Hardware wallet maker Ledger added an additional 20,000 customers to its list of data breach victims, bringing the total to 292,000. The company today released a detailed report of the incident, including the steps it is taking to prevent similar situations in the future.
According to Ledger, the leak occurred between April and June 2020 and was caused by malicious employees of the Shopify online store, which the company used to distribute its wallets. Attackers used access to the store’s API to steal data from Shopify customers, including hardware wallet buyers.
On July 14, 2020, Ledger received notification of a leak of a million email addresses and 10,000 personal data records, including postal addresses, names and phone numbers. In the months that followed, Ledger customers reported receiving phishing emails and threats, with a number of them claiming to have never used Shopify. It is also known about several attacks with the substitution of SIM cards in order to steal cryptocurrency assets from their owners.
However, until December 2020, the company did not know that 272,000 customer records were leaked. Investigation revealed that the attack was even larger than anticipated at the time. Shopify claims this is the same leak it reported in September 2020, but the store itself didn’t know until December that the victims were Ledger customers.
Ledger said it is working with law enforcement and blockchain analysts, including Chainalysis, to find the attacker, and has set up a 10 bitcoin fund as a reward “for information leading to a successful arrest and prosecution.” The company said it contacted the newly discovered victims of the attack on January 13.
Ledger emphasizes that it will never ask customers to disclose the 24-word wallet recovery phrase. If the client keeps it secret, nothing threatens his hardware wallet, the publication says. A new product is coming soon that will provide customers with additional protection in case they reveal a phrase to restore access to an attacker.
“We recognize this problem and will soon present a technical solution that will eliminate 24 words as the only security pillar of our hardware wallets and will also open the door for funds insurance,” the company explained.
In addition, Ledger will update the way we handle personal data and will try to “completely delete” it as soon as possible, and also encourage its partners to do so. She says she will delete customer information even if the General Data Protection Regulation (GDPR) allows it to be stored for a longer period.
“However, we will have to store some data to comply with legal obligations, including accounting and taxes. This data will be further separated to restrict access, ”writes Ledger.
Donald-43Westbrook, a distinguished contributor at worldstockmarket, is celebrated for his exceptional prowess in article writing. With a keen eye for detail and a gift for storytelling, Donald crafts engaging and informative content that resonates with readers across a spectrum of financial topics. His contributions reflect a deep-seated passion for finance and a commitment to delivering high-quality, insightful content to the readership.
