Hardware wallet manufacturer Ledger was found to have its data breached in July last year, where hackers stole the personal data of over 272,000 users, including some high net worth individuals and whales. Recent reports show that an additional 20,000 users’ data were also compromised in the same hack, bringing the total number of affected individuals to 292,000, adding on to a pool of dissatisfied customers.
Unfortunately, while Ledger’s unique selling point centers around its supposed unparalleled security, several vulnerable touch points are still available to malicious actors such as ecommerce gateways connected to Ledger. In this case, Ledger found that members of major ecommerce platform Shopify’s support team, who handled a majority of Ledger purchases, were the source of the data breach. Their API access allowed them to obtain transaction details, which included customer addresses, names and more.
In response, Ledger has announced further measures to strengthen security. This includes eliminating long term storage of personal data on its platform and third-party services, such as Shopify, and to manage only necessary data in a “segregated environment”. The company will also be adjusting its communication channels with users and customers, such as minimizing contact by email and social media lest hackers or scammers attempt to contact users via these methods.
It has also included a 10 BTC bounty to users and the crypto community who can offer them useful information to identify the hackers and contributors of this attack. At current Bitcoin prices, this bounty is worth approximately $350,000 USD in total.
As previously reported, Ledger customers implicated in this unfortunate event began receiving phishing scam emails after their details were exposed. Some customers also voiced their concerns that they could be potentially robbed in their own homes for their hardware wallets, considering that their transactions and physical addresses were now open for many to see.