Hardware wallet maker Ledger was hacked in June. Hackers gained access to a million emails and documents, but users’ financial data was not compromised.
Ledger announced that its marketing database was compromised last month, leading to the leak of a million emails and some personal documents. The attack did not affect the security of the wallets.
According to an article in the Ledger blog, on July 14, a researcher participating in the company’s product vulnerability bounty program reported a possible data breach. The company immediately eliminated the vulnerability and conducted an internal investigation. The security breach had occurred three weeks earlier, on June 25th. A third-party tool infiltrated the marketing and e-commerce database using an API key.
The attack was aimed only at the marketing database; hackers could not get access to users’ mnemonic phrases or the private keys of wallets. The company’s financial information was also not affected.
“Only contact information and order details were compromised. These are mainly the email addresses of about one million of our clients. During the investigation, we were also able to establish that the names and surnames, postal addresses, telephone numbers and information about the ordered products were compromised,” the company said.
In a statement to customers, Ledger CEO Pascal Gauthier said the company was “extremely sorry” about the incident. He warned users to be wary of phishing attempts:
“We take privacy very seriously. We discovered this vulnerability through our vulnerability search bounty program and fixed it right away. Regardless of everything we have done to avoid the incident and remedy the situation, we sincerely apologize for the inconvenience this may cause you.”
Ledger said the French Data Protection Authority (CNIL) was notified of the incident on July 16. The firm is also working with Orange Cyberdefense (OCD) to track possible online sales of the database. All affected users were notified of the issue today and the investigation is ongoing.
Recall that in May, a hacker put up for sale data allegedly stolen from buyers of three popular hardware wallets – Trezor, Ledger and KeepKey. At the time, Ledger issued a statement saying that the company “is serious about this issue and is investigating possible vulnerabilities.”