Ledger, the hardware wallet company, suffered a massive data leak earlier today. The data consisted of a million email addresses and, more worryingly, 270,000 phone numbers and physical addresses. All of this information was published on RaidForums, a hacker website.
ALERT: Threat actor just dumped @Ledger's database which has been circling around for the past few months.
The database contains information such as Emails, Physical Addresses, Phone numbers and more information on 272,000 Ledger buyers and Emails of 1,000,000 additional users. pic.twitter.com/Sv9cQwhuNy
— Alon Gal (Under the Breach) (@UnderTheBreach) December 20, 2020
Ledger Getting A Rude Awakening
Reports suggest that the data in question comes from the hack of Ledger's e-commerce database, which occurred back in June of this year.
However, this is where things get interesting. Ledger did acknowledge the database breach back in June, but claimed that only 9,500 postal addresses, phone numbers, and product purchase details were compromised during said hack. As this data leak shows, however, it seems those claims significantly downplayed the scope of the compromised data.
Many Concerns Over Data Breach
As it stands now, the company has given a statement that runs along the expected lines, expressing extreme regret about the situation at large. The company highlighted its emphasis on privacy, which is why this is such a grave issue.
Today we were alerted to the dump of the contents of a Ledger customer database on Raidforum. We are still confirming, but early signs tell us that this indeed could be the contents of our e-commerce database from June, 2020.
— Ledger (@Ledger) December 20, 2020
According to reports, Ledger is currently working alongside law enforcement agencies to try to prosecute the hackers. Following the original data breach, in excess of 170 phishing sites were taken down in its campaign.
At that time, no financial information was leaked, but users had understandable concerns about the leaked data being available to the public. They fear that something more than just phishing attacks could happen.
One user explained that Ledger users tend, more often than not, to hold large amounts of crypto. As such, these individuals are now exposed to physical and cyber harassment on a scale they had not seen before the data breach.
Some Unhappy Customers
As one would imagine, a few users took grave exception to the data breach. Some deemed it outright unforgivable and urged users to cut business with the company entirely. The reasoning behind this is to make an example out of Ledger: leave it to die and let all the other companies know how seriously people take their security.
While some are calling for the indirect death of the company, others are taking a more direct approach: threatening lawsuits against the company in response to the leak.
This entire debacle shows the downsides of storing all the information on a single server, one that is susceptible to hacks, even if the company wasn't aware of it. To add fuel to the fire, some speculate that the new Treasury rule changes that will be imposed, mandating further AML/KYC measures, will only compound the amount of data successfully stolen through these kinds of breaches.