Can Ledger Nano S be hacked?

Ledger database hacked - users should pay attention to this

Anyone who invests in cryptocurrencies such as Bitcoin, Chainlink or Ethereum sooner or later has to think about suitable storage options for their coins. In addition to the widely used devices from the manufacturer Trezor, there are also devices from Ledger, which have a large fan base. So far, these devices have been flawless and have received top marks. But as the French company has now announced, attackers used a security hole to steal millions of pieces of customer data. What does this mean for users?

What happened?

Companies normally invest large amounts in ethical hackers in order to identify potential security gaps in their own IT. Ledger has also announced a reward for hackers who identify such a loophole. As the company announced, such a vulnerability was identified by a user on July 14, 2020. The specific case concerned a possible data breach on the Ledger website.

As the company has now announced, this security vulnerability was fixed immediately after it was discovered and then carefully analyzed as part of an internal investigation. Nonetheless, Ledger discovered that this vulnerability had been exploited by an attacker on June 25, 2020, prior to the patch. The attacker is said to have gained access to the e-commerce and marketing database.

The attacker gained access to the marketing database, which is used in particular for sending order confirmations, advertising messages and storing contact and e-mail addresses. Accordingly, the attackers now have access to user data such as name, address, email address and telephone number. However, the payment information was not on the affected server, so all account information is considered secure.

For reasons of transparency, Ledger immediately decided to make the attack public. An important part of the public statement revolves around the question of why this attack could take place in the first place. In essence, the security hole exploited by the attackers was an API key to the e-commerce and marketing database. In the meantime, the operators have been able to close this gap and thus provide additional protection in the system.

What personal information did the attackers obtain from Ledger?

Basically, the attackers got order and contact data. The focus here is particularly on the customers' email addresses. According to official information from Ledger, around one million customer addresses could be affected.

Information such as postal address, telephone number and orders could also be obtained for around 9,500 customers. To be on the safe side, Ledger has decided to inform all customers about the vulnerability. The users who are particularly hard hit are also to receive additional information including specific details. The attack only involves personal contact details. Sensitive payment data and passwords are not affected.

Furthermore, Ledger notes that the attack has no effect on the Ledger Nano wallets. Ledger Live and the investors' assets are also still safe and have never been in danger. Since the private key is never held in the company's data, it remains secure and is the sole responsibility of the end user.

What action has Ledger taken?

After the vulnerability became known, Ledger closed it immediately. Since it is only a matter of user contact details, the company has also decided to conduct internal investigations. As part of the investigation, Ledger hired external third parties who carefully examined the attack. The information was only given to the users after the examinations were completed.

A researcher participating in our bounty program made us aware of a potential data breach in our marketing database.

We immediately investigated and fixed it.

Your payment information and crypto funds are safe.

More details:

- Ledger (@Ledger) July 29, 2020

In addition, Ledger has decided to involve the French data protection authority (CNIL). This is to ensure that the regulations of the EU GDPR are applied to the storage and use of customer data. In addition, on July 21, the company entered into a partnership with Orange Cyberdefense to assess the damage caused by the data breach and to identify data breaches.

As part of the investigation, Orange Cyberdefense and the security team were able to determine that only the aforementioned areas are affected. The team is currently looking for information on the marketing customer data on the Internet; so far there has been no official information.

In addition, Ledger decided to expand the security and organization program, which originally focused on the products, to include electronic commerce. There is also a formal complaint to the responsible authorities in order to clarify the matter as quickly as possible.

Ultimately, Ledger Live should help increase user privacy. This app, which acts as a companion app for the Nano, is intended to be the new main point of contact for information and product developments.

What can affected users do now?

As a first step, affected users should above all act carefully. There is a good chance that attackers will start phishing attempts. Accordingly, all those affected should familiarize themselves more closely with how to identify fake emails.

If users receive dubious queries asking for the 24-word recovery phrase, they should not respond.

Ledger also advises that users visit the security section of the Ledger Academy to learn general security principles. In addition, Ledger officially apologizes to users and hopes that a bug bounty program will enable these risks to be better identified. Customer support is still available as a contact for questions.

Conclusion: the attack on Ledger is a debacle for the wallet manufacturer

The Ledger attack is a disaster for the company. In the long term, the attack could affect customer trust. But the current situation is not only a challenge from Ledger's point of view. Investors are now also exposed to increased risk. After all, attackers have access to the e-mail data and can thus start phishing attacks.

The official apology and the open investigation of the error are already sensible first steps to regain customer trust. The bounty programs are also useful to increase the general security of the platform.

From my point of view, the company's actions can be rated very highly. Setting up a committee of inquiry is a good step in identifying vulnerabilities. In addition, other programs should help ensure that such errors simply no longer happen.