According to reports, the data in question was stolen during a hack of Ledger’s e-commerce database back in June.
ALERT: Threat actor just dumped @Ledger's database which have been circling around for the past few months. The database contains information such as Emails, Physical Addresses, Phone numbers and more information on 272,000 Ledger buyers and Emails of 1,000,000 additional users. pic.twitter.com/Sv9cQwhuNy — Alon Gal (Under the Breach) (@UnderTheBreach) December 20, 2020
While Ledger acknowledged that its database had been compromised as a result of this hack, the company had claimed that only 9,500 phone numbers, postal addresses, and details of product purchases were exposed during the hack in June. Despite these claims, however, it seems that the actual volume of leaked data is much more significant than what Ledger is claiming.
The company said,
“It is a massive understatement to say we sincerely regret this situation. We take privacy extremely seriously.”
Reportedly, Ledger is working with law enforcement agencies to prosecute these hackers, with over 170 phishing websites taken down since the original data breach.
Although no financial information was leaked, users were concerned that this publicly availably leaked data posed a greater threat than just phishing attacks. As one user stated,
“Individuals who purchased a Ledger tend to have a high net worth in cryptocurrencies and will now be subject to both cyber harassments as well as physical harassments on a larger scale than experienced before.”
Another called the company out on Twitter, calling the leak unforgivable and stating,
“Cut off business with them, only way companies in this space are gonna learn to take our physical security seriously.”
In fact, the community outrage was so significant that some even threatened legal action.
The aforementioned episode highlights the dangers of storing information on a single server, one that is susceptible to hacks. According to some speculations, the new proposed Treasury Rule change that forces more KYC/AML upon users will only create more vulnerabilities for cyber-attackers to take advantage of.