A hacker has publicly leaked, on a hacking forum, lists of email addresses, contact numbers and personal addresses of cryptocurrency wallet owners stolen from Ledger.
Ledger is a hardware wallet used to store, manage, sell and transact cryptocurrencies. Funds held in Ledger wallets are secured by a 24-word recovery phrase and an optional secret passphrase known only to the owner of the account.
Ledger suffered a data breach in June 2020 after threat actors exploited a vulnerability in its website, allowing the hackers to access customers' personally identifiable information (PII).
Now, the hacker who took part in the breach has shared a compressed file archive containing two text files. One is an all-emails list, and the other contains customers' personal data believed to have been stolen in that earlier breach.
The email list contains 1,075,382 email addresses of people who subscribed to Ledger's newsletter. The other text file contains records for 272,853 people with much more sensitive customer information, including full names, home addresses and phone contact numbers. These are believed to be people who purchased a Ledger hardware device.
We have confirmed the leaked Ledger customer data as accurate, and Ledger has confirmed the database breach in a tweet.
This data leak puts customers at significant risk, because the exposed end users can be targeted with phishing attacks. Other hackers and threat actors can exploit their contact information and email addresses, resulting in fraud and financial loss.
Ledger users have been receiving spam and phishing emails since October 2020 that pretend to be a data breach disclosure message from the CEO of Ledger. The phishing emails instruct recipients to download an updated version of Ledger Live to help secure their cryptocurrency assets by changing to a new security PIN code.
If a user follows the instructions and installs the fake Ledger Live installer, they are prompted to enter the 24-word secret recovery phrase. The phrase they enter is then sent directly to the fraudsters, who can use it to steal the user's cryptocurrency assets.
Phishing scammers will target the addresses in the leaked email list, using social engineering tactics to trick users into giving up sensitive information such as security codes.
What can Ledger customers do about the situation?
Anyone who suspects that their email address and other personal information were leaked is advised never to enter their secret passphrase, passwords or security codes into any app or web page. These codes should only be used to access a Ledger hardware device that the customer is trying to recover.
If the account owner receives postal mail, they should not act on it or visit any website mentioned in the letter. Users are advised to contact Ledger support to verify the letter and avoid getting scammed.
With the leaked phone and contact numbers, hackers can attempt number transfer or SIM swap attacks on the mobile account. Users can contact their cellular provider and ask it to disable or block future number transfer requests.