Ledger, the company known for its hardware bitcoin wallets, was hacked. In an announcement on the incident, it stated that it was informed of a vulnerability on its website on July 14, 2020, by a researcher taking part in the company's bug bounty program.
Ledger said it fixed the flaw immediately after receiving the researcher's report and then carried out a thorough internal investigation. One week after the vulnerability was patched, that investigation found that the same weakness had already been exploited on 25 June 2020 by an unauthorized third party, who had gained access to part of the company's e-commerce and marketing database. This database is used to send order confirmations and promotional e-mails; it consists mainly of email addresses, but also holds contact and order details such as first and last name, postal address, email address and telephone number. Ledger stressed to its customers, however, that their payment details and cryptocurrency funds were not affected.
The company also described the incident in detail, wanting to explain to its customers exactly what happened. In particular, it reported that the unauthorized third party reached a portion of the e-commerce and marketing database through an API key, and that this key has since been disabled and can no longer be used.
What information is included in the database that was leaked during the attack?
The database contains the contact and order details of the company's customers, including about one million customer email addresses. Ledger added that for roughly 9,500 of its customers the breach also exposed personal information such as first and last name, postal address, telephone number and the products ordered. The scale of the breach was precisely why the company decided to inform its customers about the incident immediately.
The e-commerce data included no payment details and no credentials, so the breach affects customer contact information only. It has no bearing on the hardware wallets, on the security of Ledger Live, or on customers' cryptocurrency funds, which were never compromised.
What has the company done so far and what else does it intend to do?
- As the breach was limited to e-commerce and marketing communications, the company fixed the problem immediately, took the time to conduct a thorough internal investigation with security experts, and then alerted its community to the incident.
- On July 17, it notified the CNIL, the French data protection authority, which supervises the application of data privacy law to the collection, storage and use of personal data.
- On July 21, it partnered with Orange Cyberdefense to assess the damage the breach may have caused and to detect any leaks of the data.
- After a thorough investigation by the company's security team and Orange Cyberdefense, it concluded that the e-commerce and marketing database had been breached. By the time of publication, all affected customers had already received a notification email.
- The company also said it is actively monitoring whether the data taken in the attack is being offered for sale online; so far it has detected nothing.
- It is also extending the scope of its security and organization program to e-commerce, having initially focused on its products (HW & Vault). At the same time, it is taking steps to meet the requirements of ISO 27001, and has lodged a formal complaint with the authorities so that the incident is investigated further.
- In addition, to better protect its customers' privacy, Ledger Live, the companion application for the Nano, which stores no customer information, will become the main channel for news on product developments, alongside Ledger's social media accounts (Facebook, LinkedIn, Twitter).
Finally, Ledger advises its customers to be very careful about phishing attacks. For example, the company will never ask its customers for the 24 words of their recovery phrase. Any email that appears to come from Ledger and asks for the 24 words is therefore a phishing attempt.
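The rule Ledger gives its customers can be turned into a simple screening check over incoming mail. The Python below is an added example written for this page; it is not Ledger's code and not part of the announcement. It assumes that ledger.com is the only legitimate sending domain (an assumption, since the article does not list Ledger's mail domains), flags a message as phishing when it instructs the reader to enter, confirm or send a recovery phrase, when it links to a host that borrows the Ledger name, or when it claims to be Ledger while sent from some other domain, and runs over two constructed sample emails.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# ASSUMPTION (not from the article): the domains Ledger legitimately sends mail from.
TRUSTED_DOMAINS = {"ledger.com"}

# An instruction to type in, confirm or send the recovery phrase. Requiring an action
# verb in front keeps a legitimate warning such as "we will never ask you for your
# 24 words" from being flagged.
SEED_REQUEST_RE = re.compile(
    r"\b(enter|confirm|verify|provide|submit|send|type|input|upload|restore|import|validate)\b"
    r"[^.\n]{0,60}?"
    r"\b(24[\s-]*words?|recovery phrase|seed phrase|secret phrase|backup phrase|mnemonic)\b",
    re.IGNORECASE,
)
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def registrable_domain(host):
    """Last two DNS labels, e.g. www.ledger.com -> ledger.com (crude; no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_trusted(host):
    return registrable_domain(host) in TRUSTED_DOMAINS


def looks_like_ledger(host):
    """Untrusted host that borrows the brand: ledger-support.com, ledger.com.evil.net, ..."""
    return not is_trusted(host) and "ledger" in host.lower()


def body_text(msg):
    """Concatenate the text/plain parts (walk() yields the message itself if not multipart)."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", errors="replace"))
    return "\n".join(chunks)


def screen_email(raw):
    """Return ('phishing' | 'ok', findings) for one RFC 822 message given as a string."""
    msg = message_from_string(raw)
    findings = []

    _, sender = parseaddr(msg.get("From", ""))
    sender_host = sender.rpartition("@")[2]
    claims_ledger = "ledger" in (msg.get("From", "") + " " + msg.get("Subject", "")).lower()
    if claims_ledger and not is_trusted(sender_host):
        findings.append(f"claims to be Ledger but was sent from {sender_host or '<no address>'}")

    text = body_text(msg)
    match = SEED_REQUEST_RE.search(text)
    if match:
        findings.append(f"asks for the recovery phrase: {match.group(0)!r}")
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        if looks_like_ledger(host):
            findings.append(f"link to lookalike domain {host}")

    return ("phishing" if findings else "ok"), findings


# Constructed sample messages (not real mail); the addresses and hosts are made up.
PHISH = """From: Ledger Support <support@ledger-security-alert.com>
To: customer@example.org
Subject: Urgent: your Ledger wallet was exposed in the data breach
Content-Type: text/plain; charset=utf-8

Dear customer,

Your device was affected by the recent Ledger data breach. To secure your funds,
please confirm your 24-word recovery phrase at https://ledger-secure-restore.com/verify
within 24 hours.
"""

LEGIT = """From: Ledger <no-reply@ledger.com>
To: customer@example.org
Subject: Important information about the Ledger data breach
Content-Type: text/plain; charset=utf-8

Hello,

We are contacting you because your contact details were in the e-commerce database
that was accessed by an unauthorized third party. Your funds and your device are safe.
Ledger will never ask you for your 24 words. Read more at https://www.ledger.com/
"""

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        verdict, findings = screen_email(raw)
        print(name, verdict, findings)
```

The point of the sample pair is the edge case: the legitimate notification itself mentions the 24 words, so a naive keyword match would flag Ledger's own warning. Tying the match to an action verb ("confirm your 24-word recovery phrase") separates a request for the phrase from a reminder never to share it. The lookalike check deliberately inspects the whole hostname, so a link to ledger.com.evil.net is caught even though its registrable domain does not contain the brand.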