Monday 4 January 2021 4:43 pm

Ledger customers exposed as personal data is leaked

The names, email addresses, home addresses and telephone numbers of 272,000 Ledger customers have been released online by hackers. In July 2020, cyber attackers gained access to the France-based crypto wallet company’s e-commerce database. It has recently been revealed that customers’ details were then dumped on Raidforum, a website for sharing information from hacked databases. 

Ledger’s CEO, Pascal Gauthier, released a statement apologising to customers, while assuring them that their crypto assets were safe. “This data breach has no link nor impact on our hardware wallets, the app or your funds. While very truly and sincerely regrettable, this breach concerns only e-commerce related information,” the statement reads. 

The information obtained allows hackers to conduct phishing scams by sending fraudulent marketing emails – as well as physical threats – to the company’s customers, in order to access crypto funds. 

Physical threats

The leak links those who purchased a ledger – on which they may have substantial holdings – with their home address. This puts many of Ledger’s users at risk of physical attacks. Crypto asset holders are uniquely vulnerable to physical threats because transactions are untraceable. The nature of this risk to Ledger’s customers is not only imminent, but long-lasting and potentially increasing. 

One bitcoin was valued at $10,400 in late 2017, when an armed robbery led to the death of a Bitcoin billionaire in Norway. “What if Bitcoin goes to $100,000 or $1m? Who may come knocking then?” said one Ledger user who wishes to remain anonymous. The customer also has concerns over the perpetuity of having his home address revealed. “It’s easy enough to abandon an email address or change a phone number, but a home address exists in the government paper trail, in a way that makes it next to impossible to hide. Anyone on that list can be found easily, not only today, but at any point in the future,” the source told Crypto AM. 

Another Ledger customer and founder of a DeFi company in London, who moved house due to physical threats received over his crypto holdings in 2019, expressed further safety concerns caused by the leak. “Ledger’s customer base is all over the world. In certain countries the likelihood of an armed robbery could be higher. Ledger does not have the expertise to tell people they are safe.”

Gauthier has downplayed the risk of physical attacks, suggesting that there is no way hackers can know both “how much crypto you own and where you live”. He also opined that breaking into someone’s house is a “very costly event” which would put hackers off. The leak, as well as Gauthier’s response, has left a sour taste for Ledger’s customers, who not only fear for their crypto holdings, but for the safety of their families. 

Cyber attacks

Cyber attacks on Ledger customers following the leak have ranged from phishing emails and texts requesting users to download malicious links, to threats of hackers coming to peoples’ homes unless they pay a ransom. Crypto AM spoke to a Ledger customer whose details were leaked and subsequently £60,000 worth of Bitcoin was stolen from his wallet. “My Ledger wallet was compromised in July and all funds were stolen. The hackers gained my contact information, including my email address, from the leak. They then accessed my Google Drive where I had screenshots of my 24 seeds (recovery phrase).” The value of the stolen crypto now stands at £160,000. While the Ledger user did store screenshots of his seeds on his Google Drive, the theft would not have been possible had his personal information not been leaked. 

Gauthier has dismissed the idea of reimbursing customers who had their personal data leaked online – including those who had their home addresses revealed. “When you have a data breach of this magnitude for such a small company, we won’t reimburse for a million users, all the devices, that’s just not possible.” The firm has reiterated that customers must not share their 24-word recovery phrase under any circumstances as it provides access to their crypto assets.

An issue for the crypto industry

Data leaks and scams are not unique to Ledger. With the crypto industry in an embryonic stage, many customers faced similar issues last year. A report published in November by CipherTrace, a blockchain forensics company, estimated that losses from thefts, hacks and frauds in 2020 were in excess of $1.8bn. 

One Ledger customer, whose personal details were leaked, has been the victim of hacks on multiple crypto platforms. “I had some tokens on KuCoin – they were stolen and then replaced. I also had coins taken from my MetaMask account. I went to Ledger because it was supposed to be safe, and then my personal details were all over the internet. I’m fairly tired of the whole thing. I’m thinking of leaving the industry because it’s all so stressful. This space is not ready for the average member of the public,” he told Crypto AM.

Influencers have long called for the mass adoption of cryptocurrencies by wider society. However, this Ledger hack is one of many case studies of consumers suffering the consequences of the industry’s inadequacies. While much of the damage of the leak cannot be undone, it must serve as a wake-up call to Pascal Gauthier and his fellow CEOs.

Liam Roche, journalist at Crypto AM covering new technologies and taking a deeper dive into the topics of the day.

The Getty Image will be here