Ledger has officially confirmed that they suffered a data breach on June 25, 2020 due to a hacker attack.
The discovery was made only on July 14, thanks to a researcher who participated in the French company's rewards program.
As soon as the investigators' report of a possible data breach was received, an internal investigation was launched to correct the breach, and it was discovered that it had been exploited on June 25 by an unauthorized third party who managed to gain access to its e -commerce and marketing database.
The company uses this database to send order confirmations and promotional emails, and is primarily made up of email addresses.
In some cases, contact and order details, such as first and last name, postal address, and phone number, are also stored in it.
However, the company reports that the payment information and funds are secure.
Accounting data breach: what happened
This database was accessed by the hacker through an API key, which has now been disabled and can no longer be used.
In total, approximately 1 million email addresses were accessed, as well as additional data from 9,500 customers.
The hacker did not have access to any login credentials or passwords.
Furthermore, the data breach only refers to this specific database, and has nothing to do with the company's hardware wallets, or Ledger Live and cryptocurrency assets, to which the hacker never had access.
Finally, on July 17, the company notified the CNIL, the French data protection authority that oversees the application of the privacy law and the retention of personal data, and filed a formal complaint with the authorities to facilitate their investigation.
For the moment, there is no indication that the database has been put up for sale on the Internet.
The company also notes that possession of the wallet seed (the 24 words) is exclusive to users, and that Ledger will never ask anyone. In other words, whoever does it is likely to be a scammer, even if they don't appear to be from the same company.
Ledger CEO, Pascal Gauthier, also sent a communication to the users with which he confirmed the attack and added:
“We are very sorry for this incident. We take privacy very seriously and we sincerely apologize for any inconvenience this issue may cause you. ”