Recent security setbacks not a reflection of Ledger’s wallet security, assures Charles Guillemet
Ledger recently reported a breach of the company’s customer contact database and a wallet vulnerability that put customers’ Bitcoin at risk. This incident is just one of many in what appears to be a tough stretch for Ledger. Charles Guillemet, the Chief Technology Officer of Ledger, addressed users’ security concerns in an interview with CoinTelegraph.
The breach, dating back to June and July 2020, was caused by a third party’s API key that was misconfigured on Ledger’s website. One million email addresses were leaked; of the affected customers, 9,500 also had other private data leaked, such as their phone numbers and names. Ledger discovered the vulnerability based on a tip on July 14 and fixed the issue on the same day.
The CTO explained that the breach let an attacker access a portion of Ledger’s e-commerce and marketing database, which allowed unauthorised access to customers’ contact details and order data. However, sensitive financial information, including payment information, credentials and crypto funds, was not compromised, he said.
“This data breach has no link nor impact on our hardware wallets and the Ledger Live application,” Guillemet emphasised. “Customer crypto assets have always been safe and are not in peril,” he explained, adding that Ledger’s device makeup enables users to have complete control over their funds.
Not even a month after the data breach, a software vulnerability surfaced in Ledger that provided a bridge between Bitcoin and its various forks, such as Litecoin. This flaw could allow attackers to make a transaction appear to be associated with one asset while the confirmation on the device actually approved a separate transaction for a different asset, without the wallet owner’s consent. Ledger issued a software update correcting the issue on the same day.
Ledger later clarified that a bounty hunter found the vulnerability and added, “We’d like to assure you that this vulnerability cannot be used to obtain sensitive data like your private keys or recovery phrase.”
Guillemet explained that Ledger’s wallets provide parameters for enhanced security and that users must also follow best practices and exercise due caution to ensure complete protection. “We’re most worried about phishing attempts — emails from scammers pretending to be us,” stated Guillemet.
“We’ll never ask our clients for the 24 words of their recovery phrase,” Guillemet added. He further urged customers to use two-factor authentication, while also pointing to the educational information on security found on Ledger’s website.