The leading cryptocurrency wallet Ledger discovers personal data breaches to over 1 million emails. All crypto funds remain safe and unaffected.
An official announcement from the leading cryptocurrency wallet Ledger has informed their global userbase of two separate breaches of personal data over the last 2 weeks which mostly compromised emails but also included some order details including names and home addresses.
The initial finding came to light after a researcher participating in Ledger’s ‘Bug Bounty Program’ – an open platform software created by the Ledger Security Team which encourages members of their community with the technical skills to find vulnerabilities and discrepancies in their network in exchange for Bitcoin reward. Many online companies offer a similar service to solve system issues before they arise.
A researcher participating in our bounty program made us aware of a potential data breach in our marketing database.
We immediately investigated and fixed it.
Your payment information and crypto funds are safe.
More details: https://t.co/dpnI2tdfmO
— Ledger (@Ledger) July 29, 2020
The researcher in this case reported the potential of an email hack which was after confirmed by Ledger, immediately prompted a full security investigation into their systems. On the 25th of July 2020, the team discovered a third-party intrusion using an API Key. They consequently noted in their announcement that “an unauthorized third party accessed our e-commerce and marketing database.”
As mentioned above, the majority of this breach compromised email addresses – a total of 1 million users. However, for just short of 10% of users (9,500), more personal details were accessed such as their full name, home address, phone number, as well as their order detail history on the platform.
Response from Ledger after the Email Breaches
In response to these recent user data breaches, Ledger has notified the relevant authority – the French Data Protection Authority – that specializes in personal data law and online privacy. In the coming months, it is likely that we will see Ledger file a full investigation with the authority to internally audit the situation and create new measures to prevent future issues of this nature.
As well as this, on the 21st July Ledger began a partnership with the mobile phone network Orange, specifically it’s Cyberdefense team. This resulted in the confirmation that it was the ‘e-commerce and marketing’ area of the system that was breached. This investigation remains ongoing.
In an open and transparent email sent out to all Ledger users, CEO of Ledger, Pascal Gauthier said on behalf of the entire team that they were “regretful” and that they “sincerely apologize for the inconvenience” that is has caused any of their customers.
They stressed to all users that “Ledger will never ask you for the 24 words of your recovery phrase.”
next