Hardware wallet manufacturer Ledger has suffered another massive data breach for the second time this year. The exposure of thousands of clients’ personal information has increased the threat of SIM swapping as an attack vector.
For the second time this year, personal data from Ledger wallet buyers has been dumped online. The leak was posted by several members of the crypto community who found files allegedly containing the ‘full database’ of Ledger customers containing emails, phone numbers, and even physical addresses.
Major data leak
Ledger published a statement on Twitter, claiming it was old data from the June 2020 server breach.
Today we were alerted to the dump of the contents of a Ledger customer database on Raidforum. We are still confirming, but early signs tell us that this indeed could be the contents of our e-commerce database from June, 2020.
— Ledger (@Ledger) December 20, 2020
A wave of phishing attacks followed the breach from June. Ledger originally claimed that only around 9'500 users were affected, but it now turns out to be as many as 270'000. Industry researchers called it "unforgivable". Hasu, Writer for Deribit Insights, said that "you simply can’t sell hardware wallets and store the personal information of your customers on an online server." In order to make Ledger take physical security more seriously, he recommended cutting off business with them completely.
Analyst Larry Cermak, Director of Research for The Block, said this latest leak was "much much worse" than the last;
This Ledger leak is much much worse than I thought. Did some cross checks with people that have purchased Ledgers and the hit rate (anecdotally) is like 50%. The info includes home addresses as well as phone numbers.
— Larry Cermak (@lawmaster) December 20, 2020
There is also now an inherent danger that SIM swapping attacks will be used to target Ledger customers now that their phone numbers and addresses have been leaked.
What is SIM swapping and how to avoid it?
SIM swapping occurs when an attacker contacts the victim’s wireless/mobile carrier and is able to convince the call center employee that they are the victim using stolen personal data. With an arsenal of new data including email addresses, the phone number itself, and even physical addresses for Ledger users, this would be relatively easy to pull off for cybercriminals.
The attacker then asks the provider to activate a new SIM card connected to the victim’s phone number on a new phone in their possession. With this, they can access the 2FA security measures used by Ledger devices and crypto exchanges. What happens next is inevitable — an emptied hardware wallet.
Industry analyst Alex Krüger has warned of an impending wave of SIM swapping attacks following the Ledger leak. Since phone numbers were leaked and smartphones are normally used to authenticate transactions, the fallout could be devastating;
The personal data of 272,000 Ledger buyers has been leaked. If your data was compromised, make sure you are not using your number for 2FA anywhere. Change to a VoIP number, or GA. Alternatively, contact @haseeb a bitcoin OG whose company provides protection against sim swapping.
— Alex Krüger (@krugermacro) December 21, 2020
The U.S. Federal Trade Commission issued a warning and prevention guide which includes suggestions on limiting the sharing of personal information. However, when companies that are trusted with security cannot secure data themselves, what hope has the consumer got? As a number of Ledger users have painfully found out, crypto-assets can be easily stolen from hardware wallets. The victims are left to suffer alone when it happens as there is usually little-to-no recourse whatsoever from the manufacturers.
