- The database of Ledger hack victims, which includes the physical addresses of over 250,000 customers, has been publicly dumped on a hacker forum
- The Ledger hack took place in June with the details selling for six figures
- Ledger acknowledged that the information was genuine and could now face lawsuits
The Ledger hack database containing the personal details of over 250,000 customers and over a million newsletter subscribers’ email addresses has been publicly leaked months after it first emerged on the dark web. The list had been trading hands for huge sums ever since its emergence earlier in the year, resulting in affected users being inundated with emails, phone calls, and SMS messages, but the list going public brings with it a whole new level of risk for affected customers.
Ledger Hack Details Freely Available
News of the Ledger hack public dump came via data breach monitoring site Under the Breach, who Tweeted about it late Sunday:
ALERT: Threat actor just dumped @Ledger‘s database which have been circling around for the past few months.
The database contains information such as Emails, Physical Addresses, Phone numbers and more information on over 250,000 Ledger buyers and Emails of 1,000,000 additional users. pic.twitter.com/Sv9cQwhuNy
— Alon Gal (Under the Breach) (@UnderTheBreach) December 20, 2020
Data breach alert site ‘have i been pwned?’ picked up the news and added it to their database, altering subscribers to the release of their personal details, which included the physical addresses, email addresses, and phone numbers of Ledger website customers. Ledger confirmed that the data was real in a tweet of their own which only addressed the potential cyber-attacks and not the physical attacks that users are suddenly now vulnerable to:
Today we were alerted to the dump of the contents of a Ledger customer database on Raidforum. We are still confirming, but early signs tell us that this indeed could be the contents of our e-commerce database from June, 2020.
— Ledger (@Ledger) December 20, 2020
In the tweet thread, Ledger said that it was a “massive understatement to say we sincerely regret this situation” and that they were working with French authorities to try and track down the perpetrators. This was scant relief for affected users:
No you are under reacting. Someone could easily get murdered or kidnapped as a result of this info
— rand0mguest2 (@Rand0mGuest2) December 21, 2020
How the hell is a company associated with the blockchain space unable to keep our data secure? The entire point of the industry you serve is privacy and and security and you failed at both.
Class action lawsuit inbound….
— Janus (@PinnaclePrimate) December 20, 2020
Security Advice Offered by Crypto OGs
The actual Ledger hack took place in June but was only realized in July when a bug bounty hunter discovered that an “unauthorized third party” had managed to breach the company’s cybersecurity defenses and made off with the prized data. The database has been exchanging hands for six figure sums ever since, according to replies on the Raidforums site, with the public dump wiping out any money making potential from the data.
Ledger hack victims were quick to seek advice on how to protect themselves going forward, with cryptocurrency OG @notsofast giving a great rundown of next steps to take if you are in the list:
Steps you can take if you find your full name, address, and main phone number in the @Ledger data dump:
1. Immediately get a new phone number as your main. Use a different email address than the compromised one to let people know. Sorry, this is arduous.
— notsofast (@notsofast) December 20, 2020
Talk of a class action lawsuit against Ledger had been rumbling ever since news broke in July, but with the list now made public the chances of legal action have intensified.