Reimbursing data leak victims will “kill Ledger,” and for this reason none of the over one million newsletter subscribers or the 272,853 victims whose physical addresses, names, and phone numbers were leaked to a hacker forum will be compensated, the CEO of Ledger, Pascal Gauthier, told Decrypt on Dec 21.
The July 2020 Ledger Hack
Ledger is a hardware wallet manufacturer supplying most cold wallets that crypto holders use to secure the private keys (a 24-word seed phrase) of their coins and tokens. Private keys are used for confirming transactions; forfeiting or losing control of them means losing coins.
In July 2020, a bounty hunter notified the Ledger leadership of a data breach on its website. However, despite their internal investigation and bug fix, an unauthorized third party accessed and made away with content from their e-commerce and marketing database through an API key.
The stolen content included personal details, physical addresses, and email addresses. The hardware manufacturer uses these to confirm orders and send out promotional emails.
Ledger confirmed that no payment information or passwords were lost.
The hacker, or the group responsible, has since shared this information for free on a hacker forum. The archive contains two files: “All Emails (Subscription).txt” and “Ledger Orders (Buyers) only.txt.”
Both contained data stolen during the July 2020 hack.
Specifically, the “All Emails (Subscription).txt” contains the email addresses of 1,075,382 subscribers of the Ledger newsletter.
“Ledger Orders (Buyers) only.txt”, on the other hand, is more sensitive and contains the physical addresses, names, and phone numbers of the 272,853 people who purchased Ledger devices.
The details have since been confirmed to be accurate.
We Build, Not Compensate Says CEO
Pascal now says that, even with this, Ledger can’t compensate its clients, despite them being bombarded with sophisticated phishing emails.
Talking to Decrypt, he said:
“When you have a data breach of this magnitude for such a small company, we won’t reimburse for a million users, all the devices, that’s just not possible. It would just kill the company.”
Instead of offering compensation, Ledger will invest time and money to improve their defenses.
2020 has seen several firms and protocols hacked. BTCManager reported on Twitter hackers using Wasabi wallets to cover their trails.