Ledger - REKT

Ledger has lost the trust of their users.

The customer information that was taken in July has long been available to those who were willing to pay the price, but now it’s free of charge.

The list of 272,853 customers and 1,075,382 email subscribers was posted last night on raidforums to the dismay of some forum users, who complained that the OP had ruined its financial value.

In July 2020 a researcher had been taking part in the Ledger Bug Bounty program when they found a potential attack vector. It later emerged that this vector had already been exploited.

Ledger then announced that their website had been exploited, and that an “unauthorized third party had gained access to a portion of our e-commerce and marketing database through an API Key”.

The information contained in this data leak was reportedly being sold for nearly six figures. This proves the value of this personal information; whoever was paying those prices will have expected to profit from their purchase.

Since the information has become free to access, users have been reporting an increase in phishing attempts. This behaviour will continue to grow over the coming months, and it would not be surprising to hear of a physical attack due to this data breach.

The best case scenario is that Ledger has provided a target list for SIM swappers and phishing campaigns. The worst case scenario could be physical attacks or burglary due to the personal information that has been leaked.

At first we were told by Ledger that a group of 9500 customers had their data exposed, including first and last name, postal address, and phone number. Now we find out that this number was closer to 227,000.

Were Ledger deliberately obscuring the severity of the incident?

We spoke to a representative from Ledger, who provided the following statement;

We’re still investigating this ongoing issue, but the dumped content may be Ledger’s e-commerce database that was exposed during the data breach in June 2020. This database may be used by scammers for phishing attacks through emailing and text message campaigns.

Our Customer Support team has been working to notify our users via Twitter and responding to questions while also reporting all tweets and Reddit posts that contain a link to the database. We urge all of our users to never share their 24-word phrase, and remember that no one from our team will ever request that private information.

Since we discovered the data breach in June 2020, we worked with an external security organization to conduct a forensic review. The review confirmed that only 9,500 individuals were impacted, all of whom were personally contacted by Ledger Support. Since the phishing attacks started to occur, we anticipated more information could have leaked and continued to notify all users via Twitter and email.

We are doing everything in our power to cease these attacks and avoid situations like this in the future. Ledger has a set of measures in place to protect our users from falling victims to phishing attacks. We have set up a webpage sharing the anatomy of phishing attacks so users can avoid falling for them and report any new attacks: https://www.ledger.com/phishing-campaigns-status

We sincerely regret this situation, and our team is working diligently to stop the scammers and restore faith within the community. We have been open and transparent about this issue from the onset and will continue to respond to any new developments as the information becomes available. We are continuing analysis of this data and will continue to provide updates.

This situation shows the problem of dependence on third parties to store our information safely.

As Web 3.0 grows, the problems with Web 2.0 become ever more apparent. The forced compliance of offline companies slows our progress and puts our information at risk.

We are forced to entrust these companies with our data, despite the known risks of centralised storage. Companies such as Ledger are torn between the old world and the new, unable or unwilling to implement technology such as zk-proofs which would secure their database.

It won’t just be the criminal world who are keen to view this information. In Europe there have already been cases where the data of Swiss bank customers has been bought by officials to help their investigations into tax fraud.

The strict framework of GDPR has been obliterated by this data breach. Customers who requested that their data be deleted were seemingly ignored or even lied to.

One such customer told us;

I sent them an email in May 2020 and asked them to delete any data they have about me from multiple orders. I referenced GDPR in the message. They replied :" Thank you for contacting us. It will be done as soon as possible. "

With the leaks I cross checked and realized that I am in the big data dump (email, address, phone...)

Ledger should have made sure that this personal data was deleted automatically after a set period of time.

Was it incompetency or dishonesty that made Ledger ignore these requests?

It doesn’t matter now - there’s no changing what happened.

There is no cure for a data breach, the only solution is prevention.

REKT serves as a public platform for anonymous authors, we take no responsibility for the views or content hosted on REKT.

donate (ETH / ERC20): 0x3C5c2F4bCeC51a36494682f91Dbc6cA7c63B514C

disclaimer:

REKT is not responsible or liable in any manner for any Content posted on our Website or in connection with our Services, whether posted or caused by ANON Author of our Website, or by REKT. Although we provide rules for Anon Author conduct and postings, we do not control and are not responsible for what Anon Author post, transmit or share on our Website or Services, and are not responsible for any offensive, inappropriate, obscene, unlawful or otherwise objectionable content you may encounter on our Website or Services. REKT is not responsible for the conduct, whether online or offline, of any user of our Website or Services.