France-based major hardware wallet provider Ledger has confessed that it was hit with a data breach on June 17 that appears to have given a “third party” access to at least 1 million of its users’ contact details. (Updated at 10:13 UTC: updates in bold.)
The firm took to Twitter to state that its marketing and e-commerce database was compromised, exposing its customers’ contact details and order information, although Ledger claimed that there was no spill of crypto holdings or client transaction information.
Ledger notified its clients by email today. In a separate blog post, the firm added that it was made aware of the breach on July 14 by “a researcher participating in a bounty program.”
The company also wrote,
“We know that this database comprises approximately 1 million email addresses that could have been leaked and that 9,500 more detailed personal information leaked as well such as first name, last name, phone number and postal address and products purchased [sic]. More detailed personal information could have been exposed.”
“We are in the process of providing detailed information to that subset via email. These concerned clients will receive a dedicated email at 5PM CET [15:00 UTC],” the company told Our.
Ledger explained that an “unauthorized third party got access to a portion of our e-commerce and marketing database through a third party’s API key that was misconfigured on our website, which allowed unauthorized access to our customers’ contact details and orders data.”
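The page says only that a third party’s API key was “misconfigured on our website”; it does not say how. One common form of that mistake is a key shipped inside assets the web server serves to every visitor. The following is an added illustration, not Ledger’s code or any vendor’s tool: a small pre-deployment check that scans published assets for credential-shaped assignments and uses Shannon entropy to separate random-looking tokens from labels and placeholders. The file names, the `crmApiKey` value and the `example.invalid` host are all constructed for the example.

```python
import math
import re
from typing import Dict, List, Tuple

# Constructed sample of files a web server publishes to every visitor.
# Illustrative only; these are not Ledger's assets and the key is made up.
SAMPLE_ASSETS: Dict[str, str] = {
    "index.html": '<script src="/static/app.js"></script>',
    "static/app.js": (
        "const cfg = {\n"
        "  analyticsId: 'UA-0000000-1',\n"
        "  apiKeyLabel: 'xxxxxxxxxxxxxxxxxxxxxxxx',\n"          # placeholder, low entropy
        "  crmApiKey: 'k7Qp2ZxT9vLm4Rn8Wb3Yc6Hd1Jf5Sg0A',\n"     # constructed secret
        "};\n"
        "fetch('https://crm.example.invalid/v1/customers',\n"
        "      {headers: {Authorization: 'Bearer ' + cfg.crmApiKey}});\n"
    ),
    "static/style.css": "body { color: #333; }",
}

# A credential-shaped assignment: an identifier that hints at a secret,
# then ':' or '=', then a quoted token of at least 20 token characters.
ASSIGNMENT_RE = re.compile(
    r"(?i)([A-Za-z_]*(?:api[_-]?key|secret|token|password)[A-Za-z_]*)"
    r"\s*[:=]\s*['\"]([A-Za-z0-9_\-]{20,})['\"]"
)


def shannon_entropy(s: str) -> float:
    """Bits per character: random-looking tokens score high, repeated
    or word-like strings score low."""
    if not s:
        return 0.0
    n = len(s)
    counts = {c: s.count(c) for c in set(s)}
    return -sum(k / n * math.log2(k / n) for k in counts.values())


def find_exposed_secrets(
    assets: Dict[str, str], min_entropy: float = 3.5
) -> List[Tuple[str, str, str]]:
    """Return (path, identifier, value) for every credential-shaped value
    whose entropy is at or above min_entropy. Lowering min_entropy to 0
    reports every match, placeholders included."""
    findings: List[Tuple[str, str, str]] = []
    for path, body in assets.items():
        for m in ASSIGNMENT_RE.finditer(body):
            name, value = m.group(1), m.group(2)
            if shannon_entropy(value) >= min_entropy:
                findings.append((path, name, value))
    return findings


if __name__ == "__main__":
    # A CI step would run this over the build output and fail on any finding.
    for path, name, value in find_exposed_secrets(SAMPLE_ASSETS):
        print(f"{path}: '{name}' holds a high-entropy token ({value[:6]}...)")
```

Running the check over the sample reports only `crmApiKey` in `static/app.js`; the `apiKeyLabel` placeholder is matched by the pattern but discarded by the entropy threshold. The broader point is that a key which must never be visible to browsers should not be present in the published tree at all, so a scan like this belongs in the build pipeline before anything reaches the web server.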
The company appears to have gone into damage limitation mode, with a barrage of PR claiming that no client crypto has been lost and “mainly email addresses” were exposed in the breach.
Pascal Gauthier, Ledger’s CEO, penned a letter to clients, warning them to be on the lookout for phishing attacks in the wake of the breach.
“The most common attack a scammer can perform with access to email addresses are phishing attacks, so we urge our users to exercise caution, and to remember that Ledger will never ask for your 24-word recovery phrase. Treat anyone who asks for your financial information as a potential scammer,” the company told Our.
Gauthier also stated that Ledger has been in contact with the French data protection authority (the Commission nationale de l’informatique et des libertés, or CNIL) and that the company is “continuing to work with authorities throughout the legal process.”
“We are extremely regretful for this incident. We take privacy very seriously, and we sincerely apologize for the inconvenience this matter may cause you.”
The company also added that it took the decision to delay the announcement as it “wanted to have all [the] data necessary and needed to perform legal compliance first.”