A user on crypto Twitter going by the handle ‘Jimmy McShill’ [@JimmyMcShill] posted screenshots of files that have been uploaded to forums, purportedly containing the ‘full database’ of Ledger customers’ emails, phone numbers, and addresses:
⚠️⚠️ Uhh shiit! A hacker is dumping the full @Ledger database dump for free on raidforums! Emails, phone numbers and addresses!
Get ready for a huge spam and phishing wave! #bitcoin #cryptcurrencies #phishing #security pic.twitter.com/XAQQHZ2wkW
— Jimmy McShill (@JimmyMcShill) December 20, 2020
Ledger responded, stating that they believe the data is from a previous breach and not a new attack:
“Today we were alerted to the dump of the contents of a Ledger customer database on Raidforum. We are still confirming, but early signs tell us that this indeed could be the contents of our e-commerce database from June, 2020.”
Is Ledger Safe?
If Ledger fails to keep personal information safe, can they really be trusted with digital assets? It is still unclear whether this is a new attack or the dumping of contents from the first attack which occurred in June 2020. At the time, it resulted in the exposure of as many as a million customer email addresses.
Following the breach, Ledger users were targeted by scammers and phishing attacks, some of which attempted to lure users into downloading fake Ledger software or revealing their key phrases. This indicates that the data had already been leaked, and the latest dump could be a new set of customer information.
The Block’s director of research, Larry Cermak, is of the opinion that this is much worse than the previous data breach as it contains physical addresses:
This Ledger leak is much much worse than I thought. Did some cross checks with people that have purchased Ledgers and the hit rate (anecdotally) is like 50%. The info includes home addresses as well as phone numbers.
— Larry Cermak (@lawmaster) December 20, 2020
CryptoPotato spoke to one Ledger victim, an industry researcher and journalist who requested to remain anonymous. According to the source, the device was accessed remotely and cleared out in late 2019 with several unauthorized transactions, resulting in the loss of around $16,000 at the time.
“The wallet was secured in a safe with the key phrase in another safe. Neither were broken into or accessed so I was dumbfounded to discover that the thing had been drained of all funds by three transactions I did not make.”
Realizing that there was little chance of recovering the losses, the victim contacted Ledger to try and find out how this could possibly have happened in order to warn others. The firm was unaccommodating, simply sending an apology and not even willing to investigate the fraudulent transactions.
With the leaking of more personal information, Ledger users should start to brace for an incoming maelstrom of attacks that could now start to target them personally.