At the end of July 2020, Ledger, the French company behind some very popular crypto hardware wallets, made a news post detailing a data breach they had suffered. In their update they admitted to losing customer data, including the home addresses, emails, names, and phone numbers of 9,500 users.

On the surface it didn’t seem so bad, but the crypto community went ape shit over the news because many of us suspected the breach was far worse than Ledger claimed. A growing number of users in the /r/ledger subreddit complained of phishing attacks and SMS-based scams. A lot of people lost money to these scams, and as time went on it became obvious there was more to this leak than met the eye.

I like to keep an eye on leaks like this, so I had been waiting for a drop on the forums where this stuff usually surfaces. On Dec 20, 2020 Twitter user @UndertheBreach tweeted about a thread on Raid Forums (archive link).

Here we have a user with the handle Burgulema111 giving away Ledger customer data for free. This was a bit unusual, as the data is quite valuable and they could easily have made good money selling it. Most likely it was already for sale elsewhere and this user was just passing along the goods for some clout. I’m not really sure yet.


What was more surprising was how much data the download contained.

Inside Ledger.rar are two files:

  1. All Emails (Subscription).txt – 1,075,382 records
  2. Ledger Orders (Buyers) only.txt – 272,853 records

Here’s a breakdown:

[Ledger Orders (Buyers) only.txt] Email Provider Stats:

[gmail.com]          139,930   (51.3%)
[hotmail.com]         23,250    (8.5%)
[yahoo.com]           16,565    (6.1%)
[protonmail.com]       4,880    (1.8%)
[outlook.com]          4,259    (1.6%)
[gmx.de]               3,411    (1.2%)
[icloud.com]           3,390    (1.2%)
[web.de]               3,236    (1.2%)
[aol.com]              2,491    (0.9%)
[me.com]               2,311    (0.8%)
[Other]               69,195   (25.4%)

TOTAL: 272,918

[All Emails (Subscription).txt] Email Provider Stats:

[gmail.com]          587,403   (54.6%)
[hotmail.com]         84,231    (7.8%)
[yahoo.com]           60,531    (5.6%)
[outlook.com]         14,615    (1.4%)
[protonmail.com]      13,117    (1.2%)
[icloud.com]          10,555    (1.0%)
[aol.com]              9,433    (0.9%)
[gmx.de]               9,123    (0.8%)
[web.de]               8,297    (0.8%)
[mail.ru]              8,134    (0.8%)
[Other]              269,892   (25.1%)

TOTAL: 1,075,331
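The provider breakdowns above can be reproduced with a short script. This is an added example, not the author’s tooling and not anything from the leak itself: it pulls addresses out of each line with a regular expression, so the same code works on the one-address-per-line subscription file and on the order records without assuming a delimiter, and it counts addresses rather than lines (a record with two addresses counts twice, a malformed line not at all, which is one reason an address total and a line count can differ). The sample records are constructed, the semicolon layout is an assumption, and `stats_from_file` is a hypothetical helper for pointing it at the real files.

```python
import re
from collections import Counter

# Matches an email address anywhere in a line, so the same counter works for a
# one-address-per-line file (the subscription list) and for a full order record
# that carries a name, address and phone number alongside the email.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample records, not lines from the leaked files. The ';' layout
# is an assumption; the regex does not depend on it.
SAMPLE_ORDERS = """\
Alice Example;alice@gmail.com;+1 555 0100;12 Sample St;Toronto;CA
Bob Example;BOB@Gmail.com;+1 555 0101;3 Example Ave;Calgary;CA
Carol Example;carol@protonmail.com;+33 1 00 00 00;1 rue Exemple;Paris;FR
Dave Example;dave@hotmail.com;+44 20 0000 0000;4 Test Rd;London;GB
Erin Example;erin@example.org;+49 30 000000;5 Muster Weg;Berlin;DE
Frank Example;frank@gmail.com;+1 555 0102;6 Sample St;Toronto;CA
""".splitlines()


def extract_emails(lines):
    """Yield every address found in the lines, lower-cased.

    This counts addresses, not lines: a record with two addresses contributes
    two and a malformed line contributes none, so the total can differ from
    the file's line count.
    """
    for line in lines:
        for address in EMAIL_RE.findall(line):
            yield address.lower()


def domain_stats(lines, top_n=10):
    """Return ([(domain, count, percent), ...], total).

    The list holds the top_n domains in descending order followed by an
    'Other' bucket, mirroring the provider tables above.
    """
    counts = Counter(address.rsplit("@", 1)[1] for address in extract_emails(lines))
    total = sum(counts.values())
    if total == 0:
        return [], 0
    rows = [(d, n, round(100.0 * n / total, 1)) for d, n in counts.most_common(top_n)]
    other = total - sum(n for _, n, _ in rows)
    rows.append(("Other", other, round(100.0 * other / total, 1)))
    return rows, total


def format_stats(title, rows, total):
    """Render rows in the same bracketed layout used above."""
    out = [f"[{title}] Email Provider Stats:", ""]
    for domain, n, pct in rows:
        out.append(f"[{domain}]".ljust(24) + f"{n:>10,}  ({pct}%)")
    out += ["", f"TOTAL: {total:,}"]
    return "\n".join(out)


def stats_from_file(path, top_n=10):
    """Hypothetical helper: run the breakdown over a real file, one record per line."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return domain_stats(fh, top_n)


if __name__ == "__main__":
    rows, total = domain_stats(SAMPLE_ORDERS, top_n=3)
    print(format_stats("sample orders", rows, total))
```

On the constructed sample the top three are gmail.com (3, 50.0%), protonmail.com (1) and hotmail.com (1), with example.org landing in the Other bucket. Open the real files with `errors="replace"` as shown; dumps like this are rarely clean UTF-8 and a single bad byte should not abort a million-line pass.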

Wow, that’s a lot more data than Ledger admitted to, just as we suspected. So Ledger either:

  • Knowingly downplayed the breach and underreported the data loss
  • Unknowingly misreported the breach because they didn’t understand its severity

Either possibility is obviously very troubling.

Don’t Trust, Verify – Download the Data Yourself

I wanted to avoid writing this article, but people have had difficulty accessing the data, and there has been confusion over the two data sets. To make it worse, tools like Have I Been Pwned are reporting to ALL users that their names and physical addresses have been leaked, even if their email only appears in the large subscription list.

They really should have loaded it as two separate data sets, but I guess they had their own reasons for not bothering.

In the end Troy Hunt mentioned they loaded it as one breach because it was just easier that way ¯\_(ツ)_/¯

I’ll point out that the reason I’m making this available is that it is important Ledger users see it. Criminals already have it, so there is no point staying quiet about it. I also really don’t like it when people lord over this type of data, and responsible disclosure is hugely important these days, so here we are.
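Because the two files mean different things (email only versus name, address and phone), the check worth running is which file you are in, not just whether you are in the dump at all. The following is an added example, not the author’s code and not anything from Have I Been Pwned: it indexes both files, normalizes addresses before comparing (lower-casing, and for Gmail also stripping dots and `+tags`, since Gmail delivers those to the same inbox), and reports `orders`, `subscription-only` or `not-found`. The sample lists are constructed, the order-record layout is an assumption, and `load_index_from_file` is a hypothetical helper for the real files.

```python
import re

# Same regex idea as the provider breakdown: find the address wherever it sits
# in the line instead of assuming a field layout.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample lists, not the leaked files. In real use pass the lines of
# "All Emails (Subscription).txt" and "Ledger Orders (Buyers) only.txt".
SAMPLE_SUBSCRIPTION = [
    "alice@gmail.com",
    "bob@gmail.com",
    "carol@protonmail.com",
    "erin@example.org",
]
SAMPLE_ORDERS = [
    "Alice Example;alice@gmail.com;+1 555 0100;12 Sample St;Toronto;CA",
    "Bob Example;BOB@Gmail.com;+1 555 0101;3 Example Ave;Calgary;CA",
    "Carol Example;carol@protonmail.com;+33 1 00 00 00;1 rue Exemple;Paris;FR",
]


def normalize(email):
    """Canonical form for comparison.

    Lower-cases everything; for Gmail also drops dots and '+tags' in the local
    part, because a.lice+ledger@gmail.com and alice@gmail.com are the same
    inbox, so a scammer mailing either copy reaches the same person.
    """
    local, _, domain = email.strip().lower().rpartition("@")
    if domain in ("gmail.com", "googlemail.com"):
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def load_index(lines):
    """Set of normalized addresses found anywhere in the given lines."""
    return {normalize(m) for line in lines for m in EMAIL_RE.findall(line)}


def classify(email, subscription_index, orders_index):
    """Return 'orders' (name, address and phone exposed), 'subscription-only'
    (email only) or 'not-found'. Orders wins because it is the worse case."""
    e = normalize(email)
    if e in orders_index:
        return "orders"
    if e in subscription_index:
        return "subscription-only"
    return "not-found"


def load_index_from_file(path):
    """Hypothetical helper: build an index from one of the real files."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return load_index(fh)


if __name__ == "__main__":
    subs = load_index(SAMPLE_SUBSCRIPTION)
    orders = load_index(SAMPLE_ORDERS)
    for probe in ("Alice@Gmail.com", "b.o.b+ledger@gmail.com",
                  "erin@example.org", "mallory@example.net"):
        print(f"{probe:26} -> {classify(probe, subs, orders)}")
```

Run it locally against your own copy of the files; the point of the normalization is that a plus-tagged Gmail address you used only for the Ledger order still matches your main address, so you do not get a false `not-found`. A hit in `orders` is the case where the advice below about your physical address applies.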

Horror! I’m in the breach what now?


If you find yourself in this breach, here is what I would do:

  • Use a different email address. Now. You can forward emails from the old address to the new one, but label them so you know their origin.
  • Get a new phone number and think hard about any services you gave the old number to, especially those that still use SMS for 2FA, like Google. If you can afford it, keep the old number for a few months and give anyone who calls or texts it your new number.
  • In future, use a PO box for any sensitive shipments like this. A UPS store will do this for $5 per shipment here in Canada.
  • Also use a throwaway email and a fake name for sensitive shipments.
  • Your home may not be a safe place for your seed phrase if you are in the addresses list. Consider keeping it somewhere else unless you move to a new address.

I hope this helps alert those who were affected, and that is my only motivation for providing the files. At the end of the day, everyone who was impacted has a right to know what was leaked.

In the future always remember that privacy and security are two sides of the same coin. Without one the other doesn’t exist.