The company behind Ledger crypto hardware wallet reported its client database suffered several breaches this month.
The company’s leadership announced a blog post revealing the e-commerce and marketing data breach on the Ledger website, which was found out on July 14. The security incident repeated once again on June 25.
The breaches were made by the unauthorized third party, who gained access to the company’s client email list and other marketing information, used for sending promotional emails.
Approximately 1 million client addresses were compromised. The company however highlighted that any information regarding Ledger’s clients’ cryptocurrency funds and payment data is safe. Ledger also stated that it immediately fixed the breach after being informed and is currently carrying out an internal investigation.
According to the blog post, the breach was detected by the independent researcher, participating in a Ledger’s bounty program.
Personal information revealed
Ledger is one of the leading hardware crypto wallet producers with over 1 million units sold in dozens of countries worldwide. The company now stated that almost all of its 1 million client contact database was attacked.
However, despite the breach of 1 million email addresses, the more sensitive data of nearly 9500 customers were also exposed, including first and last names, postal addresses, phone numbers, or ordered products. According to the announcement, the breach affected the contact data only:
Regarding your e-commerce data, no payment information, no credentials (passwords), were concerned by this data breach. It solely affected our customers’ contact details.
The company further stated that the security incident has no links nor impact to the Ledger’s hardware wallets and clients’ digital assets, which are safe were never in danger.
Additionally, the Ledger leadership declared that the breach was implemented through an API key. The compromised key has been deactivated and no longer accessible since the incident was exposed.
The company claims to be actively monitoring the internet for evidence of the compromised database being sold. It also performs an internal penetration testing and is pushing forward the external one, which was initially planned for September.
Ledger as well remembered its clients to be aware of possible scams and phishing emails that might come pretending to be from Ledger and asking for the personal 24 words recovery phrase. The company warned to consider it as a phishing attempt and do not reveal sensitive information, as the company itself will never ask for such kind of data.