Blockchain is often touted as the future of finance: multi-layer security, swift payments, and virtually unhackable. However, a hacked database containing the emails of over a million customers was taken from the digital asset security firm Ledger. The data was placed into two text files and released to the public through the hacker site Raidforums.
The hack, which took place back in June 2020, was carried out against the Ledger e-commerce database. The scale of the damage is yet to be fully understood, but luckily there was no financial information, crypto keys, or recovery phrases exposed during the attack, which will provide some relief for Ledger users.
Going forward, there are certainly concerns regarding the insecurities brought to light as a result of the attack. But what else can users do to safeguard their crypto data? One alternative would be to use a different secure cryptocurrency wallet, which is usually a USB stick, or to print the crypto keys onto paper and store the document somewhere secure. While this may seem extreme, this method is frequently used within the cryptocurrency community and is regarded as one of the most secure ways of storing keys.
What happened in the attack?
A recent statement released by Ledger confirmed they were still checking the details of the incident, but confessed that the data “could be the contents of our e-commerce database from June, 2020.” The leaked data was published on Raidforums and includes the names, physical addresses, phone numbers, and email addresses of a million different Ledger customers. The amount of data is quite staggering, and many feel Ledger should have addressed it more publicly, notably with a clear apology and some kind of plan to make reparations in some form to its customer base.
The attack hasn’t gone unnoticed by the cryptocurrency community, with many citing a statement made by cybersecurity site haveibeenpwned.com claiming that many of the addresses have already been compromised. It is understood that 69% of addresses listed on Raidforums, which were exposed to vulnerabilities back in June, have since been breached.
Aside from a string of tweets acknowledging the breach, Ledger also commented that they feel it would be “a massive understatement to say we sincerely regret this situation.” Ledger is a company that sells a unique security package to cryptocurrency users. The fact this data was hacked is shocking and something that must be addressed immediately.
What was leaked?
Ledger is a company that prides itself on not simply trusting things, but spending a notable amount of effort improving its security assets and improving every aspect of Ledger technology to ensure customers get the best service around. As with any blockchain-based business, Ledger invests a lot of time and money in trying to uncover any potential vulnerabilities in their system.
Fortunately, the attack targeted the marketing and e-commerce database, so only clients' personal information was affected rather than direct financial data. Nonetheless, the exposure is a poor reflection on a company that promises a first-rate security service.
Although no financial information was exposed, there were some 9,500 cases in which phone numbers, postal addresses and details of product purchases were made public. Ledger’s investigations have found that the attackers were able to access the database using an API key, which has since been disabled.
What’s next for Ledger customers?
Now that the dust has settled, Ledger customers will be wondering if their information was exposed and what it would mean if it has been. In a recent interview, Ledger VP of Marketing Benoit Pellevoizin warned Ledger customers about the possibility of phishing attacks, which are carried out all the time.
The fact that certain customers’ information is now available online means that those unfortunate enough to have been included in the leak will be exceptionally vulnerable to phishing attacks, as hackers only need a few more pieces of information to be able to carry out fraudulent practices.
As such, any customers who are asked to provide personal details via email or on the phone should act with great caution. This applies especially to the 24-word recovery phrase Ledger customers hold, which should never be shared with anyone, including Ledger employees. Moreover, Ledger has set up a dedicated page for users to report the details of any phishing attacks to help combat any mendacious activity.