
Ultimate Resource On Ledger Hardware Wallet (#GotBitcoin?)

French hardware wallet manufacturer Ledger has announced that its cryptocurrency management software Ledger Live now supports Ethereum (ETH) ERC-20 tokens.

In a blog post published on Sept. 5, Ledger announced version 1.14.0 of its Ledger Live software, which now supports over 1,250 Ethereum-based ERC-20 tokens. The update has already been released for both the mobile and desktop versions of the software.

More Assets To Be Supported In The Future

The Ledger Live application allows users of the company’s hardware wallets such as Ledger Nano S or Ledger X to manage their devices and cryptocurrencies. The firm also promises to add support for more assets in the future:

“While the ERC-20 token integration has brought a plethora of new cryptocurrencies to Ledger Live, we still aim to add even more crypto assets to the platform.”

As Cointelegraph reported, in March Ledger unveiled vulnerabilities in the devices of its direct competitor Trezor. Prague-based crypto wallet manufacturer Trezor responded to Ledger’s report by claiming that none of these weaknesses are critical.

Updated: 12-10-2019

Ledger Live Adds Support For Tezos And Staking, Adds Features To Hardware Wallets

Hardware wallet manufacturer Ledger has announced the latest version of its Ledger Live application, adding support for Tezos (XTZ) and Tezos staking.

Unveiled last year, Ledger Live is a software solution that allows Ledger hardware wallet users the ability to manage their digital assets via a smartphone or computer. Ledger Live lets users check their cryptocurrency balance and send or receive tokens, while maintaining control of their private keys. Ledger CEO Pascal Gauthier told Cointelegraph:

“Ledger aims to combine security with a seamless user experience. The announcement with Tezos is exactly part of this mission. Ledger Live makes it easy to use crypto, while Ledger hardware wallets provide a high level of security. Ledger Live users can now create or import Tezos accounts, stake XTZ and passively earn rewards.”

From Hardware to Software

While adding support for XTZ creates an additional layer of security for token holders, it is noteworthy that Ledger Live lets users grow their digital assets through staking, which is a way for crypto holders to earn passive income.

XTZ operates on a proof-of-stake blockchain protocol. While Bitcoin and other cryptocurrencies operate using proof-of-work systems — in which miners compete against each other to complete transactions on the network to get rewarded — the Tezos blockchain requires all token holders to participate in securing and maintaining the network.

The aim of Tezos is to help token holders work together to make decisions that will improve the protocol over time. In turn, Tezos rewards users for contributing to the network’s security, a process known as staking (or “baking” in Tezos terminology).

Although staking Tezos is important for maintaining the network, this feature is typically available to users through major cryptocurrency exchanges, like Binance and Coinbase. Yet, according to Gauthier, this has been problematic due to the questionable level of security on these exchanges.

Gauthier pointed out that storing XTZ on a Ledger hardware wallet and then providing users with a platform to stake Tezos creates a much more secure solution. Moreover, he noted that the cryptocurrency industry is heading in a direction where hardware capabilities are being combined with software features:

“Hardware will always be important. Our customers like being able to store their crypto on a Nano, which remains the most secure hardware wallet on the market. But we have to think about where the industry is growing and going – and offering Tezos staking on Ledger Live is a signal that we are moving in a direction where strong UX coupled with less friction, allows customers to interact and transact with their crypto easily, quickly and still securely.”

Staking Tezos is an example of how Ledger Live aims to integrate new services seamlessly within a single application on a smartphone or computer.

“We expect to bring more prominent features via software to our users in the future,” noted Gauthier.

Giving Users More Control

Additionally, since Tezos operates on a proof-of-stake consensus model, users can either participate by staking or by delegating their tokens to those who can stake for them. In order to stake Tezos, users must have at least 8,000 XTZ tokens. However, users can delegate their tokens to a delegation service — known as “bakers” in the Tezos community — without transferring their ownership. This allows all participants the ability to earn the rewards generated, minus the validator’s commission.

Major exchanges that provide Tezos staking also offer a delegation service and typically charge commission fees on all rewards received. Unlike those exchanges, Ledger Live lets users choose who to delegate their tokens to without applying additional fees.

“We’ve been working closely with the Tezos community to make staking more convenient. On major exchanges, users have to do everything themselves, meaning they have to find someone to delegate their coins to or go through a custodian. Ledger Live empowers users to make their own choices by allowing them to choose who to delegate their tokens to. This is part of the nature of our open platform. We want to make sure users can access their entire crypto journey through Ledger Live,” said Gauthier.

How Will The Community React?

While the integration of Tezos is important for Ledger Live to widen the array of services offered on its platform, which currently supports 1,250 ERC-20 tokens, the impact of the development will be measured by its resonance with the Tezos community.

“It will be interesting to see how the Tezos community receives the Ledger partnership,” President and Founder of TQ Tezos, Alison Mangiero, told Cointelegraph. “Right now we have external development teams working on applications that have been integrated into Ledger, but this makes for a much more seamless user experience. It will also be interesting to see new features incorporated into Ledger Live when upgrades are made to the Tezos protocol.”

Updated: 3-6-2020

Ledger Wallet Warns of Fake Google Chrome Extension Stealing Crypto

Major cryptocurrency hardware wallet supplier Ledger has warned its users about another phishing attack trying to steal their crypto — this one using a Google Chrome extension.

In a March 5 tweet, the French crypto company specified that there is a fake extension on Google Chrome browser that attempts to steal users’ crypto by asking them to enter their 24-word recovery phrase to access their wallet.

Ledger Live Gets Removed From The Chrome Web Store

The phishing attack was reported by Catalin Cimpanu, a cybersecurity reporter at business technology news website ZDNet on March 4. According to Cimpanu, the malicious Chrome extension was first discovered by Harry Denley, director of security at blockchain interface platform MyCrypto.

According to the report, the fake Chrome extension is called Ledger Live. It tries to mimic the real mobile and desktop application Ledger Live that allows Ledger wallet users to approve transactions by syncing their hardware wallet with a trusted device.

As of press time, the fake Ledger Live extension had apparently been removed from the Chrome Web Store. According to the report, the phishing extension was downloaded at least 120 times before it was taken down.

Fake Extension Was Advertised By Google Ads

As reported by ZDNet, the malicious extension was trying to mislead users into thinking that it was the Chrome version of the original Ledger Live app, which would allow them to check balances and approve transactions via Chrome. Users were apparently prompted to install the extension and connect their Ledger wallet to it by entering the wallet’s seed phrase, the backup phrase used to regain access to a wallet.

MyCrypto exec Denley, who first uncovered the phishing attack, reportedly ridiculed the malicious extension by claiming that it makes no sense to install and use such an extension with a hardware wallet that is meant to protect funds by storing cryptocurrency offline.

However, Denley still admitted that he would not be surprised if the fake extension has tricked people, adding that it’s a “big problem in the cryptocurrency area, to teach people their private keys/mnemonics should stay offline.” The malicious extension could apparently have misled some users, taking into account the fact that it was advertised by Google’s online advertising platform Google Ads, as reported by Denley.

In the warning announcement, Ledger emphasized that it would never ask users for their recovery phrase, urging them never to share the 24-word seed phrase or enter it into any device connected to the Internet. This is, however, not the first time Ledger users have encountered a fake Chrome extension. As reported by Cointelegraph in early January, another malicious Chrome extension stole about $16,000 in the privacy-focused cryptocurrency Zcash (ZEC).

Updated: 7-6-2020

Ledger Crypto Wallet Claims Purported Vulnerability Is User Experience Flaw

Ledger’s chief technology officer Charles Guillemet said that the recently revealed vulnerability is nothing more than a user experience flaw.

Leading crypto hardware wallet producer Ledger has denied that its product’s transaction management software featured a double-spend vulnerability.

According to Ledger’s CTO Charles Guillemet, the vulnerability recently revealed by software wallet ZenGo is, in fact, nothing more than a user experience flaw. He explained the nature of the issue in Ledger’s hardware wallet companion software, Ledger Live, to Cointelegraph:

“It’s important to understand that rather than an attack, the actual flaw may be seen more as a clever piece of trickery. Trickery is not a vulnerability. However, we do want to prevent anyone from falling victim to these kinds of clever schemes. […] It’s just a UX issue that could be used by a dishonest product buyer.”

The Claims Are Not New

ZenGo’s claims are closely related to those released by Bitcoin Cash (BCH)-focused firm BitcoinBCH at the end of 2019. At the time, the firm’s CEO Hayden Otto explained in a video how a Bitcoin (BTC) point-of-sale solution misled merchants into believing non-confirmed transactions were final and accepting them.

Like BitcoinBCH, ZenGo noted that Bitcoin’s replace-by-fee (RBF) feature lets a sender easily replace an unconfirmed transaction with a new one that pays a higher fee to a different target address. It is worth noting that this feature only makes it easier to exploit the non-finality of unconfirmed transactions, something that is harder, but still possible, without RBF.

Furthermore, ZenGo’s report also points out that RBF “does not introduce any new vulnerabilities in itself” and instead “it explicitly puts the responsibility on wallet applications and users to identify unconfirmed transactions as unsafe.” This is confirmed by Guillemet:

“We want to thank ZenGo for having responsibly disclosed this issue to us. […] We do want to prevent anyone from falling victim to these kinds of clever schemes. A way to prevent this is of course to make sure that any transaction is first confirmed. Ledger Live is releasing an update on July 2nd. A warning is now displayed on pending transactions.”

ZenGo said that it was awarded a bug bounty for bringing attention to the issue.
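The check the Ledger Live update describes (warn on pending transactions) as an added example, not Ledger Live's or ZenGo's code. The transaction shape is a constructed, simplified decoded transaction: "confirmations", "vin", "sequence", "vout" and "value" follow Bitcoin Core's decoded-JSON naming, while the per-output "address" key is an assumption made for this example.

```python
# Added example, not Ledger Live's or ZenGo's code: a payee-side check that
# refuses to treat a payment as final until it has confirmations, and flags
# transactions that explicitly opt in to replace-by-fee (BIP125), the case
# ZenGo described. The transaction dict is a constructed, simplified decoded
# transaction; the per-output "address" key is assumed for this example.

# BIP125: a transaction is replaceable if any input has nSequence below this.
RBF_SEQUENCE_THRESHOLD = 0xFFFFFFFE


def signals_rbf(tx: dict) -> bool:
    """True if at least one input opts in to replace-by-fee (BIP125)."""
    return any(vin.get("sequence", 0xFFFFFFFF) < RBF_SEQUENCE_THRESHOLD
               for vin in tx.get("vin", []))


def payment_status(tx: dict, min_confirmations: int = 1) -> str:
    """Classify a payment as 'final', 'pending' or 'pending-rbf'.

    final        at least min_confirmations confirmations; safe to act on
    pending-rbf  unconfirmed and explicitly replaceable: the sender can
                 cheaply redirect it, so never treat it as paid
    pending      unconfirmed; replacement is harder without RBF but still
                 possible, so still wait
    """
    if tx.get("confirmations", 0) >= min_confirmations:
        return "final"
    return "pending-rbf" if signals_rbf(tx) else "pending"


def amount_paid_to(tx: dict, address: str) -> int:
    """Sum (in satoshis) of the outputs that pay the given invoice address."""
    return sum(vout["value"] for vout in tx.get("vout", [])
               if vout.get("address") == address)


def should_release_goods(tx: dict, address: str, expected_sats: int) -> bool:
    """The merchant-side decision: confirmed AND pays the invoice in full."""
    return (payment_status(tx) == "final"
            and amount_paid_to(tx, address) >= expected_sats)


# Constructed sample: an unconfirmed payment whose single input signals RBF.
INVOICE_ADDRESS = "constructed-merchant-invoice-address"
SAMPLE_RBF_PAYMENT = {
    "txid": "constructed-txid-1",
    "confirmations": 0,
    "vin": [{"txid": "constructed-prev-txid", "vout": 0, "sequence": 0xFFFFFFFD}],
    "vout": [{"value": 5_000_000, "address": INVOICE_ADDRESS}],
}

if __name__ == "__main__":
    print(payment_status(SAMPLE_RBF_PAYMENT))                                   # pending-rbf
    print(should_release_goods(SAMPLE_RBF_PAYMENT, INVOICE_ADDRESS, 5_000_000))  # False
```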

Updated: 7-29-2020

Data Breach At Crypto Wallet Firm Ledger Exposes User’s Personal Info

Hardware wallet provider Ledger said its marketing database was breached between June and July.

Major cryptocurrency hardware wallet provider Ledger has alerted customers to a data breach it faced in June and July.

In an email on July 29, the company said it was made aware of the breach on July 14 when a researcher participating in its bounty program reached out with details of a potential vulnerability on their website.

While Ledger was able to fix the issue immediately, a further investigation by the team found that an unauthorized third party had carried out a similar action on June 25.

The individual used an API key to access the marketing and e-commerce database the company used to send promotional emails.

According to Ledger, this compromised the email addresses of almost one million people. The firm added that, for a subset of 9,500 customers, details such as first and last name, postal address and phone number were also exposed.

The company claimed the API key used to access the database has since been deactivated.

After investigating the matter in tandem with third parties and confirming the breach, Ledger said it notified the French Data Protection Authority, CNIL. Reassuring their users of their funds’ security, Ledger wrote in a blog post:

“Your payment information and crypto funds are safe […] Regarding your e-commerce data, no payment information, no credentials (passwords), were concerned by this data breach. It solely affected our customers’ contact details.”

The company also said that it is monitoring online marketplaces to find evidence of the stolen data being sold, but has found none so far.

Ledger advised users to be vigilant regarding phishing attempts by malicious scammers and said it would never ask them for their recovery phrases.

Updated: 8-5-2020

A Newly Discovered Vulnerability In Ledger Wallet Could Be Disastrous If Not Properly Fixed

Ledger has failed to fully fix a major vulnerability that allows for a “Bitcoin Fork” attack.

A recent report contends that the Ledger app has failed to fix a major vulnerability that allows for a “Bitcoin Fork” attack.

Mo Nokhbeh has claimed that Ledger’s wallet fails to properly isolate the apps responsible for authorizing the transactions of different assets. This creates a vulnerability where a user’s wallet can be fooled into authorizing a transaction for a less valuable asset — such as Litecoin (LTC), Bitcoin Cash (BCH) or any other Bitcoin fork coin — when in reality, a Bitcoin (BTC) transaction is being released. Nokhbeh told Cointelegraph:

“This app should be isolated such that it only signs for testnet derivation paths. However, sending it a regular mainnet bitcoin transaction will pass. In addition, it will present the TX as if it’s testnet bitcoin, to a testnet bitcoin address.”

According to Nokhbeh, he made Ledger fully aware of this vulnerability, and despite acknowledging it, the company has failed to fix it. Instead, they have chosen to release an update to their existing app that will provide users with a warning prompt if such an exploit is detected.
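The isolation rule the report says was missing, as an added example that is not Ledger's firmware or code: a per-asset signing app accepts only derivation paths whose coin_type belongs to its own network, so the testnet app never signs a mainnet Bitcoin path. The coin type numbers are the registered SLIP-44 values; the path format is BIP44-style.

```python
# Added example, not Ledger's firmware: the isolation check the report above
# says the signing app lacked. A per-asset signing app should refuse any
# request whose BIP44-style derivation path carries a coin_type belonging to
# a different network. Coin type numbers are the registered SLIP-44 values.
import re

# SLIP-44 coin_type registry entries for the assets the report mentions.
COIN_TYPES = {
    "bitcoin": 0,
    "bitcoin_testnet": 1,
    "litecoin": 2,
    "bitcoin_cash": 145,
}

_PATH_RE = re.compile(r"^m(/\d+'?)+$")


def parse_path(path: str) -> list:
    """Turn "m/44'/0'/0'/0/5" into [(44, True), (0, True), (0, True), (0, False), (5, False)]."""
    if not _PATH_RE.match(path):
        raise ValueError(f"malformed derivation path: {path!r}")
    levels = []
    for part in path.split("/")[1:]:
        hardened = part.endswith("'")
        levels.append((int(part.rstrip("'")), hardened))
    return levels


def coin_type_of(path: str) -> int:
    """Return coin_type from a purpose/coin_type/account/change/index path.

    BIP44 requires the first three levels to be hardened; anything else is
    rejected rather than guessed at.
    """
    levels = parse_path(path)
    if len(levels) < 3 or not all(hardened for _, hardened in levels[:3]):
        raise ValueError(f"not a BIP44-style path: {path!r}")
    return levels[1][0]


def may_sign(app: str, path: str) -> bool:
    """Signing policy: the app named by `app` signs only paths with its own coin_type."""
    if app not in COIN_TYPES:
        raise KeyError(f"unknown app {app!r}")
    try:
        return coin_type_of(path) == COIN_TYPES[app]
    except ValueError:
        return False     # malformed or non-BIP44 paths are refused, not guessed


if __name__ == "__main__":
    # The case from the report: a mainnet Bitcoin path sent to the testnet app.
    print(may_sign("bitcoin_testnet", "m/44'/0'/0'/0/0"))   # False
```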

Updated: 8-30-2020

Ledger CTO Discusses Wallet’s Safety After Multiple Security Setbacks

What’s behind Ledger’s tough stint recently? Charles Guillemet, the company’s CTO, responds to all the questions and criticism.

Ledger, one of the crypto industry’s most popular hardware wallet providers, has faced multiple difficulties in recent weeks, including a breach in the company’s customer contact database and a wallet vulnerability putting users’ Bitcoin (BTC) at risk.

Are the recent events simply a summation of a few difficult weeks, or is a larger unraveling at play?

Charles Guillemet, the chief technology officer of Ledger, told Cointelegraph: “As far as the database breach, an attacker got access to a portion of our e-commerce and marketing database through a third party’s API key that was misconfigured on our website, which allowed unauthorized access to our customers’ contact details and order data.”

Ledger’s Data Breached

The breach dates back to June and July 2020. Ledger received a tip on July 14 mentioning the firm’s website and a possible associated weakness, as the report by Cointelegraph detailed.

Although Ledger repaired the issue following the tip, the company discovered that someone had already exploited the weakness on June 25, leading to nearly 1 million leaked email addresses — with 9,500 affected customers seeing other private data leaked, such as their phone numbers and names.

Guillemet said Ledger repaired the issue and disabled the troublesome API key that same day. “In addition, no payment information, credentials (passwords) or crypto funds were impacted,” he added. “This data breach has no link nor impact on our hardware wallets and the Ledger Live application,” he explained.

“Customer crypto assets have always been safe and are not in peril,” he said, crediting Ledger’s device makeup for its security, as it gives authority over funds back to the users.

Jake Yocom-Piatt, the project lead at cryptocurrency Decred, said he was not surprised by the incident, noting companies usually give less attention to their e-commerce database defenses.

“When your core product is secure hardware, it is easy to forget that the security of your e-commerce software system is also important,” he told Cointelegraph, adding: “Many larger organizations view software security as a sunk cost because it falls outside their core product offering, so they cannot market it and extract profit.”

Wallets Had A Software Vulnerability

Shortly following the data breach, Ledger device holders read about another difficulty surrounding their wallet of choice on Aug. 5, as a software vulnerability surfaced. The hole essentially provided a bridge between Bitcoin and its various forks, such as Litecoin (LTC).

Harnessing the flaw, attackers could make a transaction seem associated with one asset, while confirming the transaction on the device would approve a separate transaction for a different asset — unbeknownst to the wallet owner.

Ledger issued a software update the same day, correcting the issue. On Aug. 26, when asked for additional comments, a Ledger public relations representative pointed toward an explanation of the situation on the company’s blog posted on Aug. 5, which explained that a bounty hunter found the vulnerability, leading to Ledger’s mentioned update in response.

“We’d like to assure you that this vulnerability cannot be used to obtain sensitive data like your private keys or recovery phrase,” Ledger clarified in the write-up.

Ledger Wallets Still Effective

Despite the recent difficulties, Ledger wallets remain a popular option for crypto storage. “Ledger and other hardware wallets are a major security upgrade for the average cryptocurrency user because it prevents remote access attacks — e.g., keylogging — from succeeding,” Yocom-Piatt said, adding:

“However, the protection against remote theft that comes with a hardware wallet is typically paired with a distinct decrease in privacy since the hardware wallet supplier can see exactly which coins a wallet controls.”

Twitter user CryptoGainz tweeted out difficulties he faced when working with his Ledger wallets on Aug. 13, citing unreliable software. Although the comment came shortly after the Aug. 5 vulnerability issue, the situation proved unrelated, with CryptoGainz still expressing faith in the wallet company as a crypto storage option.

“They’re a safe way to store crypto, they just suck for trading via metamask on Uniswap,” CryptoGainz told Cointelegraph in a Twitter DM chat, citing an online wallet provider/decentralized application avenue and the latest decentralized exchange trading craze, Uniswap.

Ledger Customer Protection

Although Ledger’s wallets provide parameters for enhanced security, users still must know best practices and tactics for the protection of their assets. “We’re most worried about phishing attempts — emails from scammers pretending to be us,” Guillemet explained.

A phishing scam occurs when a malicious party sends an email, or another form of communication, disguising itself as a different person or company in an attempt to gain private information from the target.

“We’ll never ask our clients for the 24 words of their recovery phrase,” Guillemet said, urging customers to harness two-factor authentication, while also pointing toward educational information on security found on Ledger’s website.

Aside from phishing attacks, Ledger holds safeguards against malware. “Ledger devices are designed to protect users’ funds against malware on users’ computers, including fake Ledger Live applications,” Guillemet explained, referencing Ledger’s desktop application for interacting with wallet devices.

He specified that users should make sure to get the app from Ledger’s official online site or app store.

Yocom-Piatt also spoke on protection against company data breaches, such as the one Ledger suffered. “Since e-commerce systems typically have weak security, I recommend that users ordering these devices have them sent to an address that is not their primary residence,” he said.

Using a different physical address shields customers from exposure of their residence, should such a breach occur, helping guard against potential in-person Ledger wallet device theft. “Also, when possible, you should avoid using the wallet software supplied by the hardware wallet vendor to maximize your privacy,” he added.

Self-custody over assets is a major selling point in the crypto industry, although it requires knowledge and technical prowess. The complexity involved might explain the push for mainstream crypto trading products, such as exchange-traded funds in which companies custody assets for investors.

Updated: 9-18-2020

Ledger Wallet Upgrade Can Prevent ‘Dusting Attacks’

Cold wallet maker Ledger adds more privacy protection to its software suite.

Hardware wallet maker Ledger has recently upgraded its software suite to include more privacy and control over crypto transfers to help prevent ‘dusting attacks’.

A dusting attack is one in which a malicious actor sends small amounts of Bitcoin to a wallet in order to break its owner’s privacy and set up further attacks.

Ledger Live version 2.11.1 introduces a new feature called Coin Control which gives users the ability to adjust transaction settings to include more privacy or optimal fee usage.

The announcement added that the feature works by managing the multiple Bitcoin addresses of a Hierarchical Deterministic (HD) wallet. Users can now select the addresses they want to spend from using Coin Control, instead of the previous default first-in, first-out (FIFO) method, which automatically used the oldest address.

This matters because it prevents third parties from tracking transactions through tiny amounts of BTC, called dust, which are worth less than the fee needed to spend them. If these tiny unspent transaction outputs (UTXOs) accumulate and are later spent together with the owner’s other coins, chain analysis can be used to trace the owner’s identity. A large-scale dusting attack was carried out on Litecoin users in August 2019.

Ledger stated that with Coin Control, users can simply choose not to use this tiny UTXO, adding:

“As such, they cannot track any movements. In short: it can be a game changer when it comes to your privacy.”

Other features on the software upgrade include an optimization of the network fee structure by allowing users to choose UTXOs with higher value, thus reducing the byte size of the transaction. It also has the ability to select specific addresses for transfers should there be a need to keep payments separated.

Reddit users applauded the upgrade, with one adding:

“This will make dust attacks useless. Also having the ability not to include small inputs when fees are high is great. I’ve been waiting for this feature. Thumbs up!”

Others asked for more functionality such as the addition of TOR, which is open-source software that facilitates anonymous communications. The addition of personal nodes was also requested as some users have trust issues when using a centralized company like Ledger.
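What Coin Control lets a user do by hand, automated as an added example that is not Ledger Live's implementation: skip dust (any UTXO worth less than the fee needed to spend it), optionally skip small inputs when fees are high, and pick the largest UTXOs first to keep the transaction small. Values are in satoshis, the fee rate in sat/vB, and the size constants are approximate P2WPKH figures assumed for this example.

```python
# Added example, not Ledger Live's implementation: coin selection that never
# spends dust and prefers fewer, larger inputs. Values in satoshis, fee rate
# in sat/vB; the size constants are approximate P2WPKH figures (assumed).

INPUT_VBYTES = 68      # approximate size of one P2WPKH input
OUTPUT_VBYTES = 31     # approximate size of one P2WPKH output
OVERHEAD_VBYTES = 11   # version, locktime, counts, segwit marker/flag


def dust_threshold(fee_rate: int) -> int:
    """A UTXO at or below this value costs more to spend than it is worth."""
    return INPUT_VBYTES * fee_rate


def is_dust(utxo: dict, fee_rate: int) -> bool:
    return utxo["value"] <= dust_threshold(fee_rate)


def estimated_fee(n_inputs: int, n_outputs: int, fee_rate: int) -> int:
    return fee_rate * (OVERHEAD_VBYTES + INPUT_VBYTES * n_inputs + OUTPUT_VBYTES * n_outputs)


def select_coins(utxos, target, fee_rate, n_outputs=2, min_input=0):
    """Largest-first selection that never spends dust.

    Returns (selected_utxos, fee). n_outputs=2 assumes a payment output plus
    a change output. min_input lets the user raise the floor above the dust
    threshold when fees are high, so small inputs are left untouched.
    """
    floor = max(dust_threshold(fee_rate), min_input)
    candidates = sorted((u for u in utxos if u["value"] > floor),
                        key=lambda u: u["value"], reverse=True)
    selected, total = [], 0
    for utxo in candidates:
        selected.append(utxo)
        total += utxo["value"]
        fee = estimated_fee(len(selected), n_outputs, fee_rate)
        if total >= target + fee:
            return selected, fee
    raise ValueError("insufficient non-dust funds for target plus fee")


# Constructed wallet: two tiny outputs received unsolicited (the "dust"),
# plus three genuine UTXOs.
WALLET_UTXOS = [
    {"txid": "constructed-dust-1", "vout": 0, "value": 546},
    {"txid": "constructed-dust-2", "vout": 1, "value": 1_000},
    {"txid": "constructed-pay-1", "vout": 0, "value": 150_000},
    {"txid": "constructed-pay-2", "vout": 0, "value": 40_000},
    {"txid": "constructed-pay-3", "vout": 0, "value": 3_000},
]

if __name__ == "__main__":
    chosen, fee = select_coins(WALLET_UTXOS, target=100_000, fee_rate=20)
    print([u["txid"] for u in chosen], fee)   # ['constructed-pay-1'] 2820
```

Note that the dust threshold moves with the fee rate: the 546-satoshi output is dust at 20 sat/vB but spendable at 1 sat/vB, which is why a user may want the extra min_input floor when fees are high.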

Updated: 10-10-2020

Ledger Wallet Company Passes Official Security Audit

The process was meant to ensure that customer information is handled properly by the company.

Ledger, a crypto company providing a number of hardware wallet solutions, has passed a System and Organization Controls (SOC) 2 Type 1 examination.

Friedman LLP, a New York-based accounting firm, ran the SOC 2 Type 1 test on Ledger, according to a statement provided to Cointelegraph:

“By obtaining the SOC 2 Type 1 report, we are now able to provide an additional layer of verified security to our clients, assuring that the Vault solution is secured at all times and that we have the processes in place to ensure availability.”

A crypto storage solution for larger players and companies, Ledger Vault operates as a custody wing under the broader Ledger company.

The SOC 2 exam analyzes a company’s security by way of an audit, verifying the proper handling of customer information by service-based entities. “As a proof of compliance to the AICPA auditing procedure, SOC 2 Type 1 report shows that a SaaS [software-as-a-service] firm has best practices in place,” a blog post from RSI Security explained.

“It gives potential customers the assurance that a service organization has passed the said auditing procedure, and that their data is safe if they work with the SOC 2-compliant company,” the post added.

In contrast, a SOC 2 Type 2 exam raises the bar, testing against more in-depth standards while requiring a longer time horizon for a green light.

During the SOC 2 Type 1 analysis, Friedman investigated Ledger on a number of levels, including its disaster recovery strategy and its security, as well as a host of other technical specifics.

“Receiving this attestation is an achievement as it shows our processes and systems are streamlined, documented and overall secure,” Ledger’s chief technology officer, Charles Guillemet, said in the statement. Next year, the company aims toward securing a SOC 2 Type 2 approval, according to comments in the statement from Ledger CEO Pascal Gauthier.

The exam green light comes after Ledger suffered a database leak several months ago, which exposed customers’ information. The popular hardware wallet company fixed the root of the problem following the incident.

Crypto exchange Gemini announced that it had similarly passed its SOC 2 Type 2 test in January 2020.

Updated: 10-12-2020

Ledger Wants To Help MicroStrategy Secure Its $400M Bitcoin Treasury

Square’s SubZero cold wallet is great, but Ledger Vault is better, says the company’s VP of Product.

Ledger is mostly known for its consumer-facing hardware wallets, but since last year, a number of enterprises have also begun to use Ledger Vault, according to the company’s vice president of product, Jean-Michel Pailhon.

This product is focused on providing custody solutions to enterprise clients. In fact, the Ledger team is currently trying to sell MicroStrategy on the advantages of its product.

MicroStrategy is a business intelligence company that made a splash in August 2020 by converting a large portion of its treasury into Bitcoin (BTC). More recently, Square, which just acquired $50 million worth of Bitcoin, developed SubZero, an in-house open-source framework, to secure its assets.

Pailhon said that both employ HSMs, or Hardware Security Modules, for the management of digital assets. HSMs have been used for decades for securing critical data and are generally considered invulnerable.

Though SubZero may be a great framework, Pailhon opined that it is best suited to tech companies like Square that know how to deploy and manage HSMs. He said that Ledger will set these up for its clients, and that “they don’t necessarily need to know how it works. They just need to use the solution.”

We asked Pailhon to walk us through onboarding a company like MicroStrategy. He said that one of the first steps would be to decide how many people will be involved in authorizing transactions. A typical setup would require 2-of-3 signatures, where perhaps the CEO, chief financial officer and general counsel each hold one signature.

All the private keys would be stored on an HSM. At the same time, parts of the private keys may be stored in several physical vaults.

When a company officer wants to initiate a transaction, he would log into Ledger Vault and input the desired transaction. Then, a notification would be sent to all three signatories. To approve it, they would have to log in and connect their Ledger Blue hardware wallet to their computer.

Finally, they would enter their unique Ledger Blue PIN to sign the transaction. There is also an additional layer of protection: any one of the signatories can choose to abort the transaction altogether, provided that the minimum number of signatures has not yet been reached.

Pailhon elaborated that though Ledger provides the backend and takes care of the HSM infrastructure, the client acts as its own custodian. This may present a problem as some companies may be required by law to use a regulated custodian. He explained that this does not present a real challenge though:

“If you need a regulated custodian, you can ask a regulated entity to become one of the signees in the transaction process.”
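The approval flow Pailhon describes, modelled as an added example that is not Ledger Vault's implementation: a fixed set of authorized signers (which may include a regulated custodian, as the quote suggests), an M-of-N quorum, and the rule that a signer can abort only while the quorum has not yet been reached. Signer names and the policy are constructed.

```python
# Added example, not Ledger Vault's implementation: a minimal model of an
# M-of-N transaction approval with the "abort only before quorum" rule.
from dataclasses import dataclass, field


@dataclass
class PendingTransaction:
    description: str
    signers: frozenset           # authorized approvers (officers, custodian, ...)
    threshold: int               # 2 for a 2-of-3 policy
    approvals: set = field(default_factory=set)
    state: str = "pending"       # pending | approved | aborted

    def __post_init__(self):
        if not 1 <= self.threshold <= len(self.signers):
            raise ValueError("threshold must be between 1 and the number of signers")

    def _authorize(self, signer: str) -> None:
        if signer not in self.signers:
            raise PermissionError(f"{signer!r} is not an authorized signer")

    def approve(self, signer: str) -> str:
        """Record one approval; the transaction is released once the quorum is met."""
        self._authorize(signer)
        if self.state != "pending":
            raise RuntimeError(f"transaction already {self.state}")
        self.approvals.add(signer)            # a repeat approval counts once
        if len(self.approvals) >= self.threshold:
            self.state = "approved"
        return self.state

    def abort(self, signer: str) -> str:
        """Any authorized signer may abort, but only before the quorum is met."""
        self._authorize(signer)
        if self.state == "approved":
            raise RuntimeError("quorum already reached; abort is no longer possible")
        self.state = "aborted"
        return self.state


def new_treasury_transfer(description: str) -> PendingTransaction:
    """Constructed 2-of-3 policy: CEO, CFO and general counsel each hold one key."""
    return PendingTransaction(description,
                              frozenset({"ceo", "cfo", "general_counsel"}), 2)


if __name__ == "__main__":
    tx = new_treasury_transfer("constructed: move BTC to cold storage")
    print(tx.approve("ceo"), tx.approve("cfo"))   # pending approved
```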

Meanwhile, MicroStrategy has not named its Bitcoin custodians, though it publicly acknowledged the associated risks:

“While we hold the bulk of our BTC assets with established cryptocurrency custodians, a successful security breach or cyberattack could result in a partial or total loss of our BTC assets in a manner that may not be covered by insurance or indemnity provisions of our custody agreements with those custodians.”

Updated: 10-16-2020

Ledger’s Recent Security Audit Was Unconnected To Their Data Breach In June

It seems the review was already in process before the attack ever occurred.

Popular hardware wallet company Ledger recently announced that they had passed a notable security evaluation, known as SOC 2 Type 1. This certification came following a significant data breach the company suffered in June. Ledger did not, however, decide to conduct its security audit because of the breach, according to comments from a Ledger representative.

“Ledger is always seeking to raise the security standards and has been working on getting the attestation prior to the data breach,” the representative told Cointelegraph.

News of Ledger’s completed SOC 2 Type 1 audit came in October, essentially giving the market a level of confidence based on a trusted mainstream security benchmark.

“The SOC II attestation refers both to the System, in this case, Ledger Vault only, and the Organization: Ledger as a whole,” the representative explained. “Hence, if the SOC 2 Type 1 only applies to Ledger Vault, the Ledger organization as a whole has been audited (onboarding of collaborators, third party interactions, etc.).”

Ledger was made aware of a database weakness in July, which it quickly patched. The company, however, also uncovered an earlier, larger data breach that occurred in June, which leaked thousands of customers’ names, addresses and other potentially sensitive information.

Kristy-Leigh Minehan, former CTO of Core Scientific, told Cointelegraph: “SOC2 Type 1 is about assessing the design of a security process (or processes) at a specific point in time (or, as of a specified date).” She clarified:

“They would only be evaluated up until the point when they executed it, not necessarily when they were awarded it.”

Updated: 11-6-2020

Ledger Owners Lose 1.1 Million XRP To Scam Site

After a major leak of email and personal information earlier this year, Ledger customers are experiencing a surge in phishing attempts.

Phishing attempts and scams against Ledger wallet owners are on the increase with one such scam netting more than 1,150,000 XRP from its victims.

The scam used a phishing email that directed users to a fake version of the Ledger website that substituted a homoglyph in the URL — in this case a letter that looked like the letter ‘e’ but wasn’t. On the fake site, victims were fooled into downloading malware posing as a security update which drained the balance from their Ledger wallet.

According to community-run fraud awareness site xrplorer, the XRP collected from the scam was sent to Bittrex across five deposits, but the exchange was “unable to seize [the XRP] in time.”

In a similar ongoing scam, a phishing email that appears to be sent from the official account for “Team Ripple” appeals to Ledger users by offering an XRP giveaway to “whitelisted addresses” as part of a “Community Support Program.” The registration process involves handing over your Ledger seed phrase or crypto private key in order to qualify for the non-existent program.

In an email to customers sent on Jul. 29th of this year, Ledger acknowledged that it had been the victim of a data breach in which close to a million email addresses were compromised, along with the personal details of a subset of 9,500 customers.

Although the vulnerability leading to the leak on the Ledger website was quickly patched, the damage had already been done, and scammers appear to be coming up with creative ways to use the addresses to trick Ledger users into giving up their coins.

The idea of crypto credential phishing via homoglyph-containing URLs is not new and scams employing this tactic have been targeting XRP holders across the course of the entire year, even before the email leak.

In 2018, scammers set up a fake Binance site, complete with an SSL certificate. However, eagle-eyed users noticed the ‘n’ had been replaced with a version that included an underdot (ṇ).
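The detection side of the homoglyph trick described above, as an added example (not Ledger’s or Binance’s code): it reduces a hostname to the ASCII string a reader would see, so that a swapped-script letter or an underdotted ‘ṇ’ is caught when the result matches a trusted brand. The TRUSTED allow-list, the small confusables table and the two-label “registrable domain” approximation are assumptions for the example.

```python
"""Flag hostnames that imitate a trusted brand with look-alike characters.

Models the two tricks the article describes: a letter swapped for a visually
identical one from another script, and a Latin letter carrying an extra mark
such as the underdot in "binaṇce". Assumptions: TRUSTED is the defender's own
allow-list, CONFUSABLES is a hand-picked subset of Unicode's confusables.txt,
and the registrable domain is approximated by the last two labels (use the
Public Suffix List in production).
"""
import unicodedata
from urllib.parse import urlsplit

TRUSTED = {"ledger.com", "binance.com"}

# Look-alike code points -> the ASCII letter a reader sees. Accented Latin
# letters (e.g. U+1E47 "n with dot below") need no entry: NFKD splits them
# into base letter + combining mark, and the mark is dropped in skeleton().
CONFUSABLES = {
    "\u0430": "a", "\u0441": "c", "\u0501": "d", "\u0435": "e",
    "\u0261": "g", "\u04bb": "h", "\u0456": "i", "\u0131": "i",
    "\u04cf": "l", "\u043e": "o", "\u0440": "p", "\u0455": "s",
    "\u0445": "x", "\u0443": "y", "\u03bf": "o", "\u03b1": "a",
}


def decode_idna(host: str) -> str:
    """Turn punycode labels (xn--...) back into the Unicode a browser shows."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host  # already Unicode, or malformed punycode: inspect as-is


def skeleton(host: str) -> str:
    """Reduce a hostname to the ASCII string a human would read it as."""
    out = []
    for ch in decode_idna(host).lower():
        for part in unicodedata.normalize("NFKD", ch):
            if unicodedata.category(part).startswith("M"):
                continue  # combining mark (the underdot): invisible to most readers
            out.append(CONFUSABLES.get(part, part))
    return "".join(out)


def scripts_used(host: str) -> set:
    """Writing systems present among the letters of host (LATIN, CYRILLIC, ...)."""
    return {
        unicodedata.name(ch, "UNKNOWN").split(" ")[0]
        for ch in decode_idna(host)
        if ch.isalpha()
    }


def registrable(host: str) -> str:
    """Last two labels of the hostname (assumption: good enough for .com)."""
    return ".".join(host.split(".")[-2:])


def classify(url: str) -> tuple:
    """Return (verdict, brand_it_resembles) for the hostname in url.

    verdict is one of: trusted, homoglyph-spoof, mixed-script, unknown.
    """
    host = (urlsplit(url).hostname or "").rstrip(".")
    shown = decode_idna(host).lower()
    reg = registrable(shown)
    if reg in TRUSTED:
        return ("trusted", reg)
    looks_like = registrable(skeleton(shown))
    if looks_like in TRUSTED:
        return ("homoglyph-spoof", looks_like)
    if len(scripts_used(shown)) > 1:
        return ("mixed-script", looks_like)
    return ("unknown", looks_like)


# Constructed sample URLs, modelled on the cases in the article.
SAMPLES = [
    "https://www.ledger.com/start",
    "https://www.l\u0435dger.com/update",                  # Cyrillic "е" for "e"
    "https://bina\u1e47ce.com/login",                      # underdot "ṇ" for "n"
    "https://" + "l\u0435dger.com".encode("idna").decode("ascii") + "/x",  # punycode
    "https://ledger-live-update.net/download",             # no homoglyph, plain lookalike
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(f"{u:55} -> {classify(u)}")
```

The plain-ASCII lookalike in the last sample is deliberately reported as “unknown”: the skeleton check only catches character substitution, and brand-in-label heuristics would be a separate rule.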

In March, creators of a fake Google Chrome extension for Ledger managed to steal 1.4 million XRP in less than a month.

Updated: 11-30-2020

Former Digital Head At Luxury Brand Group LVMH Takes Role At Ledger

Ian Rogers, newly appointed as a chief experience officer at Ledger, says digital assets are moving from “science fiction” to the mainstream.

The revolving door between traditional finance and the crypto space is well established. Now, executives from the luxury goods sector appear to be following in their steps.

Ian Rogers, formerly the chief digital officer at LVMH, is taking on a new role as “chief experience officer” at Ledger, the well-known French crypto hardware and software maker. LVMH was formed in 1987 from the merger of high fashion house Louis Vuitton and Moët Hennessy, which itself formed from a merger of champagne maker Moët & Chandon and cognac producer Hennessy, back in 1971.

The newly-created role of chief experience officer involves taking charge of business-to-consumer operations and “reinventing the user experience” of Ledger’s products.

In An Official Statement Rogers Gave An Insight Into How He Plans To Approach This New Role:

“I remember when you couldn’t simply say ‘go to my website’ […] You had to first explain the concept of the internet […] I love those moments when technology moves from science fiction to mainstream. Digital assets are standing on the verge of this move.”

Rogers further referred to the “inevitable transformation” from marginal, geek technology to mass product, and to the cryptocurrency “revolution” when speaking of Ledger and the nascent digital assets industry.

At LVMH, where he worked from 2015 onwards, Rogers’s work involved overhauling the e-commerce strategy at luxury brands and implementing new technologies, such as big data and AI, to help with this goal. Prior to his time at LVMH, he worked at Apple Music, Yahoo Music and Beats Music, having begun his career as a website developer for the American band the Beastie Boys.

Cryptocurrencies have often been described as a finance “counterculture,” both in academic papers and the mainstream press, due to their origins in libertarian and cypherpunk movements. Now that their appeal has broadened, and their relationship to mainstream finance has become ever more intertwined, Ledger’s move to onboard luxury brand executives is, perhaps, not as surprising as it would have been in the industry’s earlier, more offbeat days.

Updated: 12-20-2020

Ledger Users Threaten Legal Action After Hacker Dumps Personal Data

A cybersecurity expert claimed the affected users would be targeted online and in person now that their personal information had been made public.

The hacker that breached hardware wallet provider Ledger’s marketing database earlier this year has released personal data for thousands of users, prompting many to threaten the firm with a class-action lawsuit.

According to a tweet from network security firm Hudson Rock’s Alon Gal, a hacker allegedly behind the breach of personal data from hardware wallet Ledger in June has made all the information they obtained available online. This reportedly includes 1,075,382 email addresses from users subscribed to the Ledger newsletter, and 272,853 hardware wallet orders with information including email addresses, physical addresses, and phone numbers.

“This leak holds major risk to the people affected by it,” said Gal. “Individuals who purchased a Ledger tend to have high net worth in cryptocurrencies and will now be subject to both cyber harassments as well as physical harassments in a larger scale than experienced before.”

In a response on Twitter, Ledger said “early signs” seemed to confirm that the released information was from the June data breach that compromised the personal data of many of its users. Following news of the hack, many Ledger users reported being targeted through phishing attempts. Some said they received convincing-looking emails asking them to download a new version of the Ledger software.

“We are continuously working with law enforcement to prosecute hackers and stop these scammers,” said Ledger. “We have taken down more than 170 phishing websites since the original breach.”

After experiencing months of reports on phishing attacks, many users were seemingly unsatisfied with Ledger’s response.

“If any lawyers want to start a class action suit, I’m sure many of us will jump on board,” said Twitter user Ryan Olah. “This has just gotten 10,000x worse now.”

Though someone’s tokens are most likely not in danger of being siphoned out of Ledger wallets, users could potentially compromise their own funds by falling for such phishing attempts sent to the affected emails or phone numbers. Many have reported that such attacks have been trying to trick them into giving up their seed phrases, prompting Ledger to reiterate:

“Never share the 24 words of your recovery phrase with anyone, even if they are pretending to be a representative of Ledger. Ledger will never ask you for them. Ledger will never contact you via text messages or phone call.”

However, some Ledger users pointed out that phishing attacks are just one possible threat they may face now that their physical addresses are public. People with a large amount of crypto holdings run the risk of being kidnapped and held until they give up their tokens, as was the case with Singaporean entrepreneur Mark Cheng in January.

“This is a serious breach and I am concerned that people now have our addresses,” said Twitter user Paul Smith. “What’s stopping them from knocking on our doors? Saying sorry, frankly, isn’t enough.”

Updated: 12-21-2020

Doxxed Ledger Users In Danger Of Physical Harm

Ledger hardware wallet users might be in danger of physical attacks, with their addresses part of the user data dump by suspected hackers.

While users affected by the Ledger data dump are threatening legal action, some wallet owners might be at the risk of being visited by criminals. According to a Redditor named “u/relephants,” some users have begun receiving threatening emails demanding a $500 payment or else risk being attacked in their homes.

This development opens up another risk factor for Ledger users whose private information has been leaked by the hacker. Apart from home invasions, the affected Ledger owners also have to deal with phishing and SIM swapping exploits, among others.

Actual robberies connected to Bitcoin (BTC) are not uncommon, especially when the victim is known to be a holder of the popular cryptocurrency. Back in September 2019, a Norwegian millionaire was reportedly forced to jump from his second-floor balcony to escape armed robbers.

The Ledger data dump also throws into stark relief the dangers of centralized storage of customer data. Meanwhile, United States authorities are pushing for stricter Know Your Customer compliance for noncustodial wallet owners.

Updated: 12-23-2020

From SIM-Swaps To Home-Invasion Threats, Ledger Leak Has Cascading Consequences

As soon as he learned he was among the thousands of Ledger customers whose personal information had been published online Sunday, JimboChewdip, as he’s known on Twitter, acted fast. Not fast enough, however.

JCD, as we’ll call him, spent Monday morning changing his passwords, only to get a notification that a new device had been added to one of his two-factor authentication (2FA) accounts. He then tried to log into his email. It was locked.

“Within minutes I started getting notifications about password changes on Coinbase, Binance, Dropbox,” he later told CoinDesk. “I tried to call T-Mobile over Wi-Fi but it wouldn’t work with the SIM disabled so I reached out to them on Twitter and got someone from Support to lock my account.”

At the same time, JCD posted a Twitter thread about the situation.

“By the time I got into my Coinbase Pro account and checked the balance, there had been a sale of the coins I held to bitcoin and one withdrawal of the entirety of my account,” he said. “No response from Coinbase support.” Around $2,000 worth of cryptocurrency was gone.

While he can’t prove the SIM-swap attack executed against him was tied to the Ledger leak, “the timing is certainly suspicious,” he said.

The data dump exposed for anyone to see 1 million email addresses and 272,000 names, mailing addresses and phone numbers belonging to people who had ordered Ledger’s devices, which store the private keys for cryptocurrency wallets. The number of people affected was much higher than the 9,500 the company estimated when it disclosed a hack in July.

The incident illustrates the tangible harm such leaks can inflict and the variety of ways people’s data can be used to compromise them, and it raises questions about whether, and how, certain data should be retained at all. If someone gets into a centralized repository of sensitive information, it’s all there for the taking and subsequent leaking.

Hackers are taking advantage of the situation in a variety of ways, including using the data to pursue SIM-swap attacks like one carried out against JCD. Such an attack involves tricking employees of a telecommunications provider into porting the victim’s phone numbers to the attacker’s device.

This allows the attacker to use or bypass 2FA to access crypto wallets or social media profiles, for example.

Even more ominously, some users have received physical threats. In one instance, a user allegedly received an email from someone trying to extort their cryptocurrency by saying they were “not afraid to invade their home.”

Je Regrette

With the U.S. government and some top cybersecurity companies being breached by a months-long cyber-espionage campaign, governmental mandates for data retention may be due for reconsideration.

“Data breaches are extremely common. The only difference with this [Ledger] breach is that those affected are juicy high-value targets for spear phishers and con artists,” said Jameson Lopp, the chief technology officer (CTO) at crypto custody startup Casa. “As such, criminals will go to more extreme efforts than they would with other data breaches because the potential payout is much higher per targeted user.”

On Tuesday, Ledger, based in Paris, tweeted that “there has been a new wave of phishing attacks taking place since yesterday, threatening our users physically” and that victims should never pay the ransom.

In an interview, Ledger CEO Pascal Gauthier emphasized first and foremost how sorry he was the hack and the subsequent leak had occurred in the first place.

“I want to put an emphasis on how sorry we are because I think it’s important for our clients, to know that what affects them affects us,” he said.

He said the initial hack was, in part, a result of the company scaling so quickly and that he and incoming Chief Information Security Officer Matt Johnson would be announcing a new data policy and plan to further address the leaks in January.

Gauthier said the physical threats were likely phishing attempts and that the company was allegedly seeing those emails go out in multiple languages, meaning the likelihood someone would actually attempt to physically attack a user was slim.

“When it comes to crypto, it’s much cheaper and much easier to do a phishing attack from home than to attack someone at their home,” he said. “Attackers will go for the cheapest attacks, and phishing is definitely the cheapest attack before doing anything else.”

As other companies, including rival hardware wallet maker CoinKite, announced, seemingly in response to the leak, that they would wipe user data after a certain period, Gauthier questioned the legality of such actions, given that, he said, tax requirements mandate that some subset of user data be kept for 10 years. (“We are compliant with Canadian regulation,” said a representative for Toronto-based CoinKite.)

Gauthier also noted that data breaches have been steadily increasing, and this is an issue that goes beyond Ledger.

“The problem of hacking and having your data leaked is not so much a question of if, it’s more a question of when,” he said.

‘Purge It ASAP’

Crypto trader Scott Melker put JCD in touch with Haseeb Awan, the CEO of Efani, a cybersecurity company focused on preventing SIM-swap attacks. Efani offers 11 layers of authentication for SIM cards, and every account requires a minimum of seven authentication steps when a user wants to replace the SIM card.

Awan helped JCD secure his number and PIN in short order. If he hadn’t, said JCD, much “more damage could have been done.”

“With the Ledger hack, we’ve noticed at least a 10-times increase in our victim helpline call volume, and we anticipate it to keep on growing as the holiday approaches since there’ll be no support for the victims from their existing carriers,” said Awan. “Criminals generally attack after-hours or on holidays since victims are generally not paying attention to their phones and can’t access support due to holidays.”

Awan said the Ledger list is a honeypot of potential targets for criminals that’ll be used over the next few months for different types of attack. The most common ones will likely include cell phone SIM swaps or email compromises. Instances of identity theft or accessing someone’s physical address were a lower risk, he said.

Lopp said his biggest takeaway from the Ledger data dump was that “information wants to be free. It is fundamentally impossible to guarantee that any data you store won’t be leaked.”

The only foolproof way to prevent leaks is to not collect data in the first place, he said. The second-best option is to only hold data as long as it’s needed and automatically purge it once you are finished using it, something Gauthier said Ledger is looking into.

Lopp added that while holding email addresses for the long term for marketing purposes is completely understandable, holding the names, physical addresses and phone numbers of customers once a delivery was complete and the return window expired is harder to justify.

And it could have been worse: The leaked data was only from the past year or two of orders, not the whole order history dating back to 2014, when Ledger released its first product.

“Don’t collect what you can’t protect. Personal information should be treated like toxic waste,” said Lopp. “If you must collect some PII [personal identifiable information] for business purposes, purge it as quickly as possible to minimize the amount of data you have on hand at any point in time.”

Updated: 12-24-2020

Ledger Data Leak: A ‘Simple Mistake’ Exposed 270K Crypto Wallet Buyers

Ledger wallet users face mounting home invasion and other scareware threats as hacker dumps private customer information online.

The hacker likely responsible for Ledger’s security breach in July recently dumped a large amount of data exposing the personal information of over 270,000 customers, including phone numbers and physical addresses. The leak also included 1 million emails of Ledger wallet owners and customers that were signed up to the company’s newsletter service.

Amid the furor caused by the incident, Ledger says its focus is on improving its security infrastructure rather than reimbursing users for any losses that may occur. Meanwhile, some affected customers are reportedly considering taking legal action against the company in the form of a class-action lawsuit.

The Ledger customer data leak also offers fresh fodder for the debate against implementing more Know Your Customer compliance protocols, critics of which argue that such measures encourage targeted cyber attacks aimed at exposing critical personal data.

Over 270,000 Personal Account Details Compromised

As mentioned, the hacker presumably responsible for breaching the Ledger e-commerce database back in July dumped the personal information of thousands of affected users online.

The company was blamed on social media for not providing better protection of user data and downplaying the extent of the initial breach. At the time, the hardware wallet maker declared that only 9,500 customers were affected by the security breach.

Addressing the disparity in the reported number of people affected, Ledger issued a statement on Dec. 21 declaring that the leak covered more material than it was able to analyze earlier in the year.

However, the company affirmed that customer funds remained safe, adding: “This data breach has no link nor impact on our hardware wallets, the app or your funds. Your crypto assets are safe. While very truly and sincerely regrettable, this breach concerns only e-commerce related information.”

Responding to the incident via Twitter, Ledger CEO Pascal Gauthier remarked that the leak was indicative of the growing threat of cyberattacks. Appearing on the What Bitcoin Did podcast with Peter McCormack, Gauthier commented on the nature of the breach, stating that it was the result of a mistake in the company’s e-commerce stack.

“It’s a wrong API key that got coded on the map client to import the database from the store that got coded in the wrong placements and so, therefore, was coded where it should not have been coded and exposed the database to a simple attack,” explained Gauthier.

Amid the reactions to the leak, some cybersecurity experts highlighted that the incident was another pointer to the lack of encryption deployment by database administrators in storing user data. The Ledger CEO addressed the lack of encryption on the API keys, adding that it was an honest mistake and not a deliberate attempt to jeopardize customer safety by failing to hash API keys.

Commenting on the leak, Ruben Merre, CEO of hardware wallet maker NGRAVE, remarked that the incident was reflective of rapid growth among crypto firms coming at the expense of security considerations. He added: “So many online platforms get hacked, and not necessarily because of the hackers’ skill. Often, platforms just have bad security governance, let alone implementation.”

‘Scareware’ And Other Risk Factors

The data leak has triggered another round of phishing attacks as rogue actors, now armed with the emails of Ledger users, attempt to trick the wallet’s customers into revealing their 24-word seed phrase. Even before the data dump, such phony emails were a regular occurrence.

However, the exposure of phone numbers and personal addresses potentially opens up Ledger users to more risk factors.

Some users have reported attempted SIM swapping attacks on their numbers with the hacker presumably trying to compromise two-factor authorization protocols.

Crypto investors have been targets of SIM swap attacks in the past. Back in June, Richard Yuan Li was charged with conspiracy to commit wire fraud in connection with a series of SIM swap attacks that targeted over 20 individuals.

Apart from phishing and SIM swap exploits, the data leak also opens up the possibility of the risk factors moving beyond scareware into the realm of actual physical attacks. Indeed, some users affected by the incident claim to have received threatening messages asking for payments or risk possible home invasions.

The Ledger CEO has acknowledged the possibility of physical attacks as a result of the company’s oversight, and has also assured users that their hardware wallet devices contained several protective protocols to safeguard against the theft of funds.

Among these security measures are wiping the device after incorrect PIN-code entries and a second password that opens a decoy account, leaving the owner’s actual funds out of reach of bad actors.

Additionally, the consensus among security experts on social media is that consumers should use post office box addresses or other public pickup locations, rather than their home addresses, for sensitive items like a Ledger hardware wallet.

For those with compromised phone numbers, the best line of action appears to be getting a new number and using a new email address to communicate the change to important contacts.

While affected customers continue to deal with the fallout of the leak, Ledger says it is working to prevent future occurrences. In a statement to Cointelegraph, the company stated:

“We are doing everything in our power to cease these attacks and avoid situations like this in the future. Ledger has a set of measures in place to protect our users from falling victims to phishing attacks. We have set up a webpage sharing the anatomy of phishing attacks so users can avoid falling for them and report any new attacks.”

Affected Users Threaten Legal Action

Some affected users began advocating for legal action against Ledger immediately following the reported leak. There is even a “Ledger wallet leak” subreddit on the Reddit platform, where users are discussing possible modalities for a class-action lawsuit.

With its headquarters in Paris, Ledger falls under the laws of the European Union. In November, the European Parliament adopted legislative amendments that will allow EU customers to institute class-action lawsuits against companies operating in the region within the next two years.

According to the ruling at the time, once passed into law, class-action lawsuits can be filed against companies operating in the EU for cases involving financial services, tourism and data protection, among others.

Ledger’s EU customers will require a qualified consumer protection body or some other recognized entity to represent the complainants. However, unlike U.S. laws, punitive damages from EU class-action lawsuits are restricted to the actual losses incurred by the class of plaintiffs.

Apart from customers filing a lawsuit against the company, the data leak might also constitute a breach of privacy in the eyes of European regulators, specifically under the EU General Data Protection Regulation. In such situations, the EU has the ability to fine Ledger up to 4% of its revenue.

Indeed, with the Ledger CEO having admitted to the company anonymizing user data improperly, the company could come under scrutiny from EU officials. Recital 26 of the GDPR mandates all companies to ensure complete removal of all the information that can identify users from their cache of stored or processed data.

Updated: 1-13-2021

Ledger Adds Bitcoin Bounty and New Data Security After Hack

Rogue actors at e-commerce partner Shopify exposed 20,000 new Ledger customer records, including emails, names, postal addresses and phone numbers.

Matt Johnson, Ledger’s new Chief Information Security Officer (CISO), had no choice but to hit the ground not just running but, well, sprinting. His first week of work entailed scrutinizing the fallout from an extensive data dump of customer information, among other areas such as data security and increased attacks that would come as a byproduct of bitcoin pumping.

In the aftermath of the largest hack in company history, and a little over a week after Johnson started, the hardware wallet company Ledger has announced its first measures to address the data breach and ensure such a hack doesn’t happen again.

These include working with blockchain analytics firm Chainalysis to hunt the hackers, offering a 10 BTC bounty for information leading to the hacker’s arrest and carrying out a comprehensive review of what information the company holds onto, where it’s stored and how long it’s retained.

Simultaneously, Ledger revealed that because of rogue actors at e-commerce partner Shopify, 20,000 new customer records, including emails, names, postal addresses and phone numbers, along with what products were ordered, have been exposed.

The Ledger Hack

Ledger publicly revealed that customer information had been compromised in July 2020. At the time, the company estimated 9,500 customers had been affected by the hack. In the following months, CoinDesk documented a string of convincing phishing attempts executed by the hackers, including emails that mimicked official Ledger correspondence and text messages.

Then, in December 2020, a data dump “exposed 1 million email addresses and 272,000 names, mailing addresses and phone numbers belonging to people who had ordered Ledger’s devices, which store the private keys for cryptocurrency wallets,” as CoinDesk reported. The number of people affected was much higher than the original estimate of 9,500.

A rash of SIM swaps were reported in the days following the data dump and some customers started getting extortion emails, including threats of violence.

In an interview last December, Ledger CEO Pascal Gauthier told CoinDesk the initial hack was, in part, a result of the company scaling so quickly, and that he and incoming CISO Matt Johnson would be announcing a new data policy and plan to further address the leaks in January.

Now, Ledger has released new information about the hack, revealing that it was likely due, in part, to rogue actors at Shopify, its e-commerce partner at the time.

Shopify’s Rogue Agents

On Dec. 23, 2020, Ledger was notified by Shopify of an incident “involving merchant data in which rogue member(s) of their support team obtained customer transactional records, including Ledger’s. The agent(s) illegally exported customer transactional records in April and June 2020,” according to a blog post.

Shopify told Ledger the data breach was part of its disclosure in September 2020, which involved over 200 merchants. Until Dec. 21, 2020, though, Shopify had not “discovered that Ledger was also targeted in this attack.” Shopify told Ledger it is continuing to investigate and that the issue had been reported to law enforcement.

In conjunction with forensic firm Orange Cyberdefense, Ledger examined the 292,000 stolen data records. It found that while the database is quite similar to the personal information exposed in the previous attack, there were 20,000 new customer records compromised.

The company said it notified customers who were affected on Jan. 13.

Ledger’s Data Security After The Hack

First and foremost, in a blog post, Ledger reiterated the company will never ask customers for their 24 recovery words, which can be used to access bitcoin and crypto wallets. They also stressed that as long as customers had not shared these words, their Ledger hardware devices were secure.

“We are announcing changes in the way Ledger will collect and handle customer data: keeping personal data for as short a time as legally possible, minimizing the display of personal data in emails, moving needed data in a further segregated environment as soon as possible, and creating a secure channel for communicating 1:1 with our customers via Ledger Live,” the authors, including new CISO Matt Johnson, wrote.

First, Ledger is changing the way it stores data. In an interview, Johnson said that while he would prefer not to have to hold user data at all, the company is legally obligated to do so for a period of time. But Ledger is looking to go beyond the privacy protections required by the European Union’s General Data Protection Regulation (GDPR), according to Johnson.

“By going beyond the GDPR, what we mean is not ‘holding data longer than GDPR requires’, but quite the opposite,” said Johnson. “Our goal is to delete data such as name, address, and phone number as soon as possible, even if we would be allowed to keep them under the GDPR. Some data, however, we will need to keep to fulfill our legal obligations such as accounting or tax requirements, and this data will be further segregated to limit its access.”

Delete, Delete, Delete

Moving forward, Ledger will delete data from its e-commerce partner and move customer data to a database that cannot be accessed from the internet as soon as an order is fulfilled, then delete it as soon as it is legally able.

The company will also be deleting names, addresses and phone numbers from confirmation emails sent to customers so that this data is not passed through third-party e-commerce email providers.

Email and social media will only be used for marketing messages and announcements; Ledger Live accounts are being set up to communicate technical and security information, seemingly to avoid a repeat of previous phishing scams, in which scammers encouraged Ledger users to download “important security updates” via genuine-looking emails.

Finally, Johnson will be doing a comprehensive review of third parties handling the data.

“I will be going through and doing an examination of every single one of our third parties that we have to share or have the transmission of the data with as part of the supply chain,” said Johnson in a Zoom call.

“We’ll be going through and looking at making sure that all of their processes are appropriate and rigorous, because if we’re entrusting our data to them, we need to be 100% sure that they are actually operating to the best of their capability to meet all of those minimal requirements, and preferably push them to go beyond that.”

A Bitcoin Bounty And Law Enforcement

Ledger is working with various law enforcement agencies as well as the blockchain analytics firm Chainalysis. It has even set up a bitcoin bounty for information related to those responsible for the hack.

“We’re running down leads so we can actually be able to recover, if that’s at all possible, stolen funds if it’s landing on exchanges,” said Johnson. “We want to make sure information is all being obtained in a legal way and shared directly with law enforcement agencies.”

Johnson said Ledger wants to make sure all information gathering is done legally and “above board” with the goal of prosecuting the individuals responsible.

The blog post qualified the bitcoin bounty, stating that the BTC will be disbursed at the discretion of Ledger and will take a variety of factors into consideration. In echoing Johnson’s comments, these include whether the information has been obtained legally, whether it’s new, how substantial it is and how far it would go toward furthering the investigation and successful prosecution.

The company also hopes it can collaborate with other companies and individuals in the crypto industry to fund this bounty. It envisions a general purpose bounty fund, a sort of foundation to fight scamming and phishing attacks across the industry.

“We are actively trying to do things to protect and improve that ecosystem,” said Johnson.

Protecting Your Bitcoin Even When Recovery Phrase Is Shared

The Ledger engineering team is also developing a product that “will protect the funds of a user even if they had shared their recovery seed with an attacker.”

Jerôme De Tychey, Global Head of Client Success at Ledger, said in an email the majority of the phishing attacks rely on making the Ledger Nano owners reveal their 24-word phrase. Scammers seize on that opportune moment of panic where the owners believe their funds to be at risk. Remembering crucial safety measures at that moment is not always possible, especially when the scammers pose as Ledger support staff.

“We are acknowledging this problem and we will soon release a technical solution that will remove the 24 words as the single pillar of the security of our hardware wallets and will open the door to funds insurance as well,” said De Tychey in an email to CoinDesk.

Moving ahead, how and when these changes are clarified and implemented will go a long way toward regaining users’ trust. But they represent a step forward for Ledger’s security in the aftermath of an extensive data breach, and just may work for the crypto community more generally. With bitcoin and other altcoins booming, the security around crypto tools and products is an iterative process.

“There are always these new avenues that people attempt to exploit,” said Johnson. “So we have to do that continual reassessment and ask what else we can do to make this even more secure than what it is today.

Ledger wallets haven’t been compromised, so they’re going after the human elements time and time and time again. So what else can we do? What else can we do to help protect the end customer? Because these are real people.”

Updated: 3-16-2016

Ledger Doubles Down On Institutional Crypto With New Business Unit And Hiring Push

Banks used to tell Ledger they wanted to do “blockchain, not bitcoin.” Not anymore.

Ledger, the brand most people associate with hardware wallets, is doubling down on institutional business with a new unit and an aggressive hiring plan.

Announced Tuesday, Ledger Enterprise Solutions will drive forth the firm’s institution-focused Ledger Vault, the first crypto custody technology to be publicly linked to a major bank in the form of Nomura and the Komainu consortium, which recently raised $25 million.

As large financial institutions look to enter the new realm of digital assets, a handful of specialized custody technology firms, such as Anchorage, BitGo, Fireblocks and Curv (recently acquired by PayPal), are hoovering up this hand-holding business. Meanwhile, large corporate entities are also joining the party, following the likes of Tesla and MicroStrategy.

“We took the decision to create an independent business unit with around 50-60 people, aiming to grow that to about 120 people by the end of the year,” said Ledger Vice President of Business Solutions Jean-Michel Pailhon, who is leading the new division. “The Ledger Vault solution we created in 2018 has lived within the larger group, and now it needs to come into the light a little bit more.”

Joining Pailhon’s leadership team is newly appointed VP of Sales and Partnerships Alexandre Lemarchand. Beefing up things on the engineering side, Ledger Enterprise has hired former SIX Digital (SDX) developer Alex Zinder as VP of engineering and former Thales engineer Laurent Castillo as VP of technical architecture.

Ledger’s institutional custody tech clients include Komainu, Crypto.com, Uphold, Bank Frick, BitStamp and Nexo.

Komainu, a joint venture between Ledger, Nomura and CoinShares, went live in June after a two-year test period. Komainu’s recent $25 million seed round was led by hedge fund billionaire Alan Howard.

“We were a little ahead of the curve when we launched Komainu during a bearish market cycle, but that also gave us time to grow and develop and we have learned a lot,” Pailhon said in an interview.

Two or three years back, big banks would tell Ledger they wanted to do “blockchain and not bitcoin,” Pailhon said.

“The good news is that it’s now time for all the banks and institutional players to enter this market,” said Pailhon. “And guess what? Most of them are not equipped to build this from scratch and are looking for partners.”

Updated: 4-9-2021

Ledger Faces Class Action From Phishing Scam Victims

Ledger and Shopify are facing a class-action lawsuit over sensitive information regarding 270,000 of Ledger’s customers that was stolen by Shopify employees.

Ledger and Shopify have been hit by a class-action lawsuit over a major data breach that saw the personal data of 270,000 hardware wallet customers stolen between April and June 2020.

Phishing scam victims John Chu and Edward Baton filed the lawsuit in California against the crypto wallet provider and its e-commerce partner Shopify on Tuesday.

The plaintiffs alleged that the firms “negligently allowed, recklessly ignored, and then intentionally sought to cover up” the data breach. The data was stolen when rogue employees of Shopify accessed the company’s e-commerce and marketing database for Ledger, with the hackers then selling the data on the dark web.

“Had Ledger acted responsibly during this period, much of that loss could have been avoided,” they claim.

The pair are seeking redress for the damages caused by the breach, requesting “all relief allowed by law, including injunctive relief.” Chu lost $267,000 worth of Bitcoin (BTC) and Ether (ETH), and Baton lost $75,000 worth of Stellar (XLM) in phishing scams that impersonated correspondence from the firms.

The data, spanning full names, email, phone numbers and shipping addresses, was eventually posted on the website RaidForums in late December. The lawsuit accuses Ledger in particular of failing to “individually notify every affected customer or admit to the full scope of the breach.”

“Ledger’s and Shopify’s misconduct has made targets of Ledger customers, with their identities known or available to every hacker in the world. Ledger’s persistently deficient response compounded the harm. In failing to individually notify every affected customer or admit to the full scope of the breach.”

While it has yet to be proven if the firm knew the full scope initially, it published a blog post in July 2020 stating that 9,500 users had their data leaked at the time.

Ledger fully acknowledged the data leak on Jan. 13 in a blog post that confirmed that access to its user database had been a result of the Shopify hack, announced changes to how it stores data and communicates with customers, and offered a 10-BTC bounty fund for information leading to the successful arrest and prosecution of the hackers.



Your Questions And Comments Are Greatly Appreciated.

Monty H. & Carolyn A.
