Hacked Ledger database dump could lead to phishing attacks

The customer database includes more than one million addresses that scammers will try to use

Posted on Dec 21, 2020 | Blog

Ledger customer database has been leaked

A database including more than a million email addresses and other personal information of customers of the hardware wallet provider Ledger has been published on the web and is publicly available for download. The database contains not only email addresses, but also full names, physical addresses and other personal information, such as purchase history, from the company’s clients. It is worth noting that, according to Ledger and other analysts, apparently no financial information or any information directly related to the private keys or mnemonic words has been hacked or exposed.

However, since personal information has become publicly available, it is expected that numerous phishing, spear phishing or social engineering attacks targeting Ledger customers will follow. These attacks will try to deceive Ledger’s customers by impersonating the company and leading unaware customers to hand over critical information, such as mnemonic words or private keys, that could lead to the theft of their funds.

The data was retrieved from the hardware wallet provider's marketing and e-commerce database due to a vulnerability in the integration with a third-party marketing tool. Over 1 million email addresses and a quarter of a million physical addresses and phone numbers were reportedly stolen back in June, and now this information has been published on the hacking site Raidforums.

Ledger, which has been updating its customers regularly on developments since the moment of the hack, has also set up a webpage to educate its users on the anatomy of the typical phishing attacks it has been detecting. The company also lets users report any suspicious activity or communication made on behalf of Ledger, in order to call out possible scammers.

The most important piece of advice for Ledger users is that you should never share your 24-word recovery phrase with anyone, as Ledger will never ask for this information through any channel, whether email, SMS or phone call.

These are some of Ledger’s recommendations to avoid becoming a victim of a phishing attack:

  • Never approve a transaction from your device if you are not the author of the transaction.
  • Ledger cannot deactivate your device for any reason, as they are not able to do so.
  • Confirm that you are only using the official communication channels and applications.
  • Avoid downloading any application from any unknown source.
  • Always double-check the domains of websites and email communications. Make sure that the domains are correct and do not have subtle spelling changes (fake domain names like ledqer, legder, and other similarly spelled words are known to be used in scamming campaigns).
  • Ledger also states that they will not contact you via text message or phone call under any circumstance.

The cybersecurity site haveibeenpwned.com provides a database of accounts leaked in known hacks. The site has already listed up to 70% of the email addresses dumped from the hack in June. If you are a Ledger user, you can check whether your account information has been included in the information dump.

You can refer to Ledger’s Q&A website for more information. If you are a CYBAVO and Ledger user, feel free to contact us if you have any questions.