A data breach of Ledger Wallet's e-commerce system on June 25th resulted in the theft of one million of its customers' personal email addresses.
On July 14th, a researcher informed Ledger of an exploit found online that exposed customer purchasing data. The company began an investigation into the hack but was initially unable to locate the data.
Today, it seems this information has been dumped for free on the Raidforums marketplace. In addition to the leaked email addresses, the dump includes roughly 9,500 other customers' addresses, phone numbers, and names.
Data Leak Leads to Phishing Scams
The hack had damaging consequences: people reported receiving phishing emails, and a few even claimed to have had money stolen from their crypto wallets.
Podcaster and bitcoin enthusiast Brad Mills tweeted that someone he knows lost $50k to a phishing scheme, a result of the leaked Ledger data. Mills tagged Ledger, telling them to warn customers about scam emails asking for their recovery phrase.
Hey @Ledger you need to keep sending phishing warnings to all of your customers!
People are losing their savings because of the hack!
Get in front of it, continually send out purposeful emails to your customers *just* about the hack!
Be a good steward! You need to do better. pic.twitter.com/AlNCMbIBST
— Brad Mills ✍️🔑 (@bradmillscan) December 9, 2020
Ledger’s Response to the Dump
Ledger handled the situation as best it could, responding to the phishing attempts in a public statement. The statement said in bold that “Ledger will never ask you for the 24 words of your recovery phrase.”
An official apology was also tweeted after the dump was discovered. The company also assured its customers that it is working to make Ledger more secure for the future.
It is a massive understatement to say we sincerely regret this situation. We take privacy extremely seriously. Avoiding situations like this is a top priority for our entire company, and we have learned valuable lessons from this situation which will make Ledger even more secure
— Ledger (@Ledger) December 20, 2020