Ledger, the France-based maker of cryptocurrency hardware wallets, confirmed that rogue Shopify support staff obtained Ledger customers' personal information in April and June 2020. (Updated at 14:01 UTC: updates throughout the entire text.)
“Along with forensic firm Orange Cyberdefense we were able to establish that it affects approximately 292,000 customers. While the database is 93% similar to those exposed in the previous attack, there were approximately 20,000 new customer records, including email, name, postal address, product(s) ordered and phone number, included in this breach,” the company said, adding that customers who purchased a Ledger product after the end of June 2020, or who purchased their product outside of Ledger.com, were not exposed in these incidents.
“On December 23rd, 2020 we received a notification from our e-commerce service provider, Shopify, regarding an incident involving merchant data in which rogue member(s) of their support team obtained customer transactional records, including Ledger’s,” the company said on January 13, after completing forensics with Orange Cyberdefense.
According to Ledger, Shopify says this is related to the incident it disclosed in September 2020, which affected more than 200 merchants, but Shopify did not discover until December 21st, 2020 that Ledger was among the merchants targeted in that attack.
In May last year, Ledger denied claims that its databases had been compromised via a Shopify exploit. “We haven’t found any proof that this claim is legitimate,” the company said at the time.
Meanwhile, the company said today that they will “soon release a technical solution that will remove the 24 words as the single pillar of the security of our hardware wallets and will open the door to funds insurance for individual customers.”
In the meantime, they urged customers to “NEVER SHARE YOUR [SEED] 24 WORDS WITH ANYONE,” the warning that matters most here, since leaked names, emails and phone numbers are exactly what phishing attempts impersonating Ledger rely on.
The company also said that it notified the French Data Protection Authority (CNIL) on December 26th.
“We continue to work with Shopify and prosecutors on the case; an investigation is already underway, led by the FBI and the RCMP. Ledger also reported the events to the French Public Prosecutor and filed a complaint against the rogue agent(s),” they said, adding that they’re also hiring additional private investigation capacity.
The company also announced an initial BTC 10 (USD 346,173) bounty reserve for new information that would help prosecute the attackers.
As for the next steps, Ledger said they’re “changing the way we handle this data, to go above and beyond GDPR principles”:
- “We aim to put your e-commerce order information such as name, address, phone number in a segregated environment three months after the shipping of your product.”
- “We will be deleting the name, address, and phone number from the order confirmation emails we send to you so this data does not pass through our ecommerce email provider.”
- “We will implement a messaging model where proactive important security and technical information will be solely conveyed through Ledger Live.”
Also, they promised to re-assess all their suppliers and partners.