In a recent press release issued by Ledger, the company that makes the famous hardware wallet, we learned that criminals have taken advantage of another data breach, originating from Shopify, which involves another 20,000 users.
The information obtained by these agents is 93% similar to the previous data dump. However, 7% (around 20,000) of the customer records breached are new. We have directly contacted the concerned users to inform them about this.
– Ledger (@Ledger) January 13, 2021
The incident dates back to May last year, when criminals exploited a flaw in the Shopify portal, and on that occasion, they stole data more than 300,000 users from various portals such as Trezor, Augur and Ledger.
Unfortunately, the following month there was also another attack, this time directly against Ledger, in which they were robbed about 1 million email addresses and the complete data of more than 9500 users. A few months later, the criminals also attempted a third attack against users.
As if that were not enough, it was only last month that all the data from the stolen database was published, including the private information of users who had dealt with Ledger, that is, those who had bought a hardware wallet to protect their cryptocurrencies.
2020 was certainly not the best year for Ledger, but as the company itself points out, none of these episodes jeopardize safety of electronic devices held by users, although it is recommended not to introduce your seed on suspicious platforms and especially on Ledger Live, as it could be compromised.
Ledger's actions against data breaches
Meanwhile, Ledger has taken steps to warn new users affected by the recent discovery of the stolen data and to inform them that do not provide your seed to nobody and that they do not use it on any other platform other than the physical wallet.
In addition, Ledger is working to integrate a messaging model to access user funds and, therefore, we could see a type system 2FA to improve security, so even in the event of lost seeds, a second password will be required to access the funds.
As for what happened, Ledger has moved to track the data with the support of Chainalysis. In particular, they will try to trace the seeds used and the movements of the wallets, in order to identify how the criminals are using these funds.
In the case of Shopify, both the FBI and the RCMP are working with French authorities to locate the criminals who carried out the Shopify attack.
Other measures that the company will take will be those related to the management of the database, so the private names of the buyers will be deleted once the order is processed, to avoid similar problems in the future.
In fact, even if a database of this magnitude was accessed, if methods had been put in place to hide, protect and make the information it contains impossible to read, it certainly would not have been easy for criminals.
This shows the carelessness with which the company has treated this data, causing concern among many users, who in some cases have suggested create a lawsuit collective against Ledger.
Finally, Ledger has offered a reward to all those who provide useful information to catch criminals.
The reward is 10 BTC each, to encourage white hackers to support the case.