Ledger Nano series hardware wallets are among the most famous on the market. Unfortunately, the company's website and databases are not as infallible as expected. As a result, one million Ledger customer email addresses have been collected.
A breach detected by a “bounty hunter”…
On July 29th, Ledger published an alert on Twitter for its customers:
“A researcher participating in our bounty program made us aware of a potential data breach in our marketing database. We immediately investigated and fixed it. Your payment information and crypto funds are safe.”
In a more detailed explanation on their blog, Ledger’s teams explain that the flaw was discovered on July 14th by an external IT expert who was looking for security flaws. Such researchers are rewarded with bounties when they discover flaws of this kind.
Ledger says it “immediately corrected” the problem. Unfortunately, the breach seems to have already been exploited.
Leakage of a million or more e-mail addresses
Ledger’s team explains that the flaw was exploited on June 25, 2020 by an unauthorized third party, who accessed their e-commerce and marketing databases. The individual used an API key that has since been deactivated.
Although these databases mainly contained e-mail addresses (1 million), they also contained more sensitive information (name, address, telephone number, etc.) for 9,500 customers.
The creators of the Nano insist that, fortunately, no payment information or passwords were compromised through this breach.
Ledger recommends that affected customers, who have received a warning via email, be wary of phishing attempts by criminals who would impersonate Ledger. The company reminds you that it will never ask you for the 24 words of your recovery phrase.
July 2020 will not be remembered as a good month by Ledger’s teams. In addition to this breach of their databases, the experts at Kraken Labs had already revealed points of attack on the Ledger Nano X at the beginning of the month.