As soon as he learned he was among the thousands of Ledger customers whose personal information had been published online Sunday, JimboChewdip, as he’s known on Twitter, acted fast. Not fast enough, however.
JCD, as we’ll call him, spent Monday morning changing his passwords, only to get a notification a new device had been added to one of his two-factor authentication (2FA) accounts. He then tried to log into his email. It was locked.
“Within minutes I started getting notifications about password changes on Coinbase, Binance, Dropbox,” he later told CryptoX. “I tried to call T-Mobile over Wi-Fi but it wouldn’t work with the SIM disabled so I reached out to them on Twitter and got someone from Support to lock my account.”
At the same time, JCD posted a Twitter thread about the situation.
“By the time I got into my Coinbase Pro account and checked the balance, there had been a sale of the coins I held to bitcoin and one withdrawal of the entirety of my account,” he said. “No response from Coinbase support.” Around $2,000 worth of cryptocurrency was gone.
While he can’t prove the SIM-swap attack executed against him was tied to the Ledger leak, “the timing is certainly suspicious,” he said.
The data dump exposed for anyone to see 1 million email addresses and 272,000 names, mailing addresses and phone numbers belonging to people who had ordered Ledger’s devices, which store the private keys for cryptocurrency wallets. The number of people affected was much higher than the 9,500 the company estimated when it disclosed a hack in July.
The incident illustrates the tangible harm such leaks can inflict, the variety of ways people’s data can be used to compromise them and raises questions about how and if certain data should be retained at all. If someone gets into a centralized repository of sensitive information, it’s all there for the taking and subsequent leaking.
Hackers are taking advantage of the situation in a variety of ways, including using the data to pursue SIM-swap attacks like one carried out against JCD. Such an attack involves tricking employees of a telecommunications provider into porting the victim’s phone numbers to the attacker’s device. This allows the attacker to use or bypass 2FA to access crypto wallets or social media profiles, for example.
Even more ominously, some users have received physical threats. In one instance, a user allegedly received an email from someone trying to extort their cryptocurrency by saying they were “not afraid to invade their home.”
Je regrette
With the U.S. government and some top cybersecurity companies being breached by a months-long cyber-espionage campaign, governmental mandates for data retention may be due for reconsideration.
“Data breaches are extremely common. The only difference with this [Ledger] breach is that those affected are juicy high-value targets for spear phishers and con artists,” said Jameson Lopp, the chief technology officer (CTO) at crypto custody startup Casa. “As such, criminals will go to more extreme efforts than they would with other data breaches because the potential payout is much higher per targeted user.”
On Tuesday, Ledger, based in Paris, tweeted that “there has been a new wave of phishing attacks taking place since yesterday, threatening our users physically” and that victims should never pay the ransom.
In an interview, Ledger CEO Pascal Gauthier emphasized first and foremost how sorry he was the hack and the subsequent leak had occurred in the first place.
“I want to put an emphasis on how sorry we are because I think it’s important for our clients, to know that what affects them affects us,” he said.
He said the initial hack was, in part, a result of the company scaling so quickly and that he and incoming Chief Information Security Officer Matt Johnson would be announcing a new data policy and plan to further address the leaks in January.
Gauthier said the physical threats were likely phishing attempts and that the company was allegedly seeing those emails go out in multiple languages, meaning the likelihood someone would actually attempt to physically attack a user was slim.
“When it comes to crypto, it’s much cheaper and much easier to do a phishing attack from home than to attack someone at their home,” he said. “Attackers will go for the cheapest attacks, and phishing is definitely the cheapest attack before doing anything else.”
As other companies including rival hardware wallet maker CoinKite, seemingly in response to the leak, announced they would wipe user data after a certain period, Gauthier questioned the legality of such actions, given that tax requirements mandated some subset of user data be kept for 10 years, he said. (“We are compliant with Canadian regulation,” said a representative for Toronto-based CoinKite,)
Gauthier also noted that data breaches have been steadily increasing, and this is an issue that goes beyond Ledger.
“The problem of hacking and having your data leaked is not so much a question of if, it’s more a question of when,” he said.
‘Purge it ASAP’
Crypto trader Scott Melker put JCD in touch with Haseeb Awan, the CEO of Efani, a cybersecurity company focused on preventing SIM-swap attacks. Efani offers 11 layers of authentication when it comes to SIM cards, but every account has a minimum of seven authentication steps when a user wants to replace the SIM card.
Awan helped JCD secure his number and PIN in short order. If he hadn’t, said JCD, much “more damage could have been done.”
“With the Ledger hack, we’ve noticed at least a 10-times increase in our victim helpline call volume, and we anticipate it to keep on growing as the holiday approaches since there’ll be no support for the victims from their existing carriers,” said Awan. “Criminals generally attack after-hours or on holidays since victims are generally not paying attention to their phones and can’t access support due to holidays.”
Awan said the Ledger list is a honeypot of potential targets for criminals that’ll be used over the next few months for different types of attack. The most common ones will likely include cell phone SIM swaps or email compromises. Instances of identity theft or accessing someone’s physical address were a lower risk, he said.
Lopp said his biggest takeaway from the Ledger data dump was that “information wants to be free. It is fundamentally impossible to guarantee that any data you store won’t be leaked.”
The only foolproof way to prevent leaks is to not collect data in the first place, he said. The second-best option is to only hold data as long as it’s needed and automatically purge it once you are finished using it, something Gauthier said Ledger is looking into.
Lopp added that while holding email addresses for the long term for marketing purposes is completely understandable, holding the names, physical addresses and phone numbers of customers once a delivery was complete and the return window expired is harder to justify.
And it could have been worse: The leaked data was only from the past year or two of orders, not the whole order history dating back to 2014, when Ledger released its first product.
“Don’t collect what you can’t protect. Personal information should be treated like toxic waste,” said Lopp. “If you must collect some PII [personal identifiable information] for business purposes, purge it as quickly as possible to minimize the amount of data you have on hand at any point in time.”
UPDATE (Dec. 24, 1:20 UTC): Added comment from a rival hardware wallet maker.