A few months ago hardware wallet manufacturer Ledger announced that they had suffered a data breach and customer records were leaked (including physical addresses). At the time, the database containing these records wasn’t public but was being sold on the deep web for large sums of money (5 BTC+). Well, today that database was released publicly and now anyone in the world can view it for free.
Today we were alerted to the dump of the contents of a Ledger customer database on Raidforum. We are still confirming, but early signs tell us that this indeed could be the contents of our e-commerce database from June, 2020.
December 20th 2020
There’s no sugar-coating this – it is a monumental failure from Ledger and a catastrophic breach of trust. Everyone who purchased a Ledger device from 2019 to the time of the breach has had their personal information leaked to the world (including their physical addresses!!!). This would normally be really bad no matter where this information came from, but what makes this so much worse is that Ledger only sells one type of product – a hardware wallet for your cryptocurrency. So basically, if you used your home address as your postal address when you bought a Ledger product, the entire world now knows where you live and that you hold crypto.
To try and be a little more nuanced and positive about this, I want to offer a maybe rather unpopular view here. If someone really wanted to target you and steal your crypto/hardware wallet, there are already numerous ways to obtain your home address. I recently found out that if you’re a registered voter in the U.S. then your home address is already a matter of public record (in most states). On top of this, it’s trivially easy to get someone to give up their home address if you already have their phone number or email: just send them a well-crafted phishing email. Now, I’m not saying this to downplay the severity of the situation here or anything, but I personally don’t think we’ll be seeing many actual $5 wrench attacks as a result of this leak (and I say this as a very public person who had all of his details leaked). Unfortunately, though, I do expect a lot of phishing emails and threats to be sent to those exposed in the leak, which is extremely unnerving!
Now to bring this all back to Ethereum and DeFi. As you all know, DeFi apps don’t require KYC and the only information you need to give them is your Ethereum wallet address (and sometimes they’ll ask for an email address but this is optional). This is obviously one of the major draws of DeFi, as KYC is both unpopular with self-sovereign individuals and a liability for companies: the data is very personal and, if leaked, can lead to even worse consequences than the Ledger breach. For example, someone could steal your identity if they had scans of your passport and/or driver’s license, or they could potentially access one of your crypto exchange accounts.
Okay, so here’s what you can do to protect yourself now that your information is out there:
Make sure that you remove SMS 2FA from everywhere and use Google Authenticator or Authy instead
Make use of P.O. boxes instead of shipping things to your home address
Change your passwords or use a password manager like 1Password
Store your hardware wallet and seed phrase in a safe place (ideally completely separate to each other)
Be careful not to click on links in emails that you don’t recognize or remember subscribing to (even then, be extra vigilant)
Ignore all SMS messages from a contact claiming to be ‘Ledger’
Staying safe online doesn’t have to be a nightmare and can be relatively straightforward for most people who follow some basic hygiene steps such as the ones I’ve listed above. Stay safe out there everyone!
Have a great day everyone,
All information presented above is for educational purposes only and should not be taken as investment advice.