The hacker who breached hardware wallet provider Ledger’s marketing database earlier this year has disclosed personal information about thousands of users, leading many to threaten the company with a class action lawsuit.
According to a tweet from Alon Gal of network security firm Hudson Rock, a hacker allegedly behind the personal data breach at Ledger in June has made all the information they obtained available online. This reportedly includes 1,075,382 email addresses of users subscribed to the Ledger newsletter and 272,853 hardware wallet orders with information such as email addresses, physical addresses, and phone numbers.
WARNING: Threat actor just dumped @Global’s database that has been circling for a few months.
The database contains information such as emails, physical addresses, phone numbers and more information about 272,000 Ledger buyers and emails from 1,000,000 additional users. pic.twitter.com/Sv9cQwhuNy
– Alon Gal (Under the Breach) (@UnderTheBreach) December 20, 2020
“This leak poses a great risk to the people affected by it,” said Gal. “Individuals who have purchased a Ledger typically have a high net worth in cryptocurrencies and will now be more exposed to cyberbullying and physical harassment than before.”
Commenting on Twitter, Ledger said early signs appeared to confirm that the released information came from the June data breach, which compromised the personal data of many of its users. After news of the hack, many Ledger users indicated that they were the target of phishing attempts. Some said they received convincing-looking emails asking them to download a new version of the Ledger software.
“We are constantly working with law enforcement to prosecute hackers and stop these scammers,” said Ledger. “We have removed more than 170 phishing websites since the original breach.”
After months of reports of phishing attacks, many users were apparently unhappy with Ledger’s response.
“If lawyers want to start a class action lawsuit, many of us will certainly jump on board,” said Twitter user Ryan Olah. “This has now gotten 10,000x worse.”
I will be taking legal action against you very soon.
– a friendly duck. HODL (@DuckHodl) December 20, 2020
While users’ tokens are most likely not at risk of being siphoned from Ledger wallets, users could put their own money at risk by falling for phishing attempts sent to the affected emails or phone numbers. Many have reported that attackers have tried to deceive them into giving up their seeds, prompting Ledger to repeat:
“Never share the 24 words of your recovery phrase with anyone, even if they impersonate a Ledger representative. Ledger will never ask you for it. Ledger will never contact you via text or phone call.”
However, some Ledger users pointed out that phishing attacks are just one potential threat they face now that their physical addresses are public. People with large crypto holdings run the risk of being kidnapped and detained until they give up their tokens, as was the case with Singaporean entrepreneur Mark Cheng in January.
“This is a serious breach and I am concerned that people now have our addresses,” said Twitter user Paul Smith. “What is stopping them from knocking on our door? To be honest, saying sorry isn’t enough.”