Ledger is getting shamed with its poor ability to communicate and reassure its customers in light of recent data leaks

in #cryptocurrency · 4 years ago


Following the earlier article highlighting that the leaked Ledger data of over a million customers is now being distributed for free, and that many customers are consequently being bombarded with scam attempts, Ledger's public relations have tanked since the public leak. One aspect that frustrates me personally as an affected customer is Ledger's poor communication around the situation: no reassurance, and no concrete steps one could take in light of the hack.

  • On 20th December 2020, when the data stolen back in July 2020 had depreciated in value so much that the scammers decided to dump it publicly for free, one thing became clear: Ledger had vastly underestimated the number of customers whose personal data (phone number, email, full address and name) had been compromised. What was believed to be around 10,000 customers turned out to be over 270,000.
  • The matter was clearer for some affected customers like me, who had never been contacted about the data breach prior to December 2020, yet were receiving countless scam emails and SMS messages crafted around Ledger content.
  • On 21st December Ledger posted a blog admitting that only once the public leak came to light did it become clear that the scope of the hack was much bigger, and that if you were part of this list you should receive an email from Ledger within the next 24 hours.
  • The email from the official Ledger address reportedly ended up in the Spam folder for most customers, who had to navigate through dozens of scam emails from that day to find the correct one, which states the following:

Dear client,

We contacted you last July to tell you that part of our e-commerce marketing database had been leaked.

Yesterday we were informed about the dump of the content of a Ledger customer database on Raidforum. We are still investigating, but early signs tell us that this indeed could be the contents of our e-commerce database from June, 2020.
At the time of the incident, in July, we engaged an external security organisation to conduct a forensic review of the logs available. This review of the logs enabled us to confirm that approximately 1 million had been stolen as well as 9,532 more detailed personal information (postal addresses, name, surname and phone number). The database publicly released yesterday shows that a larger subset of more detailed information has been leaked, approximately 272,000 detailed information such as postal address, last name, first name and telephone number of our customers. We have previously written an FAQ for this purpose, which has since been updated.

We regret to inform you that you are part of the approximately 272 000 customers whose detailed personal information was accessed by the unauthorized third party. Specifically, your name and surname, and your postal address were exposed.

This data breach is not linked to our hardware wallets’ security and your cryptocurrency funds are safe. Due to our detailed security measures, attackers cannot steal your sensitive information like your recovery phrase and private keys. You are the only one in control and able to access this information.

We deeply apologize for this security breach and are working with law enforcement to undergo an investigation.

Sincerely,
Pascal Gauthier
CEO, Ledger

  • Frankly, the only positive I see in the email is the reassurance about the hardware wallets' security and that funds are currently safe. Other than that, it begins by stating that as a client I was contacted last July and informed about the data breach, which clearly was not the case: this was the first email I had received from Ledger since being asked to rate my purchase. That is the first point of annoyance in the recent communication.
  • Other than being informed about the hack and data leak, receiving a deep apology and being told that the company has self-referred to law enforcement for an investigation, are there really no further steps Ledger could have communicated to its most affected customers?
  • This is where Kraken shames Ledger: its security experts were quick to get their hands on the leaked data and crunch it to find all affected emails belonging to current Kraken customers, who then received one of the best pieces of advice I have seen so far regarding the recent hacks. The following was communicated:

Hi $name$,

You are receiving this email because Kraken Security has analyzed the data in the Ledger breach from July 2020* and we have identified that some of your information may have recently been exposed by the attackers.

The exposed data contains email addresses for 1 million newsletter subscribers and personal information (including email addresses, full names, phone numbers, and postal addresses) for 272,000 Ledger customers.

It is possible that you will receive increased attacks against your personal email address and phone number. If you ordered a product from Ledger, it is possible, though unlikely, that your physical address could be targeted as well.

What You Should Do to Protect Yourself


  • Due to the nature of the Ledger breach you should be on the lookout for social engineering and phishing attacks targeting you specifically.

    • These attacks will likely come in the form of an email, text message or phone call pretending to be an exchange (e.g. Kraken) or another service (e.g. Ledger).

    • The attackers will likely try to get you to click on a link, respond to a request or install malicious software.

  • Please use extra caution and read all communication multiple times. Be sure to check the sender and triple-check links before visiting and/or entering any information including usernames and passwords.

  • Ensure you have Sign-in 2FA, ideally a YubiKey, on your Kraken account and any other online accounts that may be of interest to these attackers including your personal email account and other financial-related accounts.

  • Contact your mobile phone carrier and put a lock on your SIM so it can’t be ported to another phone (e.g. SIM swap attack).

  • Update the email associated with your Kraken account. To do this, sign in to your account, navigate to Settings > Account, enter your new email, and confirm the change with the codes that will be sent to both your old and new email addresses. Visit our Support Center for more information about email changes.

  • For more information on securing your account and digital life, visit our Support Center.

As always, we are committed to your security and want to make efforts to help our clients proactively protect themselves from potential malicious attacks.

If you have any questions or concerns, please do not hesitate to reach out to us at [email protected].

The Kraken Team

  • With that, I strongly believe that if Ledger took a similar approach to Kraken and communicated to its customers not only that sh*t has happened but also some concrete steps they can take to secure themselves going forward, there would be far fewer paranoid Ledger customers going into Christmas. Judging from the trends on Reddit and Twitter, this clearly still appears to be a hot topic bothering a lot of people.
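The most actionable item in the Kraken email is "check the sender and triple-check links". The script below is an added example, written for this post and not code from Ledger or Kraken, that automates that check for an email a customer has received: it compares the sender and Reply-To domains against an allowlist of domains the genuine services send from, and walks every link in an HTML body looking for brand names on untrusted domains and for link text that shows one hostname while the href points somewhere else. The two trusted domains, the brand words and both sample messages are assumptions constructed for the example; the registrable-domain helper is a deliberate approximation (last two labels) rather than a public-suffix lookup.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the genuine vendor/exchange mails from. Assumed for this example;
# a real deployment would use the sender addresses the services publish.
TRUSTED_DOMAINS = {"ledger.com", "kraken.com"}
BRAND_WORDS = ("ledger", "kraken")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude registrable-domain approximation (last two labels). Good enough for
    the demo; a production check would consult the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def domain_of_address(addr):
    """Registrable domain of an email address, or '' if there is no @."""
    return registrable(addr.rsplit("@", 1)[1]) if "@" in addr else ""


def triage(raw_message):
    """Return human-readable findings for one raw RFC 822 message; [] means clean."""
    msg = message_from_string(raw_message)
    findings = []

    display, addr = parseaddr(msg.get("From", ""))
    sender = domain_of_address(addr)
    if sender not in TRUSTED_DOMAINS:
        findings.append(f"sender domain {sender!r} is not a known vendor domain")
        if any(b in display.lower() for b in BRAND_WORDS):
            findings.append(f"display name {display!r} names a brand the sender domain does not belong to")

    reply_to = domain_of_address(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_to and reply_to != sender:
        findings.append(f"Reply-To domain {reply_to!r} differs from sender domain {sender!r}")

    if msg.get_content_type() == "text/html":
        extractor = LinkExtractor()
        extractor.feed(msg.get_payload())
        for href, text in extractor.links:
            host = (urlparse(href).hostname or "").lower()
            target = registrable(host)
            # Brand word inside an untrusted hostname: classic lookalike domain.
            if target not in TRUSTED_DOMAINS and any(b in host for b in BRAND_WORDS):
                findings.append(f"link to {host!r} uses a brand name on an untrusted domain")
            # Link text that displays a hostname different from where the href goes.
            shown = re.search(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", text.lower())
            if shown and registrable(shown.group(1)) != target:
                findings.append(f"link text shows {shown.group(1)!r} but points at {host!r}")
    return findings


# Constructed sample messages (not real mail). Headers must start on the first line.
LEGITIMATE_SAMPLE = """From: "Ledger" <noreply@ledger.com>
Subject: Update on the July data breach
Content-Type: text/html

<html><body><p>Read the full update on our site:</p>
<a href="https://www.ledger.com/">Read the update</a></body></html>
"""

SUSPICIOUS_SAMPLE = """From: "Ledger Support" <security@ledger-recovery-check.com>
Reply-To: help@ledger-recovery-check.com
Subject: Please confirm your details
Content-Type: text/html

<html><body><p>Please confirm your details to keep your wallet protected:</p>
<a href="http://ledger-recovery-check.com/restore">https://www.ledger.com/support</a>
</body></html>
"""

if __name__ == "__main__":
    for label, sample in (("legitimate", LEGITIMATE_SAMPLE), ("suspicious", SUSPICIOUS_SAMPLE)):
        print(label, "->", triage(sample) or "no findings")
```

Run as-is, the legitimate sample produces no findings and the suspicious one produces four (untrusted sender domain, brand name in the display name, brand name in a lookalike link host, and link text that shows ledger.com while the href goes elsewhere). The check is intentionally conservative: a mail that passes it is not proven genuine, but any finding is reason to go to the vendor's site by typing the address yourself rather than clicking.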


This article was originally posted on publish0x