As with any situation, there is both good and bad to be found. Based on information released by Ledger, the following make up each category.
The good:
- Despite the breach, Ledger indicates that no client financial information was accessed.
- Client funds/holdings are unaffected
The bad:
- Roughly 1 million accounts affected
- Multiple data points accessed
  - Contact information (names, phone numbers, postal addresses)
  - Order details
This particular breach occurred when an unknown third party used an Application Programming Interface (API) key to access Ledger's services. The breach occurred on June 25th, 2020, and was discovered on July 14th, 2020.
Data Breaches and Bounty Programs
In an age where data has become one of our most valuable assets, it is not surprising that year after year companies find themselves on the wrong end of a breach. Recognizing this, it has become a regular practice in the crypto community to offer incentives (bounty programs) for hackers and programmers to find weaknesses.
In these bounty programs, companies typically recruit researchers to intentionally ‘attack’ the company's networks and services. The purpose is to discover weak points and vulnerabilities before those with nefarious intent can do so.
While the illegal breach took place in late June, it wasn’t until mid-July that it was discovered by someone participating in a Ledger bounty program. Without this program, the breach could have continued unnoticed, with the potential for repeated attempts in the future. The Ledger incident shows the merits of such bounty programs.
As it stands, Ledger has deactivated the API key used to access information and implemented the necessary fixes to ensure that client information will not be exploited in this manner again.
Any breach of any kind is cause for concern. With this in mind, Ledger took the time to discuss this recent event, and put their clients' minds at ease.
“Regarding your ecommerce data, no payment information, no credentials (passwords), were concerned by this data breach. It solely affected our customers’ contact details.
This data breach has no link and no impact whatsoever with our hardware wallets nor Ledger Live security and your crypto assets, which are safe and have never been in peril. You are the only one in control and able to access this information.”
Since they first launched, Ledger products have gone from supporting a select few assets to more than 1000 at the time of writing. It is expected that as this trend continues, we will see Ledger bring support for digital securities as they grow in popularity. Ledger was one of the first companies of its kind to provide wallet services for digital securities when they formed an alliance with now-defunct digital security company Neufund.
With the digital securities sector beginning to pick up, it is only a matter of time before token holders are looking for safe storage of their assets – hopefully, Ledger will be there.
Founded in 2014, Ledger maintains operations in Paris, France. Above all, the team at Ledger works to serve the blockchain industry through the development of various storage and security solutions.
CEO Pascal Gauthier currently oversees company operations.