Hardware wallet manufacturer Ledger has disclosed the details of a vulnerability that allowed attackers to gain access to the personal information of about a million users.
On July 14, a third-party researcher taking part in the bounty program reported the vulnerability to the company. The investigation found that on June 25, an unknown party had gained access to a database containing email and postal addresses, names, phone numbers, and information about purchased Ledger products. The attackers obtained unauthorized access using an API key, which has since been deactivated.
The company gave assurances that payment data, bank card information, and cryptocurrency accounts were not compromised and are safe. The developers noted that they fixed the vulnerability immediately after it was detected, and apologized to their users.
In a Twitter thread, the company urged wallet owners to be wary of phishing attacks and not to disclose the secret phrase used to restore access.
This breach affected our customers’ contact details, mostly email addresses.
No payment information, no credentials, no crypto funds were concerned.
Your funds are safe and have not been compromised. You are the only one in control of your crypto.
— Ledger (@Ledger) July 29, 2020
Recall that in early July, Kraken experts discovered vulnerabilities in the Ledger Nano X hardware wallets. Earlier, the developers of the ZenGo cryptocurrency wallet revealed a potential double-spending vulnerability identified in BRD and Edge products.