Ledger Data Breaches – a Timeline

  • Ledger fell victim to two data breaches in 2020
  • Ledger itself was hacked while ecommerce provider Shopify was also targeted
  • We break down the two Ledger data breaches and what has happened with them

Yesterday’s announcement by Ledger that it had been made aware of 20,000 more victims of a data breach that took place early last year has added confusion to what was already a pretty confusing scenario regarding the hardware wallet maker. There are now two different Ledger data breaches in play from 2020, so we have put together a timeline to show exactly what has happened with each.

May 24, 2020 – Cybercrime investigation and insight service Under the Breach reports that a hacker has obtained customer details from hundreds of Shopify clients, including Ledger and Trezor.

Ledger denies the leak, dismissing it as “rumors spreading” and saying that the data from the hack doesn’t match its own records. Trezor says that it doesn’t use Shopify.

June 25, 2020 – Ledger suffers a hack on its e-commerce and marketing database through a misconfigured API key, with a tranche of customer data stolen. Ledger will not find out about this breach for another month.

July 29, 2020 – Ledger acknowledges the breach, saying that it was discovered by a bug bounty hunter on July 14. One million customer email addresses were stolen, alongside a subset of 9,500 customers who also saw full names, postal addresses, and telephone numbers stolen.

September 23, 2020 – Shopify admits that two of its customer service representatives stole customer data from over 100 selected clients for personal gain. The clients are not named.

December 20, 2020 – The customer data stolen in the June Ledger breach is dumped unencrypted on a forum. The data dump consists of significantly more user details than previously thought, with 272,000 customers having their names, addresses, and phone numbers leaked, alongside the one million email addresses.

December 23, 2020 – Ledger is informed by Shopify that they were indeed targeted by the rogue customer service representatives in May and that the stolen database includes the full personal and contact details of 20,000 further victims.

January 13, 2021 – Having held onto the data for three weeks, Ledger informs the 292,000 customers whose full personal details were leaked that they are now on a second leaked database.

Ledger in Firefighting Mode

Ledger says it has taken all the steps it can to reduce the chances of further hacks, but the damage has already been done. The Shopify data breach wasn’t their fault, but they reacted badly by dismissing what turned out to be a huge security event, and the mismanaged API key that led to their own in-house hack was simply inexcusable.

Once considered the leader in the cryptocurrency hardware wallet space, Ledger has seen its reputation suffer potentially irreparable damage from the data breaches, allowing competitors like Trezor to steal a march on it.