On July 14, a researcher contacted us through our bounty program to inform us of a data breach on our e-commerce and marketing database. We immediately fixed the data breach and launched internal investigations. We found that the exposed data was subject to unauthorized access. Your funds are safe.
Please find answers to frequently asked questions below. Details about the data breach, refer to our blog post.
Are my personal details (name, address, phone number) compromised?
We’ve sent an email to all 9500 affected customers for whom our data showed personal details were leaked. If you did not receive this email, we have no evidence your personal data was leaked other than your email address.
What type of data was compromised from Ledger's customer database?
The e-commerce and marketing database has been breached. It contains emails, first and last names, phone numbers, and postal addresses, as well as the type of product purchased within certain orders.
We know that this database comprises approximately 1M email addresses that could have been leaked and that 9500 more detailed personal information leaked as well such as first name, last name, phone number, and postal address and products purchased. More detailed personal information could have been exposed.
Was the data breach fixed?
As soon as we discovered it, this data breach was fixed within the same day, the API key was deactivated.
Who is the third party solution? Why were they processing customers’ data?
Ledger e-commerce and marketing teams use a third-party solution (Iterable) to send and analyze transactional and marketing emails to customers who have bought products on ledger.com or have signed up to receive our newsletters.
Are customer funds impacted?
No. Payment information, credentials (passwords), or crypto funds were not impacted. This data breach has no link nor impact on our hardware wallets and the Ledger Live application. Your crypto assets are safe and are not in peril.
Our security model prevents attackers from accessing any sensitive information related to our hardware devices like recovery phrases and private keys. Users are in complete control and the only ones able to access this information.
What about “non-public identification info” like bank account numbers, social security details?
Is customer data handled in-house or by a third-party vendor?
Have there been any ransom demands?
We are not aware of any ransom demands.
What remedial measures is Ledger taking to resolve this?
- We have fixed the data breach immediately
- We have investigated the data breach immediately, both internally and with external forensic experts (Orange Cyber Defense) to discover any unauthorized access to our customer data from a third party
- We have informed the French Data Protection Authority of the data breach and updated them on the situation.
- We have informed our customers.
- We are finalizing the filing of a formal criminal complaint with the French Public Prosecutor.
- We performed penetration testing internally and we are pushing forward the external penetration testing that was originally planned for September 2020.
- We have periodic internal audits planned on our data retention policies to ensure continued compliance with Applicable Laws.
- We are extending to e-commerce the scope of our security and organizational program, originally focusing on our Products (HW & Vault). We are taking steps towards meeting the requirements listed in ISO 27001.
Can the info obtained by the hackers bypass Two-Factor Authentication (2FA) measures?
No. Our e-commerce website doesn’t retain any login/password information since 2FA is not relevant regarding our security scheme. Indeed our clients don’t have a Ledger account. This data breach is a marketing and e-commerce data breach concerning emails.
Any customers reporting physical extortion?
Not to our knowledge. Neither recently nor in the past.
Why did Ledger wait for more than a week to communicate publicly about this marketing and e-commerce data breach?
We wanted to have all data necessary and we needed to perform legal compliance first.
We immediately fixed the issue and launched an internal investigation to evaluate the scope of the violation. We also investigated with Orange Cyberdefense to assess the extent of the breach, we received the OCD initial report on the 24th of July.
We notified this data breach the French Data Protection Authority, the CNIL, in compliance with the applicable laws.
What can I do to protect my data moving forward?
Beware of phishing attempts that would impersonate Ledger to request your recovery phrase.
Since when does this issue exist?
The API key misconfiguration at issue has been running since August 9th, 2018. Based on the information we have, we believe it was discovered and exploited from April 2020 to June 28th, 2020.
What security measures were in place to protect our Personal Information?
In order to ensure the integrity and confidentiality of your personal data, we implement appropriate physical, electronic and organizational procedures to safeguard and secure personal data throughout our services.
We notably implement the following security measures, among others:
- Payment Data security: If you provide us with credit card information, such information is encrypted using a secure Internet Trade Protocol (TLS) and sent directly to our Payment Service Provider (PSP). This information is never stored on our server.
- Awareness program and employee trainings
- Data encryption in transit and at rest
- Data centers routinely audited
- Data redundancy for resilience in case of disasters
- Role-based authentication
- Two-factor authentication of our authorized employees
- Continuous system monitoring
- Industry-standard security evaluations
- Independent third-party security reviews and penetration tests
Are you sure there is no other similar issue on your e-commerce site? Do you use other APIs?
We performed an internal audit and didn’t find any similar breach. However, we can never be sure. We are therefore performing an external penetration test and encourage other IT security researchers to reach out to us via our bug bounty program.
How can you be sure the alleged Shopify data breach disclosed in May was a hoax?
We had access to a sample of the alleged leaked database and found that didn’t match with our database.
Are you aware of existing phishing attacks on your clients?
Phishing campaigns are very standard in the industry, which is why we created Ledger Academy to educate our users. We conduct regular campaigns to remind our users of the dangers of phishing attacks, and to always maintain caution. We have had a brand protection team in place for 2 years to monitor and enforce such abusive content.
Have you identified who compromised your database? Do you have any clue?
No. We are filing a criminal complaint with French Public Prosecutor based on preliminary evidence outlined thanks to Orange Cyberdéfense’s independent investigative forensic report.
Do you cross my Ledger Live data with other data? (e-com, HW)
No, we don’t.
Do you share data with governments?
Why don’t you purge your database?
For legal reasons, we are obliged to store some transactional information relating to our customers’ contact details and their orders data.
In accordance with the storage limitation principle set forth under applicable laws, we endeavor to retain data for no longer than the time required to comply with such legitimate and legal purposes, including satisfying any legal, accounting, tax, or other compliance reporting requirements.
We may archive some of your personal data, with restricted access, for an additional period of time when it is strictly necessary for us to comply with our legal and/or regulatory archiving obligations and for the applicable statute of limitation periods. At the end of this additional period, your remaining personal data will be permanently erased or anonymized from our systems.
If you purchased a product or a service from us, we may retain some transactional data attached to your Contact Details to comply with our legal, tax or accounting obligations for a maximum 10 years period set forth by French applicable laws, as well as to allow us to manage our rights (for example to assert our claims in Courts) during applicable French statutes of limitations.
We also need to retain some of your personal data contained in this database, in order for us to answer your questions, to process potential claims, and to retain evidence for the criminal investigation.
Are the 24 words stored in the database?
No, our clients are completely and solely in control of their recovery phrase. Ledger will never request your recovery phrase.
If you are not able to protect our e-commerce data, how could you protect and secure our funds?
This is the most accurate and legitimate question we can handle from our customers. Indeed, since the inception of Ledger, we focused on the security of our products because we knew this industry needed strong, fully monitored, and auditable security solutions to take off and we are committed to offering our customers security products that we monitor with best-in-class knowledge.
This data breach comes from a misconfigured third party API key hosted on our e-commerce webpage. It has nothing to do with our security products and their own infrastructures. This does not mean this situation is not serious. This means it does not relate to the level of security of our products.
We are extremely regretful for this incident. We take privacy very seriously, we discovered this issue thanks to our own “bug bounty” program, we fixed it immediately. But regardless of all that we did to avoid and fix this situation, we sincerely apologize for the inconvenience that this matter may cause our customers.
This situation is very stressful, what is supposed to reassure me?
We understand your concerns and we are extremely regretful for this incident. We take privacy and data security very seriously. As soon as we discovered this issue thanks to our own bug bounty program, we fixed it immediately and worked to inform you. But regardless of all, we did to avoid and fix this situation, we sincerely apologize for any inconvenience that this matter may cause you. However, this data breach has no link with and no impact on our hardware wallets nor Ledger Live security. Your crypto assets are safe and have never been in peril. We are grateful for the trust you have put in our products. Moving forward, you can expect the highest standard of professionalism, transparency, and responsiveness from our services.
How did the data breach impact Amazon orders, more specifically, billing/shipping addresses?
No information from Amazon orders (including email, billing, and shipping addresses from orders) was affected by the data breach.