Data dump exposes Ledger users to fraud

French crypto wallet manufacturer Ledger is under fire after sensitive information of 272,000 customers leaked to a hacker forum overnight.

Keep sharp. Names, phone numbers, and physical mailing addresses of Ledger users were found uploaded to RaidForums, which operates as a marketplace for stolen databases.

An additional one million email addresses were also posted online. Sadly, Ledger users are now warned they could soon be targets of fraud and other social engineering attacks. 

Old hack, new leak? Crypto wallet owners are considered high-value targets by cybercrims, with some reports claiming the stolen data sold for around $60,000 before it was shared for free.

Today we were alerted to the dump of the contents of a Ledger customer database on Raidforum. We are still confirming, but early signs tell us that this indeed could be the contents of our e-commerce database from June, 2020.

— Ledger (@Ledger) December 20, 2020

Ledger first disclosed an attack of this kind back in June, but at the time said just 9,500 customers had been affected.

Phishing for whales. Spear-phishers have been targeting Ledger users since around the time of the company’s first disclosure.

Mostly, fraudsters bait targets into clicking on malicious links shared by SMS or email — the idea being that anyone with a cold wallet simply must be loaded with digital cash ripe for the taking.

What can you do? Not much. If you’ve bought one of Ledger’s devices, we suggest extra caution when opening anything resembling correspondence from Ledger.

Now more than ever, don’t click on suspicious links delivered via email or SMS. Changing your phone number and email address might also be a good idea, and never (ever) give up your seed phrase.

This leak holds major risk to the people affected by it!

Individuals who purchased a Ledger tend to have high net worth in cryptocurrencies and will now be subject to both cyber harassments as well as physical harassments in a larger scale than experienced before.

— Alon Gal (Under the Breach) (@UnderTheBreach) December 20, 2020

All that’s left is to reconsider how readily we share personal information with companies, whether they’re industry insiders like Ledger or otherwise.

For what it’s worth, Ledger says it’s totally sorry for the snafu, having hired a new chief security officer to restore faith — but the company is surely a long way from regaining the community’s trust, if it’s even possible.