Anyone who invests in cryptocurrencies such as Bitcoin, Chainlink or Ethereum eventually has to choose a suitable way to store their coins. Alongside the widely used devices from Trezor, the hardware wallets from Ledger in particular have a large following. So far these devices have had a clean record and have often received top marks. But as the French company has now announced, an attacker exploited a vulnerability to steal roughly a million customer records. What does this mean for users?
Companies typically spend considerable sums on ethical hackers to find security gaps in their own IT. Ledger, too, runs a bug bounty programme that rewards researchers who report such gaps. According to the company, a researcher reported one such hole on July 14, 2020: a potential data breach via the Ledger website.
As the company has now announced, the vulnerability was closed immediately after it was reported and then analysed in detail in an internal investigation. In doing so, Ledger found that the vulnerability had already been exploited by an attacker on June 25, 2020, almost three weeks before the patch. The attacker gained access to the e-commerce and marketing database.
The attacker thus had access to the marketing database, which is used above all to send order confirmations and promotional emails and which stores customers' contact details and email addresses. Accordingly, the attacker now holds user data such as names, postal addresses, email addresses and telephone numbers. Payment information, by contrast, was not held on the affected server, so account and card details are considered safe.
For reasons of transparency, Ledger decided to publish the attack promptly. An important part of the public statement concerns the question of how the attack was possible at all. The root cause was an API key that gave access to the e-commerce and marketing database and that the attacker was able to use to query customer data. Ledger has since closed this gap and put additional protection in place.
What personal information has the attacker obtained from Ledger?
Essentially, the attacker obtained order and contact details. The main concern is customers' email addresses: according to Ledger's official figures, roughly one million email addresses could be affected.
For around 9,500 customers, further information such as postal address, telephone number and ordered products was also exposed. For safety's sake, Ledger has decided to inform all customers about the breach; the more severely affected users are to receive an additional notice with specific details. The attack involves personal contact information only. Sensitive payment data and passwords are not affected.
Ledger further notes that the attack has no effect on the Ledger Nano hardware wallets. Ledger Live and customers' assets remain safe and were never at risk: the private keys are generated and kept on the device and never reach Ledger's systems, so they are solely in the hands of the end user.
What measures has Ledger taken?
Ledger closed the vulnerability as soon as it became known. Although only contact data was involved, the company decided to conduct an internal investigation and brought in external third parties, who examined the attack in detail. Customers were informed only once the investigation was complete.
A researcher participating in our bounty program made us aware of a potential data breach in our marketing database.
We immediately investigated and fixed it.
Your payment information and crypto funds are safe.
More details: https://t.co/dpnI2tdfmO
– Ledger (@Ledger) July 29, 2020
Ledger has also notified the French data protection authority (CNIL), as the EU GDPR requires for a breach of personal data. On July 21 the company additionally engaged Orange Cyberdefense to assess the damage and determine the extent of the breach.
In the course of that investigation, Orange Cyberdefense and Ledger's security team determined that only the data described above was affected. The team is also monitoring whether the stolen customer data is being offered for sale on the Internet; so far there is no official confirmation of this.
Ledger has further decided to extend its security and organisational programme, which originally focused on the products, to its e-commerce systems. It has also filed a formal complaint with the responsible authorities to speed up the investigation.
Finally, Ledger Live is to play a bigger role in protecting users' privacy: the companion app for the Nano is to become the main channel for information and product developments.
What can the affected users do now?
The first and most important step for affected users is to stay alert. Attackers are very likely to launch phishing attempts, so everyone affected should become more familiar with how to recognise fake emails.
If users receive dubious requests asking for their 24-word recovery phrase, they should not respond: neither Ledger nor its support staff will ever ask for it.
Ledger also advises users to visit the security section of the Ledger Academy to brush up on general security principles. The company has officially apologised to its users and hopes that its bug bounty programme will help it identify such risks earlier. Customer support remains available for questions.
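As an added illustration of the advice above (this is example code written for this article, not a tool from Ledger), the following Python script screens a raw email for the three tell-tale signs of a post-breach phishing attempt: a sender or Reply-To address outside the vendor's real domains, links that lead somewhere else, and any mention of the recovery phrase. The trusted-domain list and both sample emails are assumptions constructed for the example; a real tool would also use the public suffix list instead of the two-label shortcut used here.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains the real vendor sends from. This list is an assumption for the example;
# verify it against the vendor's own published information before relying on it.
TRUSTED_DOMAINS = {"ledger.com", "ledger.fr"}

# Wording a legitimate vendor never uses: nobody needs your recovery phrase.
SEED_PATTERNS = [
    r"\b24[\s-]*words?\b",
    r"\brecovery\s+phrase\b",
    r"\bseed\s+phrase\b",
    r"\bmnemonic\b",
]

URL_RE = re.compile(r"""https?://[^\s<>"')]+""", re.IGNORECASE)


def _registrable(host):
    """Reduce 'shop.ledger.com' to 'ledger.com' (last two labels).

    Simplification for the example: fine for .com/.fr, but a real tool would use
    the public suffix list to handle suffixes such as 'co.uk'.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def _domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _text_body(msg):
    """Concatenate the decoded text/* parts of a (possibly multipart) message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type().startswith("text/"):
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def phishing_indicators(raw_email):
    """Return a list of phishing indicators found in a raw RFC 5322 message."""
    msg = message_from_string(raw_email)
    found = []

    # 1. Is the visible sender really one of the vendor's domains?
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain_of(from_addr)
    if _registrable(from_domain) not in TRUSTED_DOMAINS:
        found.append(f"sender domain is not trusted: {from_domain or '(none)'}")

    # 2. Does a Reply-To header redirect answers elsewhere?
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain_of(reply_to) != from_domain:
        found.append(f"Reply-To points to a different domain: {_domain_of(reply_to)}")

    # 3. Do the links in the body leave the vendor's domains?
    body = _text_body(msg)
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if _registrable(host) not in TRUSTED_DOMAINS:
            found.append(f"link leads to an untrusted host: {host}")

    # 4. Does the message bring up the recovery phrase at all?
    for pattern in SEED_PATTERNS:
        if re.search(pattern, body, re.IGNORECASE):
            found.append("message asks about the recovery phrase")
            break

    return found


# Constructed sample emails (not real messages).
PHISHING_SAMPLE = """\
From: "Ledger Support" <support@ledger-wallet-security.com>
Reply-To: help@ledger-verify.net
To: customer@example.org
Subject: Urgent: your Ledger wallet has been compromised
Content-Type: text/plain; charset=utf-8

Dear customer,

Your device has been affected by a data breach. To secure your assets,
please confirm your 24-word recovery phrase at
http://ledger-verify.net/restore within 24 hours.
"""

LEGIT_SAMPLE = """\
From: Ledger <noreply@ledger.com>
To: customer@example.org
Subject: Your order has shipped
Content-Type: text/plain; charset=utf-8

Your order has shipped. Track it at https://shop.ledger.com/account
or contact support from within the app.
"""

if __name__ == "__main__":
    for name, sample in (("phishing", PHISHING_SAMPLE), ("legitimate", LEGIT_SAMPLE)):
        print(f"{name}: {phishing_indicators(sample) or ['no indicators']}")
```

The script deliberately flags the recovery-phrase wording on its own, regardless of sender or links: a message that talks about the 24 words is suspect even when every other header looks right, because the phrase is never needed for support, shipping or security updates.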
Conclusion: Attack on Ledger is a debacle for the wallet manufacturer
The attack on Ledger is a disaster for the company and could weigh on customer confidence in the long term. But the situation is not only a challenge for Ledger: its customers are now exposed to an increased risk, since the attacker holds their email addresses and can use them to launch phishing attacks.
The official apology and the thorough investigation of the error are sensible first steps towards regaining customers' trust. The bounty programme is also a useful way to raise the overall security of the platform.
In my view, the company's response deserves a good rating. Setting up an investigation was a good step towards identifying vulnerabilities, and the extended security programme is meant to ensure that errors of this kind do not happen again.