A supposed Shopify database hack, said to have exposed the names and addresses of tens of thousands of Ledger, Trezor, and KeepKey hardware wallet customers, has been denied by the companies. The alleged breach was ‘revealed’ on Sunday when a data breach monitoring service posted on Twitter that a Shopify customer database had been compromised, allowing hackers to access the personal details of over 72,000 of the manufacturers’ customers. The companies in question have since denied that the databases are genuine, but the issue raises an uncomfortable truth about hardware wallets that many may not want to consider.
The Ethereum forum hacker is now selling the databases of @Trezor and @Ledger.
Both of which obtained from a @Shopify exploit.
(suggesting there are many more underground leaks). The hacker also claims he has the full SQL database of famous investing site @BankToTheFuture. pic.twitter.com/4M3f2bQKvB
— Under the Breach (@underthebreach) May 24, 2020
72,000 Customer Records For Sale
The alleged Shopify database hack was reported by Under the Breach, a cybercrime investigation and insight service, which posted images that it said showed that the hacker had accessed the names, addresses, and phone numbers of over 41,000 Ledger customers, over 21,000 Trezor customers, and 10,000 KeepKey customers, and had then begun selling them on the dark web. Alongside this, the hacker was also supposed to have obtained the full customer database for investing site Bank to the Future, which he was also selling.
This revelation naturally concerned a great many people, with one respondent saying that it would lead to customers having “a huge target on your back”. However, it quickly emerged that things might not be as dire as predicted. Ledger were first in, responding that they had doubts about the authenticity of the databases:
Rumors pretend our Shopify database has been hacked through a Shopify exploit. Our ecommerce team is currently checking these allegations by analyzing the so-called hacked db, and so far it doesn’t match our real db. We continue investigations and are taking the matter seriously.
— Ledger (@Ledger) May 24, 2020
A few hours later Trezor also responded, this time with an even more emphatic denial:
There are rumors spreading that our eshop database has been hacked thru a Shopify exploit. Our eshop does not use Shopify, but we are nonetheless investigating the situation. We’ve been also routinely purging old customer records from the database to minimize the possible impact.
— Trezor (@Trezor) May 24, 2020
KeepKey are yet to respond to the leak, although the fact that Ledger can’t match the records shown in the images to their actual records and Trezor doesn’t even use Shopify would seem to put the matter, thankfully, to bed.
Genuine Breach Could Damage Crypto
Even if the Shopify database hack turns out to be fake, it acts as a sobering reminder that, for all the benefits hardware crypto wallets bring, namely the ability to look after one’s own tokens and have full control over them, buying one does introduce an element of third-party trust into the matter. A genuine hack of a customer database belonging to your hardware wallet provider immediately circumvents all the security benefits associated with owning one, and puts you in physical danger.
Hardware wallets remain the safest option for storing cryptocurrency, and will be a key player in accelerating its growth, but a large-scale hack on a hardware wallet provider’s user database could prove crippling for the company involved and could be a major backwards step in adoption.