Hackers publish 1 million pieces of Ledger customer data

Getting your Trinity Audio player ready...

Over 1 million pieces of Ledger hardware wallet user’s personal identification information has been published on RaidForums, a marketplace for buying, selling, and sharing hacked information. To be more specific, 1 million email addresses and 272,000 customer’s first and last names, postal addresses, and phone numbers were published.

That being said, the damage from the June 25 Ledger security breach is much worse than the company originally believed it to be. When Ledger learned of the breach and made a public announcement, they said that only 9,500 customers’ names, addresses, and phone numbers had been compromised.

The blackmail has begun

A lot of Ledger user’s personal information is out in the wild right now, and most likely, in the hands of individuals looking to scam unsuspecting individuals out of their money. Unfortunately, attackers are already using the user information they got from RaidForums to scam, defraud, and blackmail Ledger users.

A Reddit user that goes by ‘relephants’ posted a message on r/ledgerwallet> warning others that he is being targeted by attackers that have his email address and phone number. The attacker requested that relephants pays them $500 to a wallet address, claimed to know where relephants lives (courtesy of Ledger), and said they are “not afraid to show up when you [relephants] least expect it and see how my wrench works against your face.”

What’s next?

At this point, the situation is out of Ledger’s hands, the damage has already been done, and it is irreversible. The best advice ledger can–and did–give, is to look out for more phishing attacks from attackers that have the customer data.

Ledger has set up a website that provides an overview of some of the phishing scams that have happened to date so that users can know not to fall for the same attacks if they are directed toward them. Since the date of the breach, Ledger says they have successfully shut down 171 phishing websites that capitalized on the stolen customer information.