Ledger confirms data breach that exposed user contact
Sensitive financial information and crypto assets are safe, assures Ledger
Popular hardware wallet firm Ledger has admitted to a data breach of its marketing and e-commerce databases in June and July this year.
In a blog post titled “Addressing the July 2020 e-commerce and marketing data breach — A Message From Ledger’s Leadership,” the crypto wallet firm stated that the company had recently discovered that an unauthorized third party had gained access to specific databases in late June due to a breach.
Ledger reassured users that their payment information, crypto funds, and other financial details were safe and that only contact details used to send promotional emails had been compromised.
The blog post, released on Ledger’s official page today, explained that the data breach was identified by a researcher working on the company’s bounty program in the second week of July. An internal investigation into the breach revealed unauthorised third-party access to specific sections of Ledger’s e-commerce and marketing databases on June 25, 2020.
The accessed sections contained mostly email addresses, with a subset also including contact and order details such as first and last name, postal address, email address and phone numbers, the blog said. The unauthorised access was achieved through an API key that has since been deactivated, Ledger confirmed.
Ledger estimates that approximately one million email addresses of the crypto wallet users and additional information on a subset of 9,500 customers were exposed due to the data breach. The hardware wallet firm reassured users that no payment information or credentials were accessed by the unauthorised party. It further stated that the breach had no impact whatsoever on Ledger’s hardware wallets, Ledger Live security and users’ crypto assets, all of which are safe and have never been compromised.
CNIL, the French Data Protection Authority, which ensures that data privacy law is applied to the collection, storage and use of personal data, has been alerted to the data breach at Ledger.
Last week, Ledger partnered with Orange Cyberdefense to assess damages caused by the data breach and actively attempt to identify any other weak links that may lead to data breaches in the future.
“We are extremely regretful for this incident. We take privacy very seriously, we discovered this issue thanks to our own bug bounty program, we fixed it immediately. But regardless of all that we did to avoid and fix this situation, we sincerely apologise for the inconvenience that this matter may cause you,” the company has said.
Ledger is also searching for evidence of the database being sold on the internet, and has found none thus far.