Ledger Identifies 20,000 More Victims From Shopify Breach

Reading Time: 2 minutes
  • Ledger has confirmed a Shopify data breach that has added 20,000 victims to the 1.29 million known about from Ledger’s own hack
  • The Shopify hack was revealed in May but dismissed as “rumors” by the company
  • Two Shopify employees stole and sold customer data from over 100 companies

Cryptocurrency hardware wallet maker Ledger has confirmed a second and more potent data breach involving ecommerce service provider Shopify which takes the number of victims past 1.29 million. The shocking news comes seven months after Ledger dismissed as “rumours” the suggestion that Shopify customer data had been leaked and just three weeks after their own hack which saw the personal details of more than 272,000 published online.

Shopify’s Unwelcome Christmas Present to Ledger

Ledger revealed the news to customers through an email yesterday, announcing that Shopify had confirmed on December 23 that Ledger was among some 200 companies targeted by two rogue Shopify employees, who illegally downloaded their customer data for their own gain:

On December 23, 2020, Shopify, our e-commerce service provider, informed Ledger of an incident involving merchant data. Rogue agent(s) of their customer support team obtained Ledger customer transactional records in April and June 2020. This is related to the incident reported by Shopify in September 2020, which concerns more than 200 merchants, but until December 21, 2020, Shopify had not identified this affected Ledger as well.

In a series of tweets to support the email, Ledger revealed that the two leaked customer databases were “93% similar”, although the Shopify database contained 20,000 more customers whose full details had been exposed. This means that these people have been assuming for three weeks that they had not had their personal information exposed, when in fact they had.

Under the Breach Vindicated

Ledger’s confirmation that there was indeed a Shopify data breach vindicates the Twitter user who first uncovered the data dump back in May – cybercrime investigation and insight service Under The Breach:

At the time, Ledger dismissed this alleged data breach as “rumors”, adding that the published database “doesn’t match our real db (database)”. These dismissals look even worse now we know that it in fact contained 20,000 more individuals than their own database did.

For those affected by the two data breaches, we have put together a small guide as to what steps to take next.