While the security of Ledger products is unparalleled – Ledger Nano products are the only hardware wallets independently certified on the market – and remains uncompromised, criminals are attacking Ledger customers with phishing attempts using different attack types. Recently, Shopify discovered Ledger customers were impacted by the Shopify data theft disclosed by Shopify here, and notified Ledger.
Focused adversaries will always try different angles to access Ledger data and we must continue to strengthen our security posture. This is an industry-wide problem we need to fight together, and Ledger is doubling-down on our commitment to do our part in this fight.
In this blog post we are updating our users on our ongoing actions to strengthen our security practices and pursue justice in our 2020 data theft:
- We are announcing changes in the way Ledger will handle customer data: Our goal is to completely delete your personal data such as name, address, and phone number as soon as possible. We are challenging ourselves and third party providers to keep this data for as short a period of time as necessary to fulfill our obligations to our customers (such as fulfilling your order) and the law (such as accounting and legal obligations). Data which needs to be kept will be put in a further segregated environment.
- We will implement a messaging model where proactive important security and technical information will be conveyed through Ledger Live. Email and social media will ONLY be used for broadcasting product messages and announcements.
- Ledger is committing numerous additional resources to identifying and prosecuting those responsible for the attacks on Ledger and Ledger customers including a bounty fund of 10 BTC for information leading to successful arrest and prosecution. We hope other companies will join the bounty program and help make the crypto community a safer place.
Security reminder: NEVER give your 24 words to ANYONE. Ledger will NEVER ask you for your 24 words. If someone posing as Ledger asks for your 24 words, that is a criminal, not Ledger. The ONLY place where the 24 words of your recovery seed must be input is in your Ledger Nano – NEVER IN LEDGER LIVE.
In this post we will recap the events related to our data breach in the most transparent way possible. The entire Ledger team is working extremely hard to solve these challenges. This post is long but we want to give you as much information as possible regarding the direction Ledger is taking to keep your data safe and catch and prosecute the criminals perpetrating these crimes.
1- What happened
First, to recap the situation briefly: On July 14th, 2020 a researcher contacted us through our bounty program to inform us of a data breach on our e-commerce and marketing database. We immediately fixed the data breach and launched internal investigations. We discovered a malicious attacker had gained unauthorized access to our e-commerce and marketing database via a third party’s API key. Through forensics conducted by Ledger as well as third party forensics company Orange Cyberdefense we were able to identify that more than one million email addresses and approximately 9500 customer records including name, address, product(s) ordered and phone number were also stolen. We immediately (July 29th, 2020) notified our customers and shared the forensic information with the relevant authorities.
On December 20th, 2020 the full contents of the stolen databases were made publicly available in a forum. Once we saw these full databases, we could see that approximately 272,000 customer records including name, address and phone number were stolen in addition to the more than 1M email addresses. As soon as this was discovered we warned affected customers via email (December 21st, 2020).
Now, we have new information to share: on December 23rd, 2020 we received a notification from our e-commerce service provider, Shopify, regarding an incident involving merchant data in which rogue member(s) of their support team obtained customer transactional records, including Ledger’s. The agent(s) illegally exported customer transactional records in April and June 2020. According to Shopify, this is related to the incident reported September 2020, which concerns more than 200 merchants, but until December 21st, 2020, Shopify had not discovered that Ledger was also targeted in this attack. Shopify tells us they engaged digital forensics experts and counsel to continue their investigation on the matter and have reported the matter to law enforcement in both Canada and the USA.
Along with forensic firm Orange Cyberdefense we were able to establish that it affects approximately 292,000 customers. While the database is 93% similar to those exposed in the previous attack there were approximately 20,000 new customer records including, email, name, postal address, product(s) ordered and phone number included in this breach.
If you purchased a Ledger product after the end of June, 2020, or if you purchased your product outside of Ledger.com, your data was not exposed in these incidents.
For answers to frequently asked questions on both these attacks please visit the FAQ. To educate yourself on the kinds of phishing attacks being perpetrated, or to report a phishing attack to our team, see this page.
Throughout these attacks, Ledger hardware wallets remain uncompromised and your cryptocurrency secure SO LONG AS YOU NEVER SHARE YOUR 24 WORDS WITH ANYONE (especially someone pretending to be Ledger — Ledger will never ask you for this information).
2- Actions taken by Ledger
Concerning the data breach discovered on July 14th
We patched the breach on July 14th, 2020. On July 17th, 2020 we notified the French Data Protection Authority. We began conducting forensics with Orange Cyberdefense on July 20th, 2020. It was necessary and prudent to complete the investigation with Orange Cyberdefense and gather as many facts as possible before communicating the data breach to our customers.
As soon as we had the final report we sent an email to our entire email database on July 29th, 2020. We informed the media about the situation via a press release the same day. We filed a complaint with the French public prosecutor on August 5th, 2020.
Concerning the phishing campaigns against our customers
In recent months we’ve seen high activity of phishing attacks on our customers. We have communicated heavily to warn our customers about these attacks via email, on our Website, within Ledger Live, and on Twitter, Reddit and other third-party platforms. We sent an email to our entire database regarding these phishing attempts on October 22nd, 2020. We partnered with Webdrone, a company specialized in business intelligence and cybercrime, to identify the author(s) of phishing websites. We have an on-going program with Corsearch to shutdown phishing websites expeditiously through registrars and to date have shut down 216 sites and counting.
Our internal brand protection team has been exclusively dedicated to the phishing attacks since they started. Corsearch is collaborating with international investigative organisations on our behalf. On December 16th, 2020 we launched a specific page sharing the anatomy of these phishing attacks to help you identify them and report any new attacks you receive.
We are working with Chainalysis and other organisations to track the cryptocurrency wallets used by the scammers. If/when discovered, we will report them to law enforcement for action (for example to freeze the crypto assets should they land on exchanges).
We continue to work with several private investigators to find and track the individuals responsible for these attacks. All clues and information gathered are shared with the relevant authorities (if you have new information for us, please see the bounty program below). For the phishing campaigns, Ledger has also filed a complaint with the French prosecutor and shares information gathered by Ledger and the investigators on a regular basis.
Due to these incidents, Ledger has experienced an exponential increase in requests for information compared to this time last year. Every communication with our customers is important to us and we want to respond to every one with precise information. To accommodate to this demand we hired more resources in 2020 and are continuing to hire in 2021. We are sincerely sorry if you are experiencing delays with our customer support and we are working hard to answer everyone as quickly as we can. We hope this blog post and the FAQ immediately help you find the answers you are looking for.
Concerning the Shopify data breach
The investigation into the incident involving Shopify is ongoing and we will continue to update you as the situation unfolds. As of today: We notified the French Data Protection Authority on December 26th, 2020. After completing forensics with Orange Cyberdefense we informed all customers affected by this breach via email on January 13th, 2021. We continue to work with Shopify and prosecutors on the case; an investigation is already underway, led by the FBI and the RCMP. Ledger also reported the events to the French Public Prosecutor and filed a complaint against the rogue agent(s). We are continuing to work with Shopify using new internal processes to ensure enhanced security.
3- Next steps
Data breaches and phishing attacks are an industry-wide problem. We continue working on this problem every single day, and today we want to share with you the beginning of our new plan that is aiming to increase the protection of our customers.
FIRST of all, we would prefer not to have your data; your trust is worth much more to us than holding your data. When you order your product directly from Ledger we collect your information so we can ship you your order. Accounting regulations and legal obligations require that we keep e-commerce purchase data for a certain period of time. Still, we are changing the way we handle this data, to go above and beyond GDPR principles and take a best-in-class approach:
- Our goal is to completely delete your personal data such as name, address, and phone number as soon as possible. We are challenging ourselves and third party providers to keep this data for as short a period of time as necessary to fulfill our obligations to our customers (such as fulfilling your order) and the law (such as accounting and legal obligations). Data which needs to be kept will be put in a further segregated environment. For instance, we aim to put your e-commerce order information such as name, address, phone number in a segregated environment three months after the shipping of your product.
- We will reduce the locations at which your personal information is displayed. For example, we will be deleting the name, address, and phone number from the order confirmation emails we send to you so this data does not pass through our ecommerce email provider.
- We will implement a messaging model where proactive important security and technical information will be solely conveyed through Ledger Live. Email and social media will ONLY be used for broadcasting product messages and announcements.
- We will be conducting a detailed re-assessment of all our suppliers and partners to ensure that they continue to meet the highest standards.
SECOND, thefts and attacks such as this cannot go uninvestigated or unprosecuted. For cryptocurrency to thrive there must be a price to pay for committing cryptocurrency theft. We continue to work with law enforcement as well as private investigators on these cases, and we are adding more firepower:
- We are hiring additional private investigation capacity, adding experience and different approaches to finding those responsible for these data thefts. We will continue to work in concert with global law enforcement to find, arrest, and prosecute those responsible wherever possible.
- We are creating a bounty for new information, obtained legally, leading to the identification, arrest and successful prosecution of those responsible for attacks against Ledger and our customers. Ledger has seeded a wallet with 10 BTC (address: bc1qappeev2uut3md3622wtmxllwtn7ctqdhwv0xsc) as the initial bounty reserve. This will be disbursed at the discretion of Ledger and will consider factors such as – has the information been obtained legally? Is it new? How substantial is the information and how far will it help progress the investigation and result in a direct ability to prosecute individual(s)? Has that prosecution been successful? More generally, it will be subject to the terms of our bounty program available here.
- We are announcing our intention to collaborate with others in the industry on this initiative. We are reaching out to other companies and individuals in the space about ongoing funding of this bounty program for crimes committed against the crypto community. CEOs of other companies in the crypto space, if you would like to join us on this project, please get in touch ASAP.
We are deeply sorry that these incidents occurred and for any pain or stress they’ve caused our customers. Keeping you secure is Ledger’s mission and we take these incidents extremely seriously both personally and professionally. We will soon release a technical solution that will remove the 24 words as the single pillar of the security of our hardware wallets and will open the door to funds insurance for individual customers. These attacks have only strengthened our resolve to build and release products that keep you and your crypto safe. We have exciting, innovative and secure products and services to announce in 2021. Ledger remains committed to building the most secure products and protecting the crypto ecosystem. Period.
PLEASE take this moment as a reminder to be vigilant and take every possible step to protect yourself. As the value of your crypto increases and more people join the ecosystem, this will continue to be an area of focus. Crypto Casey does a great job of summarizing the situation and how to protect yourself in this video and podcast. Please take all steps to keep yourself and your crypto safe.
We are all here for the same reason: we are long-time believers in the value and future of cryptocurrency and digital assets. We at Ledger have learned very important lessons and will continue to work hard to ensure your trust is well-placed in us. We are humbled. We are becoming stronger and more resilient as a result.
Pascal, Ian, Antoine, Matt, Charles.