Top hardware wallet Ledger revealed that a breach occurred in its customer information database, and email IDs for close to a million customers have been stolen. User funds are safe, but the risk of an extensive phishing attack is very high.
Vulnerability in Ledger’s Database
A bug bounty program helped Ledger discover that it’s marketing database had a vulnerability that put the personal information and purchases details of customers at risk. Ledger immediately patched the issue, but it was already too late.
The company noticed that somebody used an API to access this information on Jun. 24. The company has since sent a notice to customers whose information is at risk.
Email IDs for over a million customers were leaked. Sensitive information such as full names, phone numbers, and addresses were taken for a subset of 9,500 customers, according to Ledger.
In response to the situation, the company promises to tighten its internal security and is pushing for data security measures on e-commerce data on par with product data (wallet-related information).
Ledger notified the French Data Protection Authority and is actively monitoring evidence that helps them figure out whether the data is being sold on the internet.
Hardware wallets are the gold standard of cryptocurrency security for retail investors. The wallet provider noted that funds are not at risk as the hacker targeted customer information. However, this could result in a large scale phishing attack to coerce Ledger users into revealing their wallet recovery phrase and keys.
The company emphasizes that it will never ask users for recovery phrase and private key-related information.