spread” to Trezor users as well, as they’ve been a target recently too. Some are saying that they’ve been getting these scam messages every couple of days.
And there are those who think that the abuse may go offline as well. “Is there an option that ledgerhack doesn’t end in torture, robbery, blackmailing or murder?” asked Bitcoin blogger Christoph Bergmann. Network security firm Hudson Rock’s Chief Technology Officer Alon Gal tweeted that the leak and the subsequent dump pose a “major risk” to those affected, arguing that those who bought Ledger often hold a lot of crypto in it, “and will now be subject to both cyber harassments as well as physical harassments in a larger scale than experienced before.”
The $5 wrench attack. Hear it’s very effective. pic.twitter.com/5BcN4idgsr
— Alex Krüger (@krugermacro) December 21, 2020
Many commenters are furious, both about the leak and Ledger’s response at the time and now. “Imo this Ledger leak is unforgivable,” said popular crypto researcher Hasu. “You simply can’t sell hardware wallets and store the personal information of your customers on an online server.” As there seems to be no end to the problems caused by the original leak, there also seem to be increasingly more and louder voices online calling for a lawsuit against the wallet maker.
On Ledger’s part, they said in their Twitter thread that they had alerted the authorities and the users of the breach, hired a new Chief Information Security Officer and executed penetration tests and forensic analysis with external security firms, among other steps taken since July. We asked Ledger for comment.
Please change your plans, do blockchains right.
“The only way to secure data is not to collect and store it in the first place; no one is able to secure large amounts of data.” @aantonop https://t.co/0QuLhcUs5T
— Gregory Luneau (@LuneauGregory) December 21, 2020
@mrjasonchoi When you go on holiday, send it to the hotel 😉
— Jonny (@Jonny_Qi)
I can’t see how that scenario would play out though. That database has no info about how big one’s bags are. If you’re a known whale, bad actors prob. already know enough about you to rob you.
If someone tries to jack my Ledger they will be sorely disappointed with the haul
— TheFockinFury (@TheFockinFury) December 21, 2020