Ledger — a company that sells security hardware to customers who want to protect their cryptocurrency — is making headlines with a data breach affecting their client base. While news broke in July of 2020 about a hack on the company’s database, new data illustrates the attack was more malicious than previously thought.
These credentials were made available on an underground hacking forum, Raidforums, where hackers and crackers regularly discuss their exploits and share database dumps. The original file contained two text-based documents: one with a list of subscribers to the Ledger newsletter, and one containing sensitive data about customers and clients.
While this incident was, technically, a form of identity theft, many regarded the leak as unremarkable. We’re now learning that the sophistication and attack surface of the leak were vastly underestimated by security professionals and Ledger’s internal team.
How Deep Does the Rabbit Hole Go?
The attack started from a public-facing error message that gave attackers unrestricted access to Ledger’s database. From there, hackers harvested the internal details of the database and stored them in easy-to-share text files. While initial reports suggested the attack was small, here’s what we know so far:
- Over 270,000 private emails, home addresses and phone numbers were exposed
- Over 1 million marketing emails belonging to customers were stolen
- Internal API frameworks and keys were taken
- First and last names of individuals associated with Ledger were posted publicly
While no customer had their finances stolen in the leak, this attack casts a shadow over Ledger’s reputation. To make matters worse, Ledger CEO Pascal Gauthier refused to give clients a refund for their hardware devices.
Gauthier believes that instead of issuing refunds to their client base, internal efforts and financial resources should be used to strengthen the security of Ledger’s infrastructure.
In line with that view, Ledger has replaced their previous chief information officer. The newly appointed CIO is, in Gauthier’s eyes, a step in the right direction for Ledger and their client base.
While Pascal may be right in his assessment, many feel the company is not taking identity theft seriously. Even though this attack exposed non-critical information, what about the next time it happens? Should we sit idly by while hackers steal our data and post about it online, or should Ledger take their clients’ needs and wants more seriously?