Hardware wallet firm Ledger suffered data breach in June, says customer contact and order information compromised

Quick Take

  • On Wednesday, crypto hardware wallet firm Ledger detailed a data breach that occurred in late June.
  • The breach centered on its marketing and e-commerce database, resulting in the exposure of customer information including approximately 1 million email addresses.
  • Ledger said it patched the vulnerability, which was discovered by a researcher who participated in its bug bounty program. The vulnerability was reported on July 14.

Hardware wallet company Ledger said Wednesday that it suffered a data breach of its marketing and e-commerce database in late June.

Contact and order information for customers was exposed, but the firm said payment information and crypto funds were unaffected. Affected customers have now been notified via email, according to Ledger, which detailed the specifics behind the breach in a blog post published early Wednesday.

Ledger first learned of the vulnerability on July 14, when a researcher participating in the firm's bounty program got in touch about a potential breach on the Ledger website. Though Ledger said it immediately patched the vulnerability and opened an internal investigation, it found that the flaw had already been exploited weeks earlier, on June 25, when a third party accessed the marketing and e-commerce database using an API key that has since been deactivated.

Because the attack targeted the marketing and e-commerce database, the party or parties behind it could not access users' recovery phrases or private keys. Payment information, passwords and funds were not affected, and the breach is unrelated to Ledger's hardware wallets or Ledger Live security product, the company said.

However, the email addresses of approximately one million customers were compromised, as the firm's post noted:

"Solely contact and order details were involved. This is mostly the email address of approximately 1mln of our customers. Further to investigation, we have also been able to establish that a subset of them were also exposed: first and last name, postal address phone number and product(s) ordered."

"Your crypto assets are safe and are not in peril," Ledger said in its email to customers.

Because contact details were exposed, Ledger recommended that customers be mindful of phishing attempts and reiterated that it would never ask for users' recovery phrases.

In the blog post, Ledger said it is "extremely regretful" for the incident.

"We take privacy very seriously, we discovered this vulnerability thanks to our own bug bounty program, we fixed it immediately. But regardless of all what we did to avoid and fix this situation, we sincerely apologize for the inconvenience that this matter may cause you."

Two days after the researcher exposed the vulnerability, Ledger filed a report with France's Data Protection Authority, the CNIL, and by July 21, it had partnered with Orange Cyberdefense (OCD) to assess the potential damages and further identify breaches.

The firm is still keeping an eye out for evidence of the stolen data being sold on the internet, but said it has not found any reason to believe that's the case thus far. The OCD filed an initial report on July 24, but the investigation by CNIL is still ongoing. 

Editor's Note: The headline of this report has been updated for clarity.

© 2023 The Block. All Rights Reserved.