Bitcoin Wallet Firm Ledger Discovers Full Extent of Hack

Ledger plans to update its data privacy policies as a result of the massive data breach.

In brief

• Ledger has disclosed details of a huge data breach.
• The breach exposed 292,000 customers.
• Ledger is updating its privacy policy in response.

Parisian hardware wallet company Ledger has disclosed that personal details of a further 20,000 customers were exposed following a security breach of its databases, bringing the total affected to 292,000.

In a blog post today, Ledger also announced intentions to update its data privacy policies to minimize future harm and put out a bounty of 10 Bitcoin for anyone who can rumble the hacker. 

The post disclosed the full extent and timeline of the data breach, which started as early as April 2020 and affected approximately 292,000 customers. 

We’ve heard your requests regarding data: here are our updates.

Once your order is shipped, we aim to store e-commerce information needed for accounting and legal obligations (name, address, phone number) in a segregated environment for 3 months.

— Ledger (@Ledger) January 13, 2021

The breach, the company found out last month, was due to “rogue member(s)” of the support team of Shopify, the e-commerce company that handles Ledger’s sales. 

Between April and June, 2020, those rogue agents used their API access to obtain transactional records of customers, including Ledger’s.

Ledger got wise to the breach when a researcher emailed it on July 14, 2020. It found that about one million email addresses were stolen, as well as about 10,000 records of personal information, which includes postal addresses, names and phone numbers.

ases get leaked all the time, but particularly sensitive is the information about the addresses and contact details of people known to hold a lot of money. 

Curious about the whereabouts of an obnoxious venture capitalist who tweets about their Bitcoin fortunes? Check the data dump. 

Newly-minted decentralized finance projects that entrust just a few people to their funds in Ledger wallets? Yup, they’re in the dump. 

Customers receiving phishing emails were concerned that they would become targets for things like home invasions.

Ledger CEO Pascal Gauthier told Decrypt last month: “Even though it’s a possibility and we don’t deny it’s a possibility, it’s not the highest possibility that this will happen. The database has been out since June and no-one has [ever] reported any attack of this sort.”

Next Steps For Ledger

Ledger said today that it is “deeply sorry that these incidents occurred and for any pain or stress they’ve caused our customers.”

Ledger said it is working with law enforcement and blockchain forensics firms to trace the hacker, and has created a bounty fund of 10 Bitcoins (roughly $350,000) “for information leading to successful arrest and prosecution.”

The company will also update its privacy policies. It aims to “completely delete” the personal data of customers and urge third-party providers to “to keep this data for as short a period of time as necessary.” Additionally, it will silo data it requires to keep for a long time. 

“These attacks have only strengthened our resolve to build and release products that keep you and your crypto safe,” it said.