Hardware wallet manufacturer Ledger was affected by another data leak. The incident occurred through third-party provider Global-e, a payment service provider for the company. Blockchain analyst ZachXBT made the security leak public and warned users of an increased phishing risk.
Global-e confirmed unauthorized access to personal data of Ledger customers, including names and contact information. However, the company did not disclose the exact number of affected users. In an initial statement, Ledger emphasized that its own infrastructure was not compromised. The security vulnerability affected only Global-e's cloud systems. Recovery phrases, private keys, wallet balances, and payment information were not affected, as Global-e has no access to this sensitive data.
Third-party provider risk in focus of security debate
The incident highlights the vulnerability of hardware wallet providers through external service providers. Global-e discovered the unusual activity in its network and immediately initiated countermeasures. The company engaged forensic experts to investigate the scope of the security leak. The analysis confirmed that attackers had accessed personal data.
Ledger uses Global-e as an e-commerce partner for processing international payments. This approach enables the hardware wallet manufacturer to serve customers in different regions, but creates dependencies. Outsourcing payment processes to specialized service providers is common in the industry. However, this creates an extended attack surface, as customer data is stored at multiple companies.
The compromised information – names and contact details – appears less critical at first glance than wallet access credentials. Security experts nevertheless warn of the consequences. The data enables targeted phishing campaigns where attackers pose as Ledger employees and could trick users into revealing their recovery phrases.
Escalating phishing risk following data leaks
The exposed data provides cybercriminals with a foundation for sophisticated social engineering attacks. Affected users must expect an increase in fraudulent emails. These are professionally designed and appear legitimate. Attackers use the fact that genuine customer data is available to build trust.
After previous incidents, Ledger had already warned that the company never asks for recovery phrases, passwords, or verification codes. This basic rule remains central to protecting digital assets. Users should classify any communication requesting entry of sensitive data as fraudulent – regardless of how authentic it appears.
Security researchers recommend that affected users maintain heightened vigilance. This includes ignoring suspicious emails, not clicking links from unverified sources, and generally not scanning QR codes that request entry of recovery phrases. Additionally, users should activate two-factor authentication wherever possible.
History of recurring security incidents at Ledger
The current incident joins a series of data leaks that have affected Ledger in recent years. In July 2020, the most severe security leak to date occurred. Attackers gained access to the company's e-commerce and marketing database and compromised information from approximately 1.1 million email addresses as well as detailed data from 272,000 customers, including full names, telephone numbers, and residential addresses.
The stolen data was initially sold and then publicly released on hacker forums in December 2020. This triggered a wave of phishing campaigns and extortion attempts. At that time, Ledger stated it had shut down 171 phishing websites within two months.
But the consequences reached far beyond digital attacks. Criminals use exposed addresses of crypto holders for physical assaults – so-called "wrench attacks." In January 2025, perpetrators kidnapped Ledger co-founder David Balland and his wife from their home in France. The attackers demanded ransom in cryptocurrencies and severed one of Balland's fingers. French police freed the couple after several days of captivity. The incident demonstrates that data leaks at crypto companies can have life-threatening consequences.
In December 2020, another incident occurred through e-commerce service provider Shopify. There, corrupt employees illegally exported customer transaction data in April and June 2020. A class action lawsuit subsequently filed against Ledger and Shopify was dismissed by a California court in November 2021.
In December 2023, attackers compromised Ledger's Connect Kit JavaScript library through a supply chain attack. During a brief window, nearly $500,000 was stolen from users who interacted with affected decentralized applications. For the first time, an incident not only affected customer data but also led to direct financial losses.
Question of trust and industry standards
The recurring security incidents raise questions about the resilience of hardware wallet providers. Ledger consistently emphasizes that the actual hardware wallets and the private keys stored in them were not compromised. This separation between product security and company data is technically correct, but falls short.
The long-term consequences of data leaks manifest in ongoing phishing campaigns. Those affected by the 2020 leak report fraudulent contact attempts even years later. The data retains its value for criminals as long as the affected individuals hold cryptocurrencies.
For the industry, the question arises of appropriate security standards for third-party providers. Hardware wallet manufacturers must not only protect their own systems, but also ensure that partners implement comparable security measures. Outsourcing payment processes and marketing services creates dependencies that are difficult to control. Ledger users face the decision of whether to continue trusting the company. The hardware wallets themselves are still considered secure – provided users do not reveal their recovery phrases. The greater risk lies in the exposed identity as a crypto holder, which attackers can use for targeted campaigns.








