On the 14th of July 2020, a computer researcher that participated in our bug bounty program notified us of a potential data breach on the Ledger website. We immediately fixed the breach after receiving the researcher’s report and undertook an internal and external investigation of the situation. While conducting the investigation, we discovered an unauthorized third party had gained access to customer information.
What personal information was involved?
Contact and order details were involved. This is mostly the email address of our customers. Further to investigating the situation we have also been able to establish that, for a subset of customers were also exposed: first and last name, postal address, phone number and ordered products. Due to the scope of this breach and our commitment to our customers, we have decided to inform all of our customers about this situation.
Payment information, credentials (passwords) or crypto funds are not impacted by this data breach. This data breach has no link nor impact on our hardware wallets and the Ledger Live application. Your crypto assets are safe and are not in peril.
What we have done, what we are doing
We have taken immediate action on 14th of July 2020, to resolve the data breach.
On the 17th of July, we notified the CNIL — the French Data Protection Authority — about this data breach and are continuing to work with authorities throughout the legal process.
We are continuously monitoring for evidence of our customers’ contact details being disclosed on the internet, and have found none thus far. We also performed an internal penetration test.
We are currently in the process of filing a complaint before the French public prosecutor regarding the unauthorized access and we will support law enforcement investigation.
We are extremely regretful for this incident. We take privacy very seriously, and we sincerely apologize for the inconvenience this matter may cause you.
What you can do
We recommend you exercise caution — always be mindful of phishing attempts by malicious scammers.
As a reminder, Ledger will never ask you for the 24 words of your recovery phrase. If you receive an email that looks like it came from Ledger asking for your 24 words, you should definitely consider it a phishing attempt.
We suggest you visit Ledger Academy security section to educate yourself on general security principles and more precisely our article about phishing attacks.
Pascal Gauthier, Ledger CEO
For more information