If you bought from Ledger directly, yet another data breach. Consequently, I wouldn’t trust their hardware wallets because they’re not completely opensource, and they have a poor history of protecting data. And it was interesting that instead of tightening up their own products, they had funded a security team looking for vulnerabilities in other hardware wallets, to cast shade on competitors it would seem. Though, users benefited as a lot of hardware wallets improved their security as a result, with many better platforms than Ledger to choose from.
By Bill Toulas
Ledger is informing some customers that their personal data has been exposed after hackers breached the systems of third-party payment processor Global-e.
In a statement for BleepingComputer, the blockchain company underlines that its network has not been impacted and that the platform’s hardware and software systems remain secure.
“Some of the data accessed as part of this incident pertained to customers who purchased on Ledger.com using Global-e as a Merchant of Record,” the company told BleepingComputer.
Out of an abundance of caution, Ledger, the maker of the namesake self-custodial hardware wallets, is warning its customers that the third-party data breach exposed their names and contact information.
On-chain investigator ZachXBT published a community alert with the notification from Ledger:
.png)
The Global-e platform handles checkout, order processing, localization, taxes, duties, and compliance for multiple online retailers and brands. Among its customers are Bang&Olufsen, adidas, Disney, Givenchy, Hugo Boss, Ralph Lauren, Michael Kors, Netflix, and M&S.
These services require storing customer order data, though Ledger specified that the exposed details do not include financial information.
According to Ledger, the hackers had access to order data present on Global-e’s systems. However, neither Global-e nor Ledger had access to customers’ 24-word seed phrases for accessing the crypto wallet, the blockchain balance, or any secrets related to digital assets.
“Importantly, no payment information was involved,” the company said, noting that attackers may try to target customers in phishing campaigns designed to steal their passphrases.
“We encourage everyone to be alert to any potential phishing campaigns, never disclose their 24 words, and always Clear Sign transactions where possible.” – Ledger
It was also specified that Ledger was not the only brand whose customer data was affected, and that the unauthorized party gained access to a Global-e cloud-based information system containing shopper order data from several brands.
BleepingComputer reached out to Global-e to learn more about the incident and the affected brands, but we have not received a response by publication time.
Ledger says that affected users will receive direct communication from Global-e about the incident and its impact. They are recommended to contact Global-e for more details.