Ledger said on Wednesday that its e-commerce database was hacked in late June, compromising about one million email addresses. No user funds were affected by the breach.
In a blog post, the French bitcoin hardware wallet company revealed that contact and order information for customers was also exposed.
Ledger added that, for a subset of 9,500 customers, details such as first and last name, postal address, and phone number were leaked. The vulnerability behind the hack, which targeted the firm’s marketing and e-commerce database, has since been patched, it said.
A researcher who participated in Ledger’s bug bounty program discovered the vulnerability and reported it on July 14. Ledger responded by fixing the problem, but not before realizing the vulnerability had already been exploited by an unauthorized third party on June 25.
Someone accessed the company’s marketing and e-commerce database – used to send order confirmations and promotional emails – using an API key that has since been deactivated. Payment information, passwords, and funds were not affected.
“This data breach has no link and no impact whatsoever with our hardware wallets nor Ledger Live security and your crypto assets, which are safe and have never been in peril,” Ledger detailed.
Ledger said it is “extremely regretful” for the breach. The company stated it filed a report with France’s Data Protection Authority, the CNIL, on July 17, and partnered with Orange Cyberdefense four days later “to assess the potential damages of the data breach and identify potential data breaches.”
Ledger is looking for evidence of the stolen data being sold on the internet, but nothing has been found so far. The firm warned users to “always be mindful of phishing attempts by malicious scammers.”