Ledger CTO discusses wallet’s safety after multiple security setbacks

Published at: Aug. 30, 2020

Ledger, one of the crypto industry’s most popular hardware wallet providers, has faced multiple difficulties in recent weeks, including a breach in the company’s customer contact database and a wallet vulnerability putting users’ Bitcoin (BTC) at risk. Are the recent events simply a summation of a few difficult weeks, or is a larger unraveling at play?

Charles Guillemet, the chief technology officer of Ledger, told Cointelegraph: “As far as the database breach, an attacker got access to a portion of our e-commerce and marketing database through a third party’s API key that was misconfigured on our website, which allowed unauthorized access to our customers’ contact details and order data.”

Ledger’s data breached

The breach dates back to June and July 2020. Ledger received a tip on July 14 mentioning the firm’s website and a possible associated weakness, as the report by Cointelegraph detailed. Although Ledger repaired the issue following the tip, the company discovered that someone had already exploited the weakness on June 25, leading to nearly 1 million leaked email addresses — with 9,500 affected customers seeing other private data leaked, such as their phone numbers and names.

Guillemet said Ledger repaired the issue and disabled the troublesome API key that same day. “In addition, no payment information, credentials (passwords) or crypto funds were impacted,” he added. “This data breach has no link nor impact on our hardware wallets and the Ledger Live application,” he explained. “Customer crypto assets have always been safe and are not in peril,” he said, crediting Ledger’s device makeup for its security, as it gives authority over funds back to the users.

Jake Yocom-Piatt, the project lead at cryptocurrency Decred, said he was not surprised by the incident, noting companies usually give less attention to their e-commerce database defenses. “When your core product is secure hardware, it is easy to forget that the security of your e-commerce software system is also important,” he told Cointelegraph, adding: “Many larger organizations view software security as a sunk cost because it falls outside their core product offering, so they cannot market it and extract profit.”

Wallets had a software vulnerability

Shortly following the data breach, Ledger device holders read about another difficulty surrounding their wallet of choice on Aug. 5, as a software vulnerability surfaced. The hole essentially provided a bridge between Bitcoin and its various forks, such as Litecoin (LTC). Harnessing the flaw, attackers could make a transaction seem associated with one asset, while confirming the transaction on the device would approve a separate transaction for a different asset — unbeknownst to the wallet owner.

Ledger issued a software update the same day, correcting the issue. On Aug. 26, when asked for additional comments, a Ledger public relations representative pointed toward an explanation of the situation on the company’s blog posted on Aug. 5, which explained that a bounty hunter found the vulnerability, leading to Ledger’s mentioned update in response. “We’d like to assure you that this vulnerability cannot be used to obtain sensitive data like your private keys or recovery phrase,” Ledger clarified in the write-up.

Ledger wallets still effective

Despite the recent difficulties, Ledger wallets remain a popular option for crypto storage. “Ledger and other hardware wallets are a major security upgrade for the average cryptocurrency user because it prevents remote access attacks — e.g., keylogging — from succeeding,” Yocom-Piatt said, adding:

“However, the protection against remote theft that comes with a hardware wallet is typically paired with a distinct decrease in privacy since the hardware wallet supplier can see exactly which coins a wallet controls.”

Twitter user CryptoGainz tweeted out difficulties he faced when working with his Ledger wallets on Aug. 13, citing unreliable software. Although the comment came shortly after the Aug. 5 vulnerability issue, the situation proved unrelated, with CryptoGainz still expressing faith in the wallet company as a crypto storage option.

Related: Uniswap and automated market makers, explained

“They’re a safe way to store crypto, they just suck for trading via metamask on Uniswap,” CryptoGainz told Cointelegraph in a Twitter DM chat, citing an online wallet provider/decentralized application avenue and the latest decentralized exchange trading craze, Uniswap.

Ledger customer protection

Although Ledger’s wallets provide parameters for enhanced security, users still must know best practices and tactics for the protection of their assets. “We’re most worried about phishing attempts — emails from scammers pretending to be us,” Guillemet explained.

A phishing scam occurs when a malicious party sends an email, or another form of communication, disguising itself as a different person or company in an attempt to gain private information from the target. “We’ll never ask our clients for the 24 words of their recovery phrase,” Guillemet said, urging customers to harness two-factor authentication, while also pointing toward educational information on security found on Ledger’s website.

Aside from phishing attacks, Ledger holds safeguards against malware. “Ledger devices are designed to protect users’ funds against malware on users’ computers, including fake Ledger Live applications,” Guillemet explained, referencing Ledger’s desktop application for interacting with wallet devices. He specified that users should make sure to get the app from Ledger’s official online site or app store.

Yocom-Piatt also spoke on protection against company data breaches, such as the one Ledger suffered. “Since e-commerce systems typically have weak security, I recommend that users ordering these devices have them sent to an address that is not their primary residence,” he said.

Using a different physical address shields customers from exposure of their residence, should such a breach occur, helping guard against potential in-person Ledger wallet device theft. “Also, when possible, you should avoid using the wallet software supplied by the hardware wallet vendor to maximize your privacy,” he added.

Self-custody over assets is a major selling point in the crypto industry, although it requires knowledge and technical prowess. The complexity involved might explain the push for mainstream crypto trading products, such as exchange-traded funds in which companies custody assets for investors.

Tags
Related Posts
Hardware crypto wallet sales increase as centralized exchanges scramble
Blockchain analysis firm Glassnode recently characterized the 2022 bear market as the worst on record. This seems to be the case due to events such as the war in Ukraine and rising inflation, coupled with serious problems among centralized crypto exchanges. Yet, the bear market hasn’t negatively impacted all players in the crypto ecosystem. Hardware wallet providers seem to be benefiting from the massive amount of crypto withdrawals from centralized exchanges. Pascal Gauthier, CEO of hardware wallet crypto firm Ledger, told Cointelegraph that the company’s revenue dropped about 90% during the 2018 crypto winter, but this hasn’t been the case …
Decentralization / July 6, 2022
Secure Bitcoin self-custody: Balancing safety and ease of use
Bitcoin’s supply is capped at 21 million, but a significant proportion of that total sum is likely lost forever. This situation is due to a variety of reasons such as lost private keys and discarded storage devices containing substantial amounts of Bitcoin (BTC). When Bitcoin owners are not being careless with their wallet passwords, they can sometimes be targeted by hackers looking to steal their precious crypto. Those who utilize third-party custodial solutions place their Bitcoin fortune at the mercy of the security protocols adopted by such services. Indeed, several attack vectors are constantly being utilized to try and gain …
Technology / Jan. 17, 2021
Ledger users threaten legal action after hacker dumps personal data
The hacker that breached hardware wallet provider Ledger’s marketing database earlier this year has released personal data for thousands of users, prompting many to threaten the firm with a class-action lawsuit. According to a tweet from network security firm Hudson Rock's Alon Gal, a hacker allegedly behind the breach of personal data from hardware wallet Ledger in June has made all the information they obtained available online. This reportedly includes 1,075,382 email addresses from users subscribed to the Ledger newsletter, and 272,853 hardware wallet orders with information including email addresses, physical addresses, and phone numbers. ALERT: Threat actor just dumped …
Technology / Dec. 20, 2020
Kraken Discovers Potential Attacks Against Ledger Wallets, User Funds Unaffected
Kraken Security Labs, the cybersecurity division of US-based cryptocurrency exchange Kraken, has identified new potential attacks against popular hardware wallet Ledger. These attacks can affect Ledger Nano X wallets if they execute prior to the user receiving the wallet, if a wallet was intercepted during shipment or obtained from a malicious reseller, Kraken noted. This leaves the attackers theoretically capable of controlling computers connected to Ledger wallets and running malware on them. Thankfully it stayed theoretical — the issue was repaired. Had the matter gone unaddressed, then we’d start hearing about “Bad Ledger attacks” and “Blind Ledger attacks.” The first …
Technology / July 8, 2020
Crypto Security Company Ledger Releases Bluetooth-Enabled Hardware Wallet
Cryptocurrency hardware wallet firm Ledger has unveiled a new Bluetooth-based wallet today, Jan. 7, according to a press release shared with Cointelegraph. The wallet, called the Ledger Nano X, was shown at the CES 2019 conference in Las Vegas. At the same time, the firm has announced mobile app set to go live on Jan. 28, allowing its users to manage their transactions and check their balances from a mobile device. The Ledger Nano X will have the capacity to store 100 crypto assets. At the end of November, Ledger Nano S had begun to support altcoin Monero (XMR). In …
Bitcoin / Jan. 7, 2019