The crypto industry is shaken by reports of yet another data breach incident, this time on crypto hardware wallet maker Ledger, the company behind the popular Ledger Nano S. The firm announced on Wednesday that it had suffered a data breach on June 25, 2020.
According to the announcement, the incident resulted in customer contacts and order information getting exposed, but crypto funds remain unaffected. The company has also notified all affected customers via email, which summarised the specifics of the attack.
Ledger was first notified about the attack on July 14, by a computer researcher who was participating in the company’s bug bounty program.
The company was swift enough to patch the vulnerability, while also opening an internal and external investigation of the situation.
During the investigation, the company discovered that the vulnerability was already exploited back on June 25, after an unauthorized third party had accessed the marketing and e-commerce database using an API key that was immediately deactivated.
Since the attack was focused on the marketing and e-commerce database, the attackers weren’t able to access sensitive information like the user recover phrases or private keys.
The company also added that the breach is unrelated to Ledger’s hardware wallets or Ledger Live security product. The hackers were able to access the emails of approximately one million customers and the order information for a few.
Benoît Pellevoizin, VP marketing at Ledger, told The Daily Chain that all financial information is safe. However, he urged users to be aware of potential scams and phishing attacks:
“No customer financial information or funds were affected. The most common attack a scammer can perform with access to email addresses are phishing attacks–we urge our users to exercise caution and to remember that Ledger will never ask for your 24-word recovery phrase. Treat anyone who asks for your financial information as a potential scammer. “
He further added that the order information of some of the clients were also breached, and the company has “specifically” notified those users.
“A much smaller subset, approximately 9500 clients had their order information breached–first and last names, email addresses and postal addresses. We are reaching out to that subset specifically with more detailed information.”
Two days following the breach, Ledger filed a report with France’s Data Protection Authority, the CNIL, and by July 21, it had partnered with Orange Cyberdefense (OCD) to assess the damages.
“We’ve performed an internal penetration test, and confirmed that so far none of the database has been sold or shared on the internet, which we will continue to monitor. We will also be performing an external penetration test in the coming weeks,” Benoît added.
In order to build and maintain trust among customers, Benoît notes that it is “Extremely important” for them to remain completely transparent with the customers.
“We hold our relationship with our customers in the highest regard, and we wanted to be sure that we were as transparent as possible with this regretful occurrence.”