The hacker that violated the marketing database of hardware wallet provider Ledger. Earlier this year released personal data for thousands of users, prompting many to threaten the company with a class-action lawsuit.
A hacker allegedly behind the violation of personal data from hardware wallet Ledger in June made all the information they acquired available online. According to a tweet from network security firm Hudson Rock’s Alon Gal. This allegedly includes 1,075,382 email addresses from Ledger newsletter subscribers. And 272,853 hardware wallet orders with data including email addresses, physical addresses, and phone numbers.
ALERT: Threat actor just dumped @Ledger‘s database which have been circling around for the past few months.
The database contains information such as Emails, Physical Addresses, Phone numbers and more information on 272,000 Ledger buyers and Emails of 1,000,000 additional users. pic.twitter.com/Sv9cQwhuNy
— Alon Gal (Under the Breach) (@UnderTheBreach) December 20, 2020
“This leak holds major risk to the people affected by it,” said Gal. “Individuals who purchased a Ledger tend to have high net worth in cryptocurrencies and will now be subject to both cyber harassments as well as physical harassments in a larger scale than experienced before.”
Ledger said released information was from June data breach
Ledger said “early signs” in a response on Twitter seemed to confirm. That the information released was from the June data breach that compromised the personal data of many of its users. Many Ledger users reported being targeted through phishing attempts, following news of the hack. Some said they got persuasive-looking emails asking them to download a new version of the software from Ledger.
“We are continuously working with law enforcement to prosecute hackers and stop these scammers,” said Ledger. “We have taken down more than 170 phishing websites since the original breach.”
Many users were apparently unsatisfied with Ledger’s response after experiencing months of reports on phishing attacks.
“If any lawyers want to start a class action suit, I’m sure many of us will jump on board,” said Twitter user Ryan Olah. “This has just gotten 10,000x worse now.”
Today we were alerted to the dump of the contents of a Ledger customer database on Raidforum. We are still confirming, but early signs tell us. That this indeed could be the contents of our e-commerce database from June, 2020.
— Ledger (@Ledger) December 20, 2020
Tokens are likely not in danger of being syphoned out of Ledger wallets
Although someone’s tokens are most likely not in danger of being syphoned out of Ledger wallets. By falling into the affected emails or phone numbers for such phishing attempts. Users could potentially compromise their own funds. Many have reported that they have tried to trick such attacks into giving up their seed phrases, prompting Ledger to repeat:
“Never share the 24 words of your recovery phrase with anyone. Even if they are pretending to be a representative of Ledger. Ledger will never ask you for them. Ledger will never contact you via text messages or phone call.”
However, some Ledger users have pointed out that phishing assaults are just one possible threat. That they may face now that their physical addresses are public. As was the case with Singaporean businessman Mark Cheng in January. Individuals with a large number of crypto holdings run the risk of being kidnapped. And held until they give up their tokens.
“This is a serious breach and I am concerned that people now have our addresses,” said Twitter user Paul Smith. “What’s stopping them from knocking on our doors? Saying sorry, frankly, isn’t enough.”