As you probably know, Ledger was a victim of an e-commerce data breach during the summer. A significant amount of our users’ data was leaked.
On December 20th we were alerted of the dump of the contents of a Ledger customer database on Raidforum (a hackers’ community board). Consequently, there are ongoing new waves of phishing attacks threatening our users.
To the users affected by the breach, we know what you are going through, and as frightening as it may be, we urge you not to panic. We deeply regret this situation, and have put in place procedures to face it.
Here are 6 ways to face the data breach:
1- Stay calm
Scammers play on your fear to make you act rashly, stay calm, don’t panic, and never act under pressure.
When you react stressfully, you can make mistakes. So if you are changing your password, email or backing up your device, take your time to make sure that you are doing everything correctly.
Most importantly, your funds are safe, as long as they are stored offline. Hardware wallets are the most secure way to store your assets. Transferring your funds out to an exchange, or a software wallet, will make you more vulnerable.
Ledger products provide the best security for your crypto, the data breach under no circumstances affects the security of your device. All you need to do is make sure that your Nano and recovery phrase are kept in separate, safe locations.
2- Never share your 24 words
As previously mentioned, this data breach is not linked to our hardware wallets nor Ledger Live security, so your crypto assets are safe. Therefore, attackers cannot steal your sensitive information like recovery phrases and private keys unless you give it to them.
You should know that you are the only one in control of this information and its access. Please exercise caution, always be mindful of phishing attempts by malicious scammers. Do not give your 24 words to anyone. We will never ask you for the 24 words of your recovery phrase, not even in Ledger Live. Ledger will never contact you via text messages or phone call.
We invite you to familiarize yourself with the anatomy of these ongoing phishing campaigns and report any attempt you experience on this dedicated page.
Ledger has sent two different emails detailing the implications of the data breach to those concerned. The first was addressed to the one million users who only got their emails leaked, the second to the remaining users with more compromised data.
If you think that you are affected and did not receive an email from us, please head to https://haveibeenpwned.com/ to find out if you were compromised elsewhere and take measures if necessary.
3- Strengthen your access security
If your email address has been compromised in the breach, we recommend you change the associated password. When choosing a new password, use multiple types of characters, capitalization and symbols to enhance security.
Moreover, we strongly advise you to add a two-factor authentication, also known as 2FA. This method grants you access to your email or any other platform only after successfully presenting two pieces of evidence (your initial password plus another factor) to an authentication mechanism. This can be a code sent via SMS, a notification on your mobile device, or a randomly generated password via a dedicated app.
We do not recommend you use 2FA via SMS because of the sim swapping risk it entails. Use applications such as Google Authenticator, FreeOTP (an open source solution) or a physical key. You can utilize your Ledger device to secure your accounts with a 2FA. Here is a complete tutorial on how to do it.
Finally, for maximum security you can consider changing your email address, all while applying the above-mentioned measures.
4- Never pay ransom
Sadly, scammers have reached a new low, we were appalled to find out that some of you are being personally threatened. Being a victim of physical threats can be dreadful and stressful.
But please know that, scammers will try to make the least possible effort to steal money. Phishing attacks enable them to easily target a high number of customers without the risks associated to physical contact. The database has been out since June and no-one has ever reported any attack of this sort.
If you store large amounts of cryptocurrency on your device, we advise you to keep it away from your home in a secure and hardly accessible location. Just as you wouldn’t keep millions in cash at home.
We urge you to never pay any ransom. If you fear for your physical safety and believe you are in danger, make sure to contact your local authorities right away.
5- Plausible deniability
In case you are worried of being subjected to extortion, you can add another layer of protection and resilience to your 24-words recovery phrase by adding a second back up (also called passphrase) on your Ledger device.
This results in having two recovery phrases: one will unlock the normal set of accounts, the second one will generate a new seed and will unlock an alternative set of accounts with another set of private keys and addresses, as explained here.
Therefore, if ever you were asked under pressure to “open and empty your hardware wallet”, you could use the first code, showing the account with minimal assets. Therefore, limiting financial damage on your side.
6- Distributed backups
To avoid being subject to the horror of a home jacking, or if you just can’t find a place secure enough for your backup, you may want to have the possibility of splitting your backup in different locations. You could split your 24 words in three groups of 8 and distribute them among three places, but then you would increase the risk of loss or destruction of your backup (if one piece goes missing, it’s game over).
A better alternative would be to split your backup in three, but only needing access to two pieces to recover access.
This is quite low tech and easy to understand.
Let’s say your recovery phrase is “A B C” (only three words are necessary in our example). Then you create three pieces of papers: “A B _”, “A _ C” and “_ B C”. By taking any two pieces, you are sure to recover the full “A B C” phrase.
You can follow this online guide for more information about how to do it for your 24 words recovery phrase.
Last but not least
This is a difficult time for us all. To those of you who stood by us, we thank you. And to every Ledger customer, please trust that we are working around the clock to make sure this never happens again, we promise to do everything possible to be worthy of your trust.
We are in this together, and Ledger will come out of this to provide you with a better, stronger, and more secure experience.