Ledger, a cryptocurrency provider specializing in hardware wallets, has been hacked. The company reports a data breach occurring between June and July 2020 after being altered to a vulnerability. The company was apparently hacked using an API key and the breach included marketing databases containing the email addresses of those targeted for promotional emails.
How many email addresses? Sources report approximately one million. To add insult to injury, a small group of that number also had full names, postal addresses, and phone numbers leaked to hackers.
What often happens to this data is that it is sold, the contact information is often used by hackers to initiate scams or identity theft schemes, and it’s also used to harvest passwords and passphrases from unsuspecting victims.
What Ledger Claims About The Cryptocurrency Hack
The company claims that no payment data, passwords, or other sensitive material got leaked, but how would the average consumer ever know? The company also claims that none of the stolen data was being sold to date, but again--how does the average user know?
In my experience, the Ledger issue reveals three important things. The first is that when dealing with cryptocurrency, your risks of encountering hacks or becoming a victim of hackers is elevated. There is a high degree of attention on crypto including from black hat hackers and those looking to run email scams, cell phone scams, etc. The police and news media also pay more attention these days to cryptocurrency hack issues, too.
Be An Informed User
There is nothing wrong with crypto, investing in it, or being part of the cryptocurrency community–as long as you understand the elevated risks and make informed choices with that in mind.
The second thing to remember? The garden variety standard personal security measures generally apply for crypto-related hacks and scams, too. Don’t directly reply to unsolicited emails, don’t click on links in those unsolicited emails.
And when it comes to cell phone calls from people you don’t know for services you didn’t inquire about? Just hang up. Every single time.
Be Paranoid About Your Data
And that means knowing the official company policy about how and when you are contacted. Legitimate companies avoid practices that can be used by scammers–for example, many legitimate company emails make a point to mention (usually in the fine print) that you will never be asked by that company for certain information by email such as a recovery phrase or password.
Don’t hand out your passwords, passphrases, or PIN codes. If you need to reset them, contact the company directly at its main customer service number and don’t use phone numbers or email addresses supplied to you by an unsolicited email even if you think it might be legit. In the case of the data breach we’re reporting on here, the company Ledger reminds its users that it will never ask for recovery phrases and any email sent to a Ledger customer asking for these recovery phrases should be ignored.