Addressing the July 2020 e-commerce and marketing data breach — A Message From Ledger’s LeadershipSecurity
On the 14th of July 2020, a researcher participating in our bounty program made us aware of a potential data breach on the Ledger website. We immediately fixed this breach after receiving the researcher’s report and underwent an internal investigation. A week after patching the breach, we discovered It had been further exploited on the 25th of June 2020, by an unauthorized third party who accessed our e-commerce and marketing database – used to send order confirmations and promotional emails – consisting mostly of email addresses, but with a subset including also contact and order details such as first and last name, postal address, email address and phone number. Your payment information and crypto funds are safe.
To be as transparent as possible, we want to explain what happened. An unauthorized third party had access to a portion of our e-commerce and marketing database through an API Key. The API key has been deactivated and is no longer accessible.
What personal information was involved?
Contact and order details were involved. This is mostly the email address of our customers, approximately 1M addresses. Further to investigating the situation we have also been able to establish that, for a subset of 9500 customers were also exposed, such as first and last name, postal address, phone number or ordered products. Due to the scope of this breach and our commitment to our customers, we have decided to inform all of our customers about this situation.
Those 9500 customers whose detailed personal information are exposed will receive a dedicated email today to share more details.
Regarding your ecommerce data, no payment information, no credentials (passwords), were concerned by this data breach. It solely affected our customers’ contact details.
This data breach has no link and no impact whatsoever with our hardware wallets nor Ledger Live security and your crypto assets, which are safe and have never been in peril.You are the only one in control and able to access this information.
What we we have done and what we are doing
As the issue was limited to ecommerce and marketing contact information and we were able to fix it immediately, we took the time to do a detailed internal investigation with third party experts before warning our community.
On the 17th of July, we notified the CNIL, the French Data Protection Authority which ensures that data privacy law is applied to the collection, storage, and use of personal data. On the 21st of July, we partnered with Orange Cyberdefense to assess the potential damages of the data breach and identify potential data breaches.
After a thorough investigation by our security team and Orange Cyberdefense, we can conclude the ecommerce and marketing database has been breached. By the time of this posting, all affected customers will have received an email with this update.
We are actively monitoring for evidence of the database being sold on the internet, and have found none thus far. We also performed an internal penetration testing and we are pushing forward the external penetration testing that was originally planned for September.
We are extending to ecommerce the scope of our security and organisational program, originally focusing on our Products (HW & Vault). We are taking steps towards meeting the requirements listed in ISO 27001.
We are filing a formal complaint with authorities to fully investigate the situation.
To maximize the privacy of our customers, Ledger Live, the companion app for your Nano, which does not retain any information about our clients, will become the main point of contact for information on new product developments as well as our social media accounts: Twitter, Facebook and LinkedIn.
What you can do
We recommend you exercise caution — always be mindful of phishing attempts by malicious scammers. To put it simply, Ledger will never ask you for the 24 words of your recovery phrase. If you receive an email that looks like it came from Ledger asking for your 24 words, you should definitely consider it a phishing attempt.
Furthermore, while we do all we can, we suggest you visit Ledger Academy security section to educate yourself on general security principles and more precisely our article about phishing attacks.
We are extremely regretful for this incident. We take privacy very seriously, we discovered this issue thanks to our own bug bounty program, we fixed it immediately. But regardless of all what we did to avoid and fix this situation, we sincerely apologize for the inconvenience that this matter may cause you.
If you have any questions, you can read our FAQ, and for any additional information, you can directly contact our customer support.