On July 29, Bitcoin hardware wallet maker Ledger noted a breach that affected the emails and ecommerce documents of one million customers last month. Fortunately, according to the firm, the breach did not affect customers’ funds.
Hackers were able to access the firm’s e-commerce database, leaking one million emails and some personal documents.
The firm said the hackers focused on its marketing and e-commerce database, so they could not access the recovery phrases or private keys of customers. The hackers were only able to access contact and order details.
“Further to investigating the situation we have also been able to establish that, for a subset of 9500 customers were also exposed, such as first and last name, postal address, phone number or ordered products.”
The breach did not involve all financial information, including payment information, passwords, and funds. It had nothing to do with the firm’s hardware wallets or its Ledger Live security product.
The issue was first flagged on July 14 by a researcher who was involved in the firm’s bug bounty program. After they were able to patch the problem, they later realized that the breach had happened on June 25.
Ledger informed the French Data Protection Authority (CNIL) about the issue on July 17. CNIL enforces the application of data privacy law to the collection, storage, and usage of personal data.
The firm partnered with Orange Cyberdefense on July 21 towards an assessment of possible damage from the data breach and identification of possible data breaches. The hacker used an API key via a third-party tool to access the marketing and e-commerce database.
The firm’s CEO Pascal Gauthier cautioned customers regarding phishing attempts. They have informed affected customers regarding the breach and the investigation continues.
“We are actively monitoring for evidence of the database being sold on the internet, and have found none thus far. We also performed an internal penetration testing and we are pushing forward the external penetration testing that was originally planned for September.”