In July 2020, Ledger - the company behind the highest-selling series of crypto hardware wallets in history - made a startling realization.
Their marketing database had been accessed by hackers and stolen.
This article explains what happened that day and what happened after, what Ledger knew and when they knew it.
At the end, I will cover what you can do to prevent yourself from becoming a victim of similar hacks in the future.
Below is a timeline of the events that took place and Ledger’s response to each of them.
Between April and June 28, 2020, support-team employees at Shopify (Ledger’s e-commerce service provider) exploit a misconfigured API key for Iterable (Ledger’s marketing software partner).
The employees obtain transaction data for anyone who had been emailed from around August 9th, 2018 until the end of June, 2020.
The database consists mostly of email addresses, but a subset also includes contact and order details like names, postal addresses, email addresses, and phone numbers.
A researcher participating in Ledger’s bounty program alerts the company to a potential data breach on their website.
Ledger immediately fixes the breach after receiving the researcher’s report and begins an internal investigation.
Ledger notifies the CNIL, the French Data Protection Authority, about the issue.
This three day delay in reporting aligns with article 33 of the EU General Data Protection Regulation (GDPR), which states that:
“In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55….Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.”
Ledger partners with Orange Cyberdefense to conduct a thorough investigation of the potential damages of the data breach and identify other possible breaches.
Ledger receives an initial report from Orange Cyberdefense.
We do not know what is in this initial report.
After a detailed internal investigation by Ledger’s security team and Orange Cyberdefense, it is concluded that the e-commerce and marketing database was indeed breached.
By this date, all affected customers had been sent an email update regarding the situation.
Ledger also starts monitoring the internet for evidence of the database being sold, performs internal penetration testing, and brings forward an external penetration test originally planned for September.
Shopify publishes a blog post entitled “Incident Update”, where they outline a hack they had just sustained.
“Recently, Shopify became aware of an incident involving the data of less than 200 merchants. We immediately launched an investigation to identify the issue–and impact–so we could take action and notify the affected merchants. Our investigation determined that two rogue members of our support team were engaged in a scheme to obtain customer transactional records of certain merchants. We immediately terminated these individuals’ access to our Shopify network and referred the incident to law enforcement. While we do not have evidence of the data being utilized, we are in the early stages of the investigation and will be updating affected merchants as relevant.”
At this point, neither Shopify nor Ledger is aware that Ledger is one of the merchants affected by this hack, or that Ledger’s breach is a smaller part of this larger one.
Ledger becomes aware that the contents of their e-commerce database from June 2020 had been dumped on Raidforum.
What’s worse, Ledger learns that the number of people whose personal addresses had leaked was ~272,000 (as opposed to the 9,500 it had initially reported).
Ledger sends an email to affected customers to acknowledge the data breach and subsequent dump.
It states:
We regret to inform you that you are part of the approximately 272 000 customers whose detailed personal information was accessed by the unauthorized third party. Specifically, your name and surname, and your postal address were exposed.
Ledger claims this information was not available in the logs that Ledger was able to analyze.
On this day, Shopify determines that Ledger’s breach was indeed part of its September 22, 2020 hack disclosure.
Shopify informs Ledger that Shopify employees were the ones responsible for the breach.
Ledger emails 292,000 customers with an email entitled SECURITY NOTICE: Ledger included in Shopify database breach, informing victims that Shopify was at fault for the breach.
You cannot control how the companies you buy from manage and protect your privacy.
But you can control how much and what kinds of data they have in the first place.
In the case of Ledger’s hack, much of the damage could have been avoided with some effort on the part of the customer.
Here are some tips on how to mitigate the damage from future similar hacks. I will use purchasing products at ledger.com as the example in all cases so you can see how you could have prevented being a victim of this attack.
This one is simple - if a company does not need to know something, don’t tell them.
For instance, if a field in an online form is optional, leave it blank.
Part of giving limited information also includes using single-use passwords and even single-use usernames. This is especially true when email addresses are used as usernames.
The obvious benefit of single-use passwords is that if a hacker breaches the database of passwords, they only have access to this one account (since you aren’t using this password for any other accounts you have).
For this, you will probably want to use a password manager to both generate and store your unique passwords - it would be impossible to remember them all.
1Password is a very popular one.
But even more importantly for a hack like Ledger’s - we want a unique (or throwaway) email address so that our primary email address is not targeted in future attacks.
There are two ways to do this:
The cheapest and easiest is with Gmail, where you can create unlimited email addresses from your existing address just by appending a plus sign (+) and a string.
For instance, if your email address is
jerryjones@gmail.com
You can make a unique single-use email address by using the following tweak to your existing address as the username for your Ledger account (or as your contact email when purchasing).
jerryjones+ledger@gmail.com
This will forward any email sent to the ‘+ledger’ address to your primary email address.
If Ledger ever sells your data to third parties and they email you, you will know since you will see they emailed jerryjones+ledger@gmail.com.
The issue is that savvy hackers and data purchasers know about this and can easily remove any +’s to hide where they got the data from.
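As an added example (not code from the original article), the short Python script below turns the tip above into a working check: it builds a per-service plus-address for the article’s example mailbox, attributes unsolicited mail back to the service that leaked the address, and shows the caveat concretely, since a one-line normalisation that drops the “+tag” collapses every alias back to the bare primary address. The primary address and the list of recipient addresses are constructed sample values, and Gmail-style delivery (everything after “+” ignored) is assumed.

```python
import re
from typing import Dict, List, Optional

# Added example, not from the original article. Assumes a Gmail-style mailbox
# where anything after "+" in the local part is ignored for delivery, so
# jerryjones+ledger@gmail.com lands in jerryjones@gmail.com.

PRIMARY = "jerryjones@gmail.com"  # the article's example address (constructed)

# Tags are restricted to characters that are safe in an email local part.
_TAG_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")


def tagged_alias(primary: str, service: str) -> str:
    """Build the per-service alias to hand to a merchant, e.g. '+ledger'."""
    if not _TAG_RE.match(service):
        raise ValueError(f"tag contains characters unsafe for a local part: {service!r}")
    local, domain = primary.split("@", 1)
    return f"{local}+{service}@{domain}"


def strip_plus_tag(address: str) -> str:
    """Canonical delivery address: drop '+tag' from the local part.

    This is exactly the caveat in the article: a data buyer who applies this
    normalisation erases the evidence of where the address came from.
    """
    local, domain = address.split("@", 1)
    return f"{local.split('+', 1)[0]}@{domain}"


def attribute_leak(primary: str, recipient: str) -> Optional[str]:
    """Return the service tag if `recipient` is one of our plus-aliases.

    Returns None when the mail went to the bare primary address (tag already
    stripped) or to a mailbox that is not ours at all.
    """
    local, domain = primary.lower().split("@", 1)
    r_local, _, r_domain = recipient.lower().partition("@")
    if r_domain != domain:
        return None
    base, plus, tag = r_local.partition("+")
    if base != local or not plus or not tag:
        return None
    return tag


def summarise_recipients(primary: str, recipients: List[str]) -> Dict[str, int]:
    """Count, per service tag, how many messages hit each of our aliases.

    Addresses that do not deliver to our mailbox are ignored. Messages to the
    bare address are counted under 'untagged': that is the bucket a sender who
    stripped the tag ends up in, which is why tagging alone is a weak defence.
    """
    counts: Dict[str, int] = {}
    for addr in recipients:
        if strip_plus_tag(addr).lower() != primary.lower():
            continue  # someone else's mailbox; not evidence about our data
        tag = attribute_leak(primary, addr) or "untagged"
        counts[tag] = counts.get(tag, 0) + 1
    return counts


# Constructed sample: the To: addresses of a handful of unsolicited messages.
SAMPLE_RECIPIENTS = [
    "jerryjones+ledger@gmail.com",
    "JerryJones+ledger@gmail.com",   # case differs; still our alias
    "jerryjones+shop2@gmail.com",
    "jerryjones@gmail.com",          # tag already stripped by the sender
    "someoneelse+ledger@gmail.com",  # not our mailbox at all
]

if __name__ == "__main__":
    print(tagged_alias(PRIMARY, "ledger"))
    print(summarise_recipients(PRIMARY, SAMPLE_RECIPIENTS))
```

Run as-is it prints the alias to hand to Ledger and a per-service tally in which two messages are attributable to the “ledger” alias, one to “shop2”, and one has landed in the untagged bucket where attribution is no longer possible.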
So let’s talk about another, better option: Aliases.
Aliases are fake names and identities used to hide your true identity.
And before you ask - No, you are not legally obligated to ever use your real name when purchasing products online.
“Using a fake name or address is not a crime on its own. 18 U.S.C. 1342 criminalizes the use of fictitious names or addresses (only when you have) intent of committing fraud or other criminal actions explicitly.” - Eisner Gorin, LLP
Using a service like MySudo, you can generate an alias with a
The app keeps all the texts and emails inside the app.
So you might choose the generic alias like “Mark Smith” and your email would be marksmith560@sudomail.com.
With this account you can even send and receive texts and make phone calls with a phone number of your choosing.
When you purchase at Ledger and make your account, you use the Alias for the name, email, and phone number fields.
That way, if/when Ledger gets hacked, they don’t have your real name or phone number or primary email address at all.
MySudo is not free, and there are cheaper ways to create aliases, but they require more work and are harder to manage, especially when you are dealing with hundreds of services.
Let’s take the alias thing a step further to get real protection from the biggest threat - physical address leaks.
Perhaps the biggest problem with the Ledger hack is that customers’ physical mailing addresses were leaked.
What makes a leak like this especially bad for Ledger customers is that attackers know these customers are self-storing potentially large sums of valuable digital coins.
…That’s the whole point of owning a Ledger device in the first place.
So what can we do?
We can use mailing addresses that are not the same as where we live.
There are two options here:
Most people are familiar with PO Boxes. They are dedicated boxes at post offices that you can receive mail at.
If a hacker knows your PO Box and wants to attack you and take your coins, they would need to stake out the PO Box all day, every day until you show up, and then try to attack you there or follow you home.
This would be very unlikely, since they have no way of knowing how often you check your PO Box or how much money you are storing on your Ledger.
However, if you are really paranoid, you could use a mail forwarding service.
Here’s how it works.
When you buy your Ledger, instead of putting your mailing address in the shipping form, you put the address of the forwarding company which you would have gotten when you set up the forwarding service.
Once the Ledger arrives at the forwarder’s receiving location, they then ship it to you.
Of course, there are also issues with this option.
What if the forwarder is hacked? Then an attacker would know your true address, and we are right back where we started.
Or are we?
You have to think about what the hacker of the forwarder knows vs what the hacker of ledger knows.
The hacker of the forwarder really doesn’t know much about what is being shipped to you, so there is some protection there.
And because of this, mail forwarders are just much less enticing targets for hackers in general, so a forwarder is less likely to be targeted in the first place.
But there is one final, very paranoid thing we could do: mix both methods by using a mail forwarding company to forward the Ledger to our PO Box.
This would be expensive and time consuming, but it would probably be the safest.
Let’s talk about the last piece now: payments
This one should be pretty obvious since we are talking about a Bitcoin hardware wallet purchase.
Surely we can just use bitcoin!
At Ledger, yes, but not at many other online retailers (unless you use a purchasing service of some kind).
So what are the other options?
We have a few.
Pre-paid gift cards
You are likely very familiar with these already.
You go to a store that sells gift cards, grab a visa pre-paid card, and buy it with cash at the cashier.
Pretty simple and works on most online stores.
Virtual Cards
If you plan to do a lot of privacy-enhanced purchasing, you may opt to use virtual credit cards like those offered by privacy.com or (again) MySudo.
With these services, they generate a new credit card number for every purchase you want to make. You pre-fund them on their platform by using your credit card.
Once you are ready to make a purchase, you just input the credit card info they give you like any other purchase.
The issue with these is that they usually require very strict KYC which is not exactly private at all, but it can protect your real info from getting leaked to hackers like the ones who attacked Ledger.
If I had to rank all of these options from most to least private, I would say:
Pre-paid cards are better than virtual cards because they are like using cash since there is no digital record tying it to your identity.
The Ledger crypto wallet hack teaches us a lot about how poor data handling can go wrong and what we can do to mitigate the damage it can cause.
This one was especially bad since it targeted people who are likely to be storing large sums of money themselves.
But…this should not surprise us. Ledger was likely targeted for this very purpose.
At the end of the day, we cannot and should not rely on the companies we buy from to protect our privacy because they will always disappoint.
Instead, we should take the steps necessary to protect ourselves from their poor processes so when they fail, we remain safe.