- Crypto hardware wallet firm, Ledger, recently suffered a major security breach.
- The breach happened on June 25th, and hackers used the flaw that was only discovered on July 14th.
- Ledger patched the flaw, notified the authorities, and is now working on confirming whether the data was sold.
One of the best crypto hardware wallets, Ledger, recently suffered a security breach that resulted in a massive theft of sensitive data from its database. The theft actually took place last month, but the company only discovered it later on.
Ledger’s database hacked
As mentioned, the breach resulted in a leak of a million emails, but also some personal documents. Fortunately, however, hackers were unable to affect user funds, thanks to advanced security measures that protect users in such scenarios.
Attackers were unable to reach recovery phrases or private keys of Ledger wallet users, as they only targeted the company’s e-commerce and marketing database.
Meanwhile, financial data, such as passwords, payment info, and the funds themselves, were also not affected. In fact, the company claims that the breach was completely unrelated to Ledger hardware, or Ledger Live.
Only order and contact details were hit, but even so, around 1 million customers were affected. The stolen information includes emails, first and last names, product orders, as well as phone numbers, and postal addresses.
The flaw was discovered three weeks after the attack
The issue was originally found and reported by a researcher who participated in a bug bounty program. This took place on July 14th, and Ledger created a patch for it. However, in studying the issue, the company discovered a breach that used this exact flaw, but by the time the flaw was discovered, the breach had already happened.
In fact, the breach itself took place on June 25th — nearly three weeks before the discovery of the bug.
As soon as the discovery was made, Ledger fixed the flaw, and it notified France’s Data Protection Authority, the CNIL, on July 16th.
The company’s CEO, Pascal Gauthier, apologized to the clients about the incident. He also warned users that the hack may result in a wave of phishing attacks. For now, the company is trying to track down the data and confirm whether or not it was already sold online.