If you’re a Ledger user, you might find that you’re receiving more spam than ever. In this post, we’ll discuss the data dump of Ledger customers’ personal data following the Ledger hack in July 2020. Plus how to prevent yourself from being scammed when the hackers come after you.
In July 2020, Ledger revealed a data breach that exposed over a million customers’ emails. The breach was found during a bug bounty program and even though the Ledger fixed the issue immediately, unfortunately, it was too late.
As during this time, hackers manage to gain access to a database containing the personal contact details of Ledger’s e-commerce clients such as their email addresses, first and last names, home addresses and phone numbers.
At the time, Ledger reported that hackers had only stolen the personal data of 9,500 customers. However, unfortunately, this wasn’t quite correct. As since the breach, hackers have now published the hacked data and exposed phone numbers and home addresses of more than 270,000 Ledger users. Plus, more than a million customer email addresses.
Since the breach, there’s been a host of phishing attempts released to Ledger customers, and even some threats to customers demanding money or physical violence.
Although it’s unlikely that (due to the breach) hackers will be able to siphon tokens from your hardware wallet, you could compromise your own funds by falling for one of their many phishing attempts.
This isn’t just isolated to Ledger, Trezor has recently tweeted that’s there’s a malicious app in Google Play in an attempt to scam their users. Even though it looks legitimate and has 238 reviews this is not the official app.
Plus, Hugh Karp (founder of Nexus Mutual) also recently got hacked with a compromised version of MetaMask that tricked him into signing a transaction that redirected all his NXM tokens to an attacker-controlled address.
In light of all of this, how can you prevent yourself from being scammed?
Well, Ledger has created a handy page and article advising their users on what to look out for and some tips for stopping the scammers.
Stay calm and try not to panic. Panic is what hackers pray on by users making rash decisions. Be aware that your funds are safe as they are stored offline and the data breach under no circumstances affects the security of your device.
Never Share Recovery Phrase/Private Keys
Not just with Ledger, but in crypto anywhere, never share your recovery phrase or private keys, with anyone, ever. With access to this phrase, someone would have full control over your funds.
Strengthen Your Security
If your email has been compromised, change your password and make sure you use strong secure passwords. Also, enable 2-factor authentication wherever possible with products like Google Authenticator.
You can also add an extra layer of protection by adding a second back up like a pass phrase on your device.
Consider splitting up your recovery phrase into 3 sheets, to store in 3 different locations. Then bring these together to form your recovery phrase. Or arrange the recovery so that you can just bring just 2 together to form the recovery, incase 1 gets damaged or lost.
Never Pay Ransoms
As I mentioned there have been threats of violence to users with hackers claiming to have personal addresses etc. However scammers will always try the easiest possible way to steal money . Therefore will send out emails to a high number of customers without risking physical contact.
There also hasn’t been a report (that I’m aware of that anyone has been attacked). So these appear to just be scams. If you have large amounts of crypto on your device it’s advised to keep it away from your home. Just as you would if you had millions in cash instead.
Don’t Validate Transactions Unless You Authored Them
Don’t validate a transaction on your device, unless you are certain it was you. Scammers can get you to download a fake Ledger Live manager that could trigger a transaction on your Nano, which you must reject.
Only Interact with Ledger’s Official Channels
As part of one of the phishing attempts I’ve personally seen, emails were sent out with the domain that contained “Legder” as opposed to “Ledger.” These subtle mistakes are a sure-fire way to detect a scam.
Authentic Ledger domain names are:
With more spam and phishing emails ahead of Ledger customers, always expect the worse and assume it’s a phishing attempt. Never click on any links, or download and check out Ledger official social media channels such as;
Ongoing Phishing Campaigns
You can keep track of the ongoing Ledger phishing attacks or report it to Ledger support here.