Ledger Hack May Have Unintended Side Effects for Victims
On June 25, an unknown party accessed Ledger’s e-commerce database and stole up to 1 million records. The types of records stolen were names and email addresses. At the time, the attack went unnoticed. It wasn’t until July 14 that a whitehat hacker made the bug known through a bug bounty. At that point, Ledger retroactively noticed that the vulnerability had been exploited. Ledger immediately took action and notified its customers through an email. A much smaller subset of customer data containing physical addresses and phone numbers was also stolen. While no hack is a good hack, losing customer postal addresses may have unintended side effects.
Keegan Francis | Oct 13, 2020
The Implications of Losing Postal Addresses
In the event that customers’ postal addresses make it into the hands of organized crime, those customers could face real danger. This is because a couple of things can be assumed about the individuals.
- They bought a Ledger hardware wallet
- They are holding a non-zero balance of cryptocurrency
The one way to steal cryptocurrency from a hardware wallet is to access it directly. Hardware wallets are by far the safest way to hold cryptocurrency, as they are not connected to the internet. This fact significantly reduces your chances of having your cryptocurrency stolen. Unless someone knows where you and your device are, they are unable to steal your cryptocurrency.
This is precisely the problem with having customer postal information and phone numbers stolen. These two items are the ingredients for a wider-scale attack on the subset of Ledger users. With the phone number, attackers may try to break into exchanges or services that require two-factor authentication (2FA). With the postal address, attackers may visit the homes of these individuals directly and steal their cryptocurrency.
What Should Ledger Do?
In this situation, Ledger should notify the individuals whose postal addresses have been stolen. Just as they notified everyone who was compromised in the e-commerce hack, they should raise awareness among the individuals who face greater risk. The second thing that should be done is to notify the authorities and make sure they are aware that this vulnerability could lead to additional action taken by the attackers. Ledger is based in France, and they have begun to take the corrective action suggested above. On July 17, Ledger filed a report with France’s Data Protection Authority. On July 21, Ledger began working with Orange Cyberdefense to determine the best course of action for how to deal with this data breach.
In any reasonable person’s estimation, these are the best two steps that could have been taken by Ledger. It is always embarrassing when a company selling a secure device gets hacked. The very reputation of the company hinges on the belief that they can implement security properly across their platform. That being said, hackers are very intelligent and crafty individuals. Hacks happen to some of the biggest and best companies in the world. At the very least, when a hack does happen, we expect that the company owns up to it. We expect that they take the necessary actions required to remedy the situation and prevent unintended side effects.