Hardware wallet maker Ledger added an additional 20,000 customers to its list of data breach victims, bringing the total to 292,000. The company today released a detailed report on the incident, including the steps it is taking to prevent similar situations from happening in the future.
According to Ledger, the leak occurred from April to June 2020 and was caused by malicious employees of the online store Shopify, which the company used to distribute its wallets. Attackers used access to the store’s API to steal data from Shopify customers, including hardware wallet buyers.
On July 14, 2020, Ledger received notification of a leak of a million email addresses and 10,000 personal data records, including postal addresses, names and phone numbers. In the months that followed, Ledger customers reported receiving phishing emails and threats, with a number of them claiming to have never used Shopify. It is also known about several attacks with the substitution of SIM cards in order to steal cryptocurrency assets from their owners.
However, until December 2020, the company did not know that 272,000 customer records were leaked. Investigations revealed that the attack was even larger than anticipated at the time. Shopify claims this is the same leak it reported in September 2020, but the store itself didn’t know until December that the victims were Ledger customers.
Ledger said it is working with law enforcement and blockchain analysts, including Chainalysis, to find the attacker, and has set up a 10 bitcoin fund as a reward “for information leading to a successful arrest and prosecution.” The company said it contacted newly discovered victims of the attack on January 13.
Ledger emphasizes that it will never ask customers to disclose the 24-word wallet recovery phrase. If the client keeps it secret, nothing threatens his hardware wallet, the publication says. A new product is coming soon that will provide customers with additional protection in case they reveal a phrase to restore access to an attacker.
“We recognize this problem and will soon present a technical solution that will eliminate 24 words as the only security pillar of our hardware wallets and will also open the door for funds insurance,” the company explained.
In addition, Ledger will update the way we handle personal data and will try to “completely delete” it as soon as possible, and also encourage its partners to do so. She says she will delete customer information even if the General Data Protection Regulation (GDPR) allows it to be stored for a longer period.
“However, we will have to store some data to fulfill legal obligations, including accounting and taxes. This data will be further separated to restrict access, ”writes Ledger.
Stay in touch! Subscribe to Cryptocurrency.Tech in Telegram.
Discuss current news and events at the Forum