According to a tweet from Alon Gal of network security firm Hudson Rock, a hacker allegedly behind the June breach of personal data from hardware wallet maker Ledger has made all the information they obtained available online. This reportedly includes 1,075,382 email addresses of users subscribed to the Ledger newsletter, and 272,853 hardware wallet orders with information including email addresses, physical addresses, and phone numbers.
“This leak holds major risk to the people affected by it,” said Gal. “Individuals who purchased a Ledger tend to have high net worth in cryptocurrencies and will now be subject to both cyber harassments as well as physical harassments in a larger scale than experienced before.”
In a response on Twitter, Ledger said “early signs” seemed to confirm that the released information was from the June data breach that compromised the personal data of many of its users. Following news of the hack, many Ledger users reported being targeted through phishing attempts. Some said they received convincing-looking emails asking them to download a new version of the Ledger software.
“We are continuously working with law enforcement to prosecute hackers and stop these scammers,” said Ledger. “We have taken down more than 170 phishing websites since the original breach.”
After months of reported phishing attacks, many users seemed dissatisfied with Ledger’s response.
“If any lawyers want to start a class action suit, I’m sure many of us will jump on board,” said Twitter user Ryan Olah. “This has just gotten 10,000x worse now.”
I’m going to take legal action against you very soon.
— a Friendly Duck. HODL (@DuckHodl) December 20, 2020
Though users’ tokens are most likely not in danger of being siphoned out of Ledger wallets, users could compromise their own funds by falling for phishing attempts sent to the affected email addresses or phone numbers. Many have reported that such attacks try to trick them into giving up their seed phrases, prompting Ledger to reiterate:
“Never share the 24 words of your recovery phrase with anyone, even if they are pretending to be a representative of Ledger. Ledger will never ask you for them. Ledger will never contact you via text messages or phone call.”
However, some Ledger users pointed out that phishing attacks are just one possible threat they may face now that their physical addresses are public. People with large crypto holdings run the risk of being kidnapped and held until they give up their tokens, as was the case with Singaporean entrepreneur Mark Cheng in January.
“This is a serious breach and I am concerned that people now have our addresses,” said Twitter user Paul Smith. “What’s stopping them from knocking on our doors? Saying sorry, frankly, isn’t enough.”