December 30, 2020 | James Messi
Understanding the Attack on Ledger’s User Data
An attack on Ledger initially left users unsure whether their data had been leaked. Thankfully, if you have an account with Ledger and have not received an email about the attack that happened in July, you are in the clear.
When the attack first happened, Ledger’s internal services indicated about 9,500 users had been compromised. After a welcome third-party investigation, it was found that over 1 million email addresses were leaked along with 272,000 names.
Understanding cyber attacks is always extremely helpful in preparing cyber security measures against similar attacks. Ledger was very upfront and honest about the attack and how it unfolded, giving other cyber security experts an edge when dealing with these types of attacks in the future.
Ledger’s next move was to take the value out of the hacker’s stolen information – release the data themselves so that users could find out if they urgently needed to change their information. An inconvenience for sure, but at least this way it could be dealt with quickly and in the open.
Since then, it seems that the names found in these documents are more likely to be targets of phishing attacks. Since that is really the only use of the stolen information now, it’s not a surprise that the hackers are working this angle.
As with all crypto security, creating a safe password, changing it regularly and adding two-factor authentication to all of your accounts is the best and easiest way to ensure that you do not fall victim to any of these scams.
What Happens Next?
The Ledger leak left many confused about why the data that was leaked was even kept to begin with. This is a reasonable concern, and a just criticism – but Ledger themselves may not have been entirely at fault here.
As with any crypto business, the more information that they keep the more attention they draw as a potential mark for hackers. Therefore it’s reasonable to believe that Ledger didn’t necessarily want to keep any user data that they have no use for. If a malicious third party were to find out that they were keeping additional information, of course the risk of an attack would rise.
So why keep this information? The answer is unfortunately simple: Ledger is required by law to keep some user data for a set time frame after specific transactions. It is likely these laws that left the information out for the taking.
Of course, Ledger should still be held accountable for the breach, and they have been doing everything they can to fix what they are responsible for – but the problem of these crypto wallet companies storing sensitive information that is useless to them still persists.
Ledger released a FAQ about the breach that explains exactly what happened and what a user whose information was stolen should do. The FAQ makes it very clear that Ledger is rather helpless about the fact that it needs to store your data for longer than it would like.
Some solutions have been offered for how to protect yourself from a similar circumstance:
- Create a trash email that can be used for these kinds of signups.
- Use an app to generate fake numbers for yourself.
- Make sure to use 2FA for everything, including email and phone services.
These aren’t perfect solutions, and they are rather inconvenient for any user that just wants to focus on the services that are provided, but in a world where your data is hotly pursued by hackers it’s important to do what you can to protect yourself.
So what happens next, then? Do companies need to push back on these laws and take a stand for user privacy? Should companies still be required to hold this sensitive information long after its usefulness has run out?