Ledger Hack - Letter from CEO

Dear Ledger clients,

As you know, Ledger was targeted by a cyberattack that led to a data breach in July 2020. Yesterday, we were informed about the dump of the content of a Ledger customer database on Raidforum. We believe this to be the contents of our e-commerce database from June 2020.

At the time of the incident, in July, we engaged an external security organisation to conduct a forensic review of the logs available. This review of the logs enabled us to confirm that approximately 1 million email addresses had been stolen as well as 9,532 more detailed personal information (postal addresses, name, surname and phone number) that we were able to specifically identify. 

The database publicly released yesterday shows that a larger subset of detailed information has been leaked, approximately 272,000 detailed information such as postal address, last name, first name and telephone number of our customers. These details are not available in the logs that we were able to analyse. Transparency in our operations and communications has always been a priority. This has not changed.

Beyond the rumors and diverse interpretations of this event that have been made in the past few hours, I want to state a few simple but fundamental things to put in perspective the reality of this situation.

In Ledger’s name, we very deeply regret this situation. We are aware that many of you have been targeted by e-mail and SMS phishing campaigns and that it’s clearly a nuisance. I know this breach is disappointing at best and infuriating at worst.

Our #1 goal remains to provide you with the best protection and security for your digital assets. To be very clear: this data breach has no link nor impact on our hardware wallets, the app or your funds. Your crypto assets are safe. While very truly and sincerely regrettable, this breach concerns only e-commerce related information. 

Ledger is doing everything in its power to reinforce our data security even more: for the past few months, we’ve been fighting the scammers with you in their attempt to steal your 24 words. This has been extensively documented on our website and blog. You can now follow the status on ongoing phishing campaigns on a single page: Ongoing phishing campaigns. We have also recruited world-class talent for our new CISO joining us in a few days. We are strengthening even further all our security resources and efforts – the Bounty Program, the Dungeon and all procedures that will allow 24/7 testing of our systems. All of these actions have been listed here:  The Battleground Against Phishing Attempts. 

Some of you have also expressed concerns about potential physical attacks as some of your shipping addresses were leaked. We understand the emotions created by this situation, yet important to acknowledge that there is no way to make any correlation between the data that has leaked and the funds on your wallet.

Regardless, Ledger has been designed with the threat of physical attack in mind, as it is always a potential threat. There are features and ways to protect yourself:

• If you enter an incorrect PIN code three times in a row, the device will reset after the third incorrect attempt as a security measure.  
  (See: Reset to factory settings)

• Plausible Deniability: instead of entering your passphrase each time you need it, you can attach it to a second PIN on your Ledger device. This results in having two valid PIN codes: one will unlock the normal set of accounts, the other the alternative set of accounts.
  (See: Ledger 101 — Part 4: Advanced Security Principles)

• Finally, do not keep your Recovery sheet in a safe at home. A bank vault is much more secure. Not having immediate access to your backup increases your resilience to physical threats. 
  (See: Ledger 101 — Part 3: Best Practices When Using a Hardware Wallet)

Regardless of recent events, if you keep a lot of value in your home, we invite you to regularly evaluate your own security scheme, and always apply the best market standards.You can find a lot of relevant information on https://www.ledger.com/academy  & https://www.ledger.com/.

That being said, most of the attacks you’ll be facing are online scams trying to steal your 24 words. We’ll never say it too often: the one important thing is to NEVER ever share your 24 words with ANYONE. Not even Ledger. We will never ask you for them. Also, Ledger will never contact you via text messages or phone call. Many have asked if your funds could be affected if you never shared your 24 words. I’ll be very clear: NO. Your funds are safe.

To put things in perspective and not to undermine our responsibility, it has become clear that we have entered an era in which cyberattacks will occur more and more; they have been at an all time high in 2020 (World’s Biggest Data Breaches & Hacks — Information is Beautiful). It is a growing global problem we are all facing with digital acceleration. Investing in the future of security has become more necessary and urgent than ever. That’s precisely Ledger’s mission: we continuously invest to improve security standards. That’s also why we won’t be refunding customers like some have suggested – instead, the best and most sincere thing we can offer is our dedication to being better and making these investments to continuously upgrade the security of the products we make available for you.

In this fight to #StopTheScammers, in the spirit that’s always been ours and the crypto communities, we need you by our side.

We will give the necessary updates as our analysis continues to give our community full transparency on the developments on this topic on https://www.ledger.com/phishing-campaigns-status.

If you have any further questions, please first check the FAQ and if your question is not answered there, reach out to us via customer support.

Sincerely,
Pascal Gauthier
CEO, Ledger