A hacker, who breached hardware wallet provider Ledger’s marketing database earlier this year, has released personal data for thousands of users by prompting many to threaten the firm with a class-action lawsuit.
It has been reported that the hacker has made all the information they obtained available online. This reportedly includes 1,075,382 e-mail addresses from users subscribed to the Ledger newsletter, and 272,853 hardware wallet orders with information including e-mail addresses, physical addresses, and phone numbers.
ALERT: Threat actor just dumped @Ledger's database which have been circling around for the past few months. The database contains information such as Emails, Physical Addresses, Phone numbers and more information on 272,000 Ledger buyers and Emails of 1,000,000 additional users. pic.twitter.com/Sv9cQwhuNy — Alon Gal (Under the Breach) (@UnderTheBreach) December 20, 2020
“This leak holds major risk to the people affected by it. Individuals who purchased a Ledger tend to have high net worth in cryptocurrencies and will now be subject to both cyber harassments as well as physical harassments in a larger scale than experienced before.”
However, Ledger said that “early signs” seemed to confirm that the released information was from the June data breach that compromised the personal data of many of its users.
After news of the hack, many Ledger users reported being targeted through phishing attempts. Some said they received convincing-looking e-mails asking them to download a new version of the Ledger software.
“We are continuously working with law enforcement to prosecute hackers and stop these scammers. We have taken down more than 170 phishing websites since the original breach.”
It has been analyzed that after experiencing months of reports on phishing attacks, many users were seemingly unsatisfied with Ledger’s response.
Twitter user Ryan Olah said:
“If any lawyers want to start a class action suit, I’m sure many of us will jump on board. This has just gotten 10,000x worse now.”
Users could potentially compromise their own funds by falling for such phishing attempts sent to the affected emails or phone numbers, though someone’s tokens are most likely not in danger of being siphoned out of Ledger wallets.
Many have reported that such attacks have been trying to trick them into giving up their seed phrases, prompting Ledger to reiterate:
“Never share the 24 words of your recovery phrase with anyone, even if they are pretending to be a representative of Ledger. Ledger will never ask you for them. Ledger will never contact you via text messages or phone call.”
Also, some Ledger users pointed out that phishing attacks are just one possible threat they may face now that their physical addresses are public. People with a large amount of crypto holdings run the risk of being kidnapped and held until they give up their tokens, as was the case with Singaporean entrepreneur Mark Cheng in January.
Thus, Twitter user Paul Smith said:
“This is a serious breach and I am concerned that people now have our addresses. What’s stopping them from knocking on our doors? Saying sorry, frankly, isn’t enough.”