Ledger user data leaked again

Hardware wallet manufacturer Ledger has suffered another massive data breach for the second time this year. The exposure of thousands of clients’ personal information has increased the threat of SIM swapping as an attack vector.

For the second time this year, personal data from Ledger wallet buyers has been dumped online. The leak was posted by several members of the crypto community who found files allegedly containing the ‘full database’ of Ledger customers containing emails, phone numbers, and even physical addresses.

Major data leak

Ledger published a statement on Twitter, claiming it was old data from the June 2020 server breach.

A wave of phishing attacks followed the breach from June. Ledger originally claimed that only around 9’500 users were affected, but it now turns out to be as many as 270’000. Industry researchers called it “unforgivable”. Hasu, Writer for Deribit Insights, said that “you simply can’t sell hardware wallets and store the personal information of your customers on an online server.” In order to make Ledger take physical security more seriously, he recommended cutting off business with them completely.

Analyst Larry Cermak, Director of Research for The Block, said this latest leak was “much much worse” than the last;

There is also now an inherent danger that SIM swapping attacks will be used to target Ledger customers now that their phone numbers and addresses have been leaked.

What is SIM swapping and how to avoid it?

SIM swapping occurs when an attacker contacts the victim’s wireless/mobile carrier and is able to convince the call center employee that they are the victim using stolen personal data. With an arsenal of new data including email addresses, the phone number itself, and even physical addresses for Ledger users, this would be relatively easy to pull off for cybercriminals.

The attacker then asks the provider to activate a new SIM card connected to the victim’s phone number on a new phone in their possession. With this, they can access the 2FA security measures used by Ledger devices and crypto exchanges. What happens next is inevitable — an emptied hardware wallet.

Industry analyst Alex Krüger has warned of an impending wave of SIM swapping attacks following the Ledger leak. Since phone numbers were leaked and smartphones are normally used to authenticate transactions, the fallout could be devastating;

The U.S. Federal Trade Commission issued a warning and prevention guide which includes suggestions on limiting the sharing of personal information. However, when companies that are trusted with security cannot secure data themselves, what hope has the consumer got? As a number of Ledger users have painfully found out, crypto-assets can be easily stolen from hardware wallets. The victims are left to suffer alone when it happens as there is usually little-to-no recourse whatsoever from the manufacturers.


About the author

CVJ.CH Content Partner BeInCrypto

BeInCrypto is a news website founded in August 2018 that specializes in cryptographic technology, privacy, fintech, and the Internet — among other related topics. The primary goal is to inject transparency into an industry rife with disingenuous reporting, unlabeled sponsored articles, and paid news masquerading as honest journalism.