Ledger Breach Vastly Underestimated, 270,000 Clients Data Leaked

Key Takeaways

  • In July 2020, Ledger revealed a data breach that exposed over a million customers’ email addresses.
  • At the time, the company reported limited damage and said it had quickly fixed the issue.
  • New reports now show the breach was far larger, in both the number of people and the kinds of data affected.

Ledger, based in France, is the largest cryptocurrency hardware wallet company. Despite its security reputation, the firm failed to secure a database holding its customers’ personal data, according to reports.

Ledger Leak Vastly Underestimated

The company disclosed a security error that gave attackers unauthorized access to a database holding the personal contact details of Ledger’s e-commerce customers: email addresses, first and last names, home addresses, and phone numbers.

Ledger first reported the breach in July 2020, but its true scale only became clear yesterday, when the attackers published the stolen data of hundreds of thousands of people.

In all, the leak exposed the phone numbers and home addresses of more than 270,000 customers, along with more than a million customer email addresses taken from the marketing database.

Ledger had earlier reported that the attackers stole the full personal details of only about 9,500 customers. The data was first posted on Raidforums and then spread to other sites, including Intelx.

Third-Party API Malfunctions

Ledger learned of the breach on Jul. 14 through its bug bounty program. The company fixed the issue immediately, but the data had already been taken.

Before the breach, Ledger had given a marketing company (an unnamed partner) access to its e-commerce and marketing database through an API.

But the API key was misconfigured, so that anyone who discovered it could use it to pull customer data from the database.

“The API key misconfiguration at issue has been running since Aug 9, 2018. Based on the information we have, we believe it was discovered and exploited from April 2020 to June 28, 2020,” Ledger reported.

The API key has now been deactivated and is no longer accessible.
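The article does not say what the misconfiguration was, so the following is an added example of my own, not Ledger’s code and not a description of its actual setup. It models the two controls a partner integration like this needs: an API key whose scopes limit which customer fields it can read (an email-only marketing scope beside an over-broad scope that exposes addresses and phone numbers), and an issue date, expiry and revocation so that a key quietly live since 2018 is caught by a stale-key review. All customer records, scope names and key identifiers are constructed for the example.

```python
"""Added example (not Ledger's code): scoped, expiring partner API keys for a
customer-export endpoint, with a stale-key review check. Everything here is
constructed for illustration."""
from dataclasses import dataclass
from datetime import date, timedelta
import hashlib
import hmac
import secrets

# Constructed, fictional customer records standing in for an e-commerce database.
CUSTOMERS = [
    {"id": 1, "email": "alice@example.com", "name": "Alice Example",
     "address": "1 Rue Fictive, 75001 Paris", "phone": "+33 1 00 00 00 01"},
    {"id": 2, "email": "bob@example.org", "name": "Bob Sample",
     "address": "2 Example Way, Lyon", "phone": "+33 4 00 00 00 02"},
]

# Scope name -> fields a key carrying that scope may read (assumed names).
# A mailing partner only needs an id and an email address; physical contact
# data sits behind a broader scope that no third party should be issued.
SCOPE_FIELDS = {
    "marketing:read": frozenset({"id", "email"}),
    "customers:read": frozenset({"id", "email", "name", "address", "phone"}),
}


class AuthError(Exception):
    pass


@dataclass
class ApiKey:
    key_id: str
    secret_hash: str      # only a hash of the secret is stored server-side
    scopes: frozenset
    issued: date
    expires: date
    revoked: bool = False


def _hash_secret(secret: str) -> str:
    return hashlib.sha256(secret.encode()).hexdigest()


class KeyStore:
    """Issues, validates, revokes and reviews partner API keys."""

    def __init__(self):
        self._keys = {}

    def issue(self, owner, scopes, issued, ttl_days):
        secret = secrets.token_urlsafe(32)
        key_id = f"{owner}-{secrets.token_hex(4)}"
        self._keys[key_id] = ApiKey(key_id, _hash_secret(secret), frozenset(scopes),
                                    issued, issued + timedelta(days=ttl_days))
        return key_id, secret   # the secret is shown to the partner once

    def revoke(self, key_id):
        self._keys[key_id].revoked = True

    def authenticate(self, key_id, secret, today):
        key = self._keys.get(key_id)
        if key is None or key.revoked or today >= key.expires:
            raise AuthError("key unknown, revoked or expired")
        # Constant-time comparison of the stored hash against the presented secret.
        if not hmac.compare_digest(key.secret_hash, _hash_secret(secret)):
            raise AuthError("bad secret")
        return key

    def stale_keys(self, today, max_age_days):
        """Review check: active keys older than the rotation policy allows."""
        return sorted(k.key_id for k in self._keys.values()
                      if not k.revoked and (today - k.issued).days > max_age_days)


def export_customers(store, key_id, secret, today):
    """Return customer records projected onto the fields the key's scopes allow."""
    key = store.authenticate(key_id, secret, today)
    allowed = frozenset().union(*(SCOPE_FIELDS.get(s, frozenset()) for s in key.scopes))
    if not allowed:
        raise AuthError("key has no scope permitting customer reads")
    return [{f: c[f] for f in c if f in allowed} for c in CUSTOMERS]


def demo():
    store = KeyStore()
    # Over-broad key issued in 2018 and never rotated: exports addresses and phones.
    broad_id, broad_secret = store.issue("partner", ["customers:read"], date(2018, 8, 9), 3650)
    # Least-privilege key for the same partner: only what a mailing integration needs.
    narrow_id, narrow_secret = store.issue("partner", ["marketing:read"], date(2020, 7, 14), 90)
    today = date(2020, 7, 14)
    result = {
        "broad": export_customers(store, broad_id, broad_secret, today),
        "narrow": export_customers(store, narrow_id, narrow_secret, today),
        "stale": store.stale_keys(today, 365),   # flags the 2018 key
    }
    store.revoke(broad_id)
    try:
        export_customers(store, broad_id, broad_secret, today)
        result["revoked_denied"] = False
    except AuthError:
        result["revoked_denied"] = True
    try:
        export_customers(store, narrow_id, "wrong-secret", today)
        result["bad_secret_denied"] = False
    except AuthError:
        result["bad_secret_denied"] = True
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The point of the example is that revoking the key, as Ledger did, is only the last step: the export should never have been able to return home addresses and phone numbers to a marketing integration in the first place, and a periodic stale-key review would have surfaced a key issued in 2018 long before anyone exploited it.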

Phishing Attacks, Personal Threats

Ledger said the breach posed no direct threat to users’ funds. But experts worry that many customers’ personal safety is now at risk indefinitely.

Alon Gal, Co-Founder & CTO at security firm Hudson Rock said, “This leak holds major risk to the people affected by it. Individuals who purchased a Ledger tend to have high net worth in cryptocurrencies and will now be subject to both cyber harassments as well as physical harassments on a larger scale than experienced before.”

Since July, the breach has fueled a wave of phishing attempts, and Ledger has warned customers to expect many more.

As the scale of the leak becomes clearer, affected customers are now reporting ransom threats by email. As Decrypt reported, one attacker contacted a customer citing their crypto holdings and home address, and demanded $500 under threat of physical violence.
