{"id":141078,"date":"2020-12-24T20:35:00","date_gmt":"2020-12-24T17:35:00","guid":{"rendered":"https:\/\/en.buradabiliyorum.com\/ledger-data-leak-a-simple-mistake-exposed-270k-crypto-wallet-buyers\/"},"modified":"2020-12-24T20:35:00","modified_gmt":"2020-12-24T17:35:00","slug":"ledger-data-leak-a-simple-mistake-exposed-270k-crypto-wallet-buyers","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/ledger-data-leak-a-simple-mistake-exposed-270k-crypto-wallet-buyers\/","title":{"rendered":"# Ledger data leak: A \u2018simple mistake\u2019 exposed 270K crypto wallet buyers"},"content":{"rendered":"<div id=\"ez-toc-container\" class=\"ez-toc-v2_0_84 counter-hierarchy ez-toc-counter ez-toc-custom ez-toc-container-direction\">\n<p class=\"ez-toc-title\" style=\"cursor:inherit\">Table of Contents<\/p>\n<label for=\"ez-toc-cssicon-toggle-item-6a269019f26bf\" class=\"ez-toc-cssicon-toggle-label\"><span class=\"\"><span class=\"eztoc-hide\" style=\"display:none;\">Toggle<\/span><span class=\"ez-toc-icon-toggle-span\"><svg style=\"fill: #dd3333;color:#dd3333\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" class=\"list-377408\" width=\"20px\" height=\"20px\" viewBox=\"0 0 24 24\" fill=\"none\"><path d=\"M6 6H4v2h2V6zm14 0H8v2h12V6zM4 11h2v2H4v-2zm16 0H8v2h12v-2zM4 16h2v2H4v-2zm16 0H8v2h12v-2z\" fill=\"currentColor\"><\/path><\/svg><svg style=\"fill: #dd3333;color:#dd3333\" class=\"arrow-unsorted-368013\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"10px\" height=\"10px\" viewBox=\"0 0 24 24\" version=\"1.2\" baseProfile=\"tiny\"><path d=\"M18.2 9.3l-6.2-6.3-6.2 6.3c-.2.2-.3.4-.3.7s.1.5.3.7c.2.2.4.3.7.3h11c.3 0 .5-.1.7-.3.2-.2.3-.5.3-.7s-.1-.5-.3-.7zM5.8 14.7l6.2 6.3 6.2-6.3c.2-.2.3-.5.3-.7s-.1-.5-.3-.7c-.2-.2-.4-.3-.7-.3h-11c-.3 0-.5.1-.7.3-.2.2-.3.5-.3.7s.1.5.3.7z\"\/><\/svg><\/span><\/span><\/label><input type=\"checkbox\"  id=\"ez-toc-cssicon-toggle-item-6a269019f26bf\" checked aria-label=\"Toggle\" \/><nav><ul class='ez-toc-list ez-toc-list-level-1 ' ><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-1\" href=\"https:\/\/buradabiliyorum.com\/en\/ledger-data-leak-a-simple-mistake-exposed-270k-crypto-wallet-buyers\/#Over_270000_personal_account_details_compromised\" >Over 270,000 personal account details compromised<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-2\" href=\"https:\/\/buradabiliyorum.com\/en\/ledger-data-leak-a-simple-mistake-exposed-270k-crypto-wallet-buyers\/#%E2%80%98Scareware_and_other_risk_factors\" >\u2018Scareware\u2019 and other risk factors<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-3\" href=\"https:\/\/buradabiliyorum.com\/en\/ledger-data-leak-a-simple-mistake-exposed-270k-crypto-wallet-buyers\/#Affected_users_threaten_legal_action\" >Affected users threaten legal action<\/a><\/li><\/ul><\/nav><\/div>\n<p>&#8220;<strong># Ledger data leak: A \u2018simple mistake\u2019 exposed 270K crypto wallet buyers <\/strong>&#8221;<br \/>\n<img decoding=\"async\" src=\"https:\/\/images.cointelegraph.com\/images\/840_aHR0cHM6Ly9zMy5jb2ludGVsZWdyYXBoLmNvbS91cGxvYWRzLzIwMjAtMTIvYTRiYzE3ZWEtODE2ZC00ZDI2LThiMWItOTNiYzBhMjhmNDhmLmpwZw==.jpg\" \/><\/p>\n<div class=\"post-content\" data-v-5a136f3a>The hacker likely responsible for Ledger\u2019s security breach in July recently dumped a large amount of data exposing the personal information of over 270,000 customers, including phone numbers and physical addresses. The leak also included 1 million emails of Ledger wallet owners and customers that were signed up to the company\u2019s <a href=\"https:\/\/buradabiliyorum.com\/en\/category\/news\/\" data-internallinksmanager029f6b8e52c=\"2\" title=\"News\" target=\"_blank\" rel=\"noopener\">news<\/a>letter service.<\/p>\n<p>Amid the furor caused by the incident, Ledger says its focus is on improving its security infrastructure rather than reimbursing users for any losses that may occur. Meanwhile, some affected customers are reportedly considering taking legal action against the company in the form of a class-action lawsuit.<\/p>\n<p>The Ledger customer data leak also offers fresh fodder for the debate against implementing more Know Your Customer compliance protocols, critics of which argue that such measures encourage targeted cyber attacks aimed at exposing critical personal data.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Over_270000_personal_account_details_compromised\"><\/span>Over 270,000 personal account details compromised<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>As mentioned, the hacker presumably responsible for breaching the Ledger e-commerce database back in July dumped the personal information of thousands of affected users online. The company was blamed on <a href=\"https:\/\/buradabiliyorum.com\/en\/category\/social-mediaa\/\" data-internallinksmanager029f6b8e52c=\"1\" title=\"Social Media\" target=\"_blank\" rel=\"noopener\">social media<\/a> for not providing better protection of user data and downplaying the extent of the initial breach. At the time, the hardware wallet maker declared that only 9,500 customers were affected by the security breach.<\/p>\n<p>Addressing the disparity in the reported number of people affected, Ledger <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.ledger.com\/message-ledgers-ceo-data-leak\/\">issued<\/a> a statement on Dec. 21 declaring that the leak covered more material than it was able to analyze earlier in the year. However, the company affirmed that customer funds remained safe, adding: \u201cThis data breach has no link nor impact on our hardware wallets, the <a href=\"https:\/\/buradabiliyorum.com\/en\/category\/download-scripts-themes-apps\/\" data-internallinksmanager029f6b8e52c=\"9\" title=\"Download Scripts &amp; Themes &amp; Apps\" target=\"_blank\" rel=\"noopener\">app<\/a> or your funds. Your crypto assets are safe. While very truly and sincerely regrettable, this breach concerns only e-commerce related information.\u201d<\/p>\n<p>Responding to the incident via Twitter, Ledger CEO Pascal Gauthier<a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/twitter.com\/_pgauthier\/status\/1341084662752489472\"> remarked<\/a> that the leak was indicative of the growing threat of cyberattacks. Appearing on the <em>What Bitcoin Did<\/em> podcast with Peter McCormack, Gauthier <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.youtube.com\/watch?v=pNK6UaZ6XjI\">commented<\/a> on the nature of the breach, stating that it was the result of a mistake in the company\u2019s e-commerce stack.<\/p>\n<p>\u201cIt\u2019s a wrong API key that got coded on the map client to import the database from the store that got coded in the wrong placements and so, therefore, was coded where it should not have been coded and exposed the database to a simple attack,\u201d explained Gauthier.<\/p>\n<p>Amid the reactions to the leak, some cybersecurity experts highlighted that the incident was another pointer to the lack of encryption deployment by database administrators in storing user data. The Ledger CEO addressed the lack of encryption on the API keys, adding that it was an honest mistake and not a deliberate attempt to jeopardize customer safety by failing to hash API keys.<\/p>\n<p>Commenting on the leak, Ruben Merre, CEO of hardware wallet maker NGRAVE, remarked that the incident was reflective of rapid growth among crypto firms coming at the expense of security considerations. He added: \u201cSo many online platforms get hacked, and not necessarily because of the hackers\u2019 skill. Often, platforms just have bad security governance, let alone implementation.\u201d<\/p>\n<h2><span class=\"ez-toc-section\" id=\"%E2%80%98Scareware_and_other_risk_factors\"><\/span>\u2018Scareware\u2019 and other risk factors<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The data leak has triggered another round of phishing attacks as rogue actors, now armed with the emails of Ledger users, attempt to trick the wallet\u2019s customers into revealing their 24-word seed phrase. Even before the data dump, such phony emails were a regular occurrence.<\/p>\n<p>However, the exposure of phone numbers and personal addresses potentially opens up Ledger users to more risk factors. Some users have reported attempted SIM swapping attacks on their numbers with the hacker presumably trying to compromise two-factor authorization protocols.<\/p>\n<p>Crypto investors have been targets of SIM swap attacks in the past. Back in June, Richard Yuan Li was charged with conspiracy to commit wire fraud in connection with a <a href=\"https:\/\/buradabiliyorum.com\/en\/category\/watch-movies-tv-seriess\/\" data-internallinksmanager029f6b8e52c=\"8\" title=\"Watch Movies &amp; TV Series\" target=\"_blank\" rel=\"noopener\">series<\/a> of SIM swap attacks that targeted over 20 individuals.<\/p>\n<p>Apart from phishing and SIM swap exploits, the data leak also opens up the possibility of the risk factors moving beyond scareware into the realm of actual physical attacks. Indeed, some users affected by the incident claim to have received threatening messages asking for payments or risk possible home invasions.<\/p>\n<p>The Ledger CEO has acknowledged the possibility of physical attacks as a result of the company\u2019s oversight, and has also assured users that their hardware wallet devices contained several protective protocols to safeguard against the theft of funds. Among these security measures is the use of incorrect pincode entries to format devices or a second password that displays a dummy account, leaving the owner\u2019s actual funds safe from bad actors.<\/p>\n<p>Additionally, the <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/twitter.com\/notsofast\/status\/1340798771601563650\">consensus<\/a> among security experts on social media is that consumers should be using post office box addresses or other public pickup locations instead of their actual home addresses for sensitive items like a Ledger hard wallet. For those with compromised phone numbers, the best line of action appears to be getting a new number and using a new email address to communicate the change to important contacts.<\/p>\n<p>While affected customers continue to deal with the fallout of the leak, Ledger says it is working to prevent future occurrences. In a statement to Cointelegraph, the company stated:<\/p>\n<blockquote><p>\u201cWe are doing everything in our power to cease these attacks and avoid situations like this in the future. Ledger has a set of measures in place to protect our users from falling victims to phishing attacks. We have set up a webpage sharing the anatomy of phishing attacks so users can avoid falling for them and report any new attacks.\u201d<\/p><\/blockquote>\n<h2><span class=\"ez-toc-section\" id=\"Affected_users_threaten_legal_action\"><\/span>Affected users threaten legal action<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Some affected users began advocating for legal action against Ledger immediately following the reported leak. There is even a \u201cLedger wallet leak\u201d subreddit on the Reddit platform, where users are discussing possible modalities for a class-action lawsuit.<\/p>\n<p>With its headquarters in Paris, Ledger falls under the laws of the European Union. In November, the European Parliament <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.dw.com\/en\/class-action-lawsuits-to-become-eu-law\/a-55711222\">adopted<\/a> legislative amendments that will allow EU customers to institute class-action lawsuits against companies operating in the region within the next two years.<\/p>\n<p>According to the ruling at the time, once passed into law, class-action lawsuits can be filed against companies operating in the EU for cases involving financial services, tourism and data protection, among others.<\/p>\n<p>Ledger\u2019s EU customers will require a qualified consumer protection body or some other recognized entity to represent the complainants. However, unlike U.S. laws, punitive damages from EU class-action lawsuits are restricted to the actual losses incurred by the class of plaintiffs.<\/p>\n<p>Apart from customers filing a lawsuit against the company, the data leak might also constitute a breach of privacy in the eyes of European regulators, specifically under the EU <a href=\"https:\/\/buradabiliyorum.com\/en\/category\/general\/\" data-internallinksmanager029f6b8e52c=\"3\" title=\"General\" target=\"_blank\" rel=\"noopener\">General<\/a> Data Protection Regulation. In such situations, the EU has the ability to fine Ledger up to 4% of its revenue.<\/p>\n<p>Indeed, with the Ledger CEO having admitted to the company anonymizing user data improperly, the company could come under scrutiny from EU officials. Recital 26 of the GDPR <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.privacy-regulation.eu\/en\/r26.htm\">mandates<\/a> all companies to ensure complete removal of all the information that can identify users from their cache of stored or processed data.<\/p>\n<p><template data-name=\"subscription_form\" data-type=\"law_decoded\"><\/template><\/div>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<blockquote><p><strong><span style=\"color: #ff6600;\">If you liked the article, do not forget to share it with your friends. Follow us on\u00a0<span style=\"color: #ff0000;\"><a style=\"color: #ff0000;\" href=\"https:\/\/news.google.com\/publications\/CAAqBwgKMLG0nwswvr63Aw\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Google News<\/a><\/span>\u00a0too, click on the star and choose us from your favorites.<\/span><\/strong><\/p><\/blockquote>\n<blockquote>\n<p style=\"text-align: center;\">For forums sites go to <span style=\"color: #ff9900;\"><a style=\"color: #ff9900;\" href=\"https:\/\/forum.buradabiliyorum.com\/\" target=\"_blank\" rel=\"noopener\">Forum.BuradaBiliyorum.Com<\/a><\/span><\/strong>\n<\/p><\/blockquote>\n<blockquote>\n<p style=\"text-align: center;\"><strong>If you want to read more News articles, you can visit our <span style=\"color: #ff9900;\"><a style=\"color: #ff9900;\" href=\"https:\/\/en.buradabiliyorum.com\/general\/\" target=\"_blank\" rel=\"noopener\">General category.<\/a><\/span><\/strong><\/p>\n<\/blockquote>\n<p><span style=\"color: black;\"><a style=\"color: #ff9900;\" href=\"https:\/\/cointelegraph.com\/news\/ledger-data-leak-a-simple-mistake-exposed-270k-crypto-wallet-buyers\" target=\"_blank\" rel=\"noopener\">Source<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>&#8220;# Ledger data leak: A \u2018simple mistake\u2019 exposed 270K crypto wallet buyers &#8221; The hacker likely responsible for Ledger\u2019s security breach in July recently dumped a large amount of data exposing the personal information of over 270,000 customers, including phone numbers and physical addresses. The leak also included 1 million emails of Ledger wallet owners&#8230;<\/p>\n","protected":false},"author":1,"featured_media":141079,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/s3.cointelegraph.com\/uploads\/2020-12\/a4bc17ea-816d-4d26-8b1b-93bc0a28f48f.jpg","fifu_image_alt":"","footnotes":""},"categories":[1],"tags":[74862,75819,75190,75189,74879,117],"class_list":["post-141078","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-general","tag-bitcoin","tag-bitcoin-wallet","tag-hardware-wallet","tag-ledger","tag-wallet","tag-business"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/141078","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=141078"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/141078\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media\/141079"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=141078"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=141078"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/tags?post=141078"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}