Large-scale database hack discovered by eagle-eyed bug bounty hunter

Ledger data breach impacts one million users, hardware wallet funds are 'safe'

Ledger cryptocurrency wallet owners have been warned to watch out for phishing emails, after a data breach resulted in the contact details of approximately one million users being exposed.

In a security advisory issued earlier today (July 29), Ledger said a researcher participating in the company’s bug bounty program flagged a potential data breach on the Ledger website.

A subsequent investigation revealed that an unauthorized third party had access to “a portion” of the hardware wallet supplier’s e-commerce and marketing database through an exposed API key.

The data breach has resulted in the email addresses of approximately one million users being exposed. For a subset of 9,500 customers, these details also include first and last name, postal address, and phone number.

Fresh phish

According to Ledger, the compromised database was used to send order confirmations and promotional emails, and has no bearing on the security of users’ payment information or the cryptocurrency funds stored on their hardware wallets.

That said, users have been urged to exercise caution over a potential influx of phishing emails purporting to originate from Ledger and seeking to gain control of users’ accounts.

“To put it simply, Ledger will never ask you for the 24 words of your recovery phrase,” the company warned.

“If you receive an email that looks like it came from Ledger asking for your 24 words, you should definitely consider it a phishing attempt.”

According to Ledger, the exposed API key was deactivated within 24 hours of discovery.

The hardware wallet supplier said it was filing a formal complaint with authorities.

“We are actively monitoring for evidence of the database being sold on the internet, and have found none thus far,” Ledger said.

“We also performed an internal penetration [test] and we are pushing forward the external penetration testing that was originally planned for September.”

The Daily Swig has approached Ledger for additional comment.
