On the 14th of July 2020, a researcher participating in the Ledger bounty program made them aware of a potential data breach on the Ledger website. They immediately fixed this breach after receiving the researcher’s report and underwent an internal investigation. A week after patching the breach, they discovered It had been further exploited on the 25th of June 2020, by an unauthorized third party who accessed their e-commerce and marketing database – used to send order confirmations and promotional emails – consisting mostly of email addresses, but with a subset including also contact and order details such as first and last name, postal address, email address and phone number. Your payment information and crypto funds are safe.
To be as transparent as possible, the company want to explain what happened. An unauthorized third party had access to a portion of their e-commerce and marketing database through an API Key. The API key has been deactivated and is no longer accessible.
What personal information was involved?
Contact and order details were involved. This is mostly the email address of their customers, approximately 1M addresses. Further to investigating the situation they have also been able to establish that, for a subset of 9500 customers were also exposed, such as first and last name, postal address, phone number or ordered products.
Those 9500 customers whose detailed personal information are exposed will receive a dedicated email to share more details.
Regarding your ecommerce data, no payment information, no credentials (passwords), were concerned by this data breach. It solely affected the customers’ contact details.
This data breach has no link and no impact whatsoever with the hardware wallets nor Ledger Live security and your crypto assets, which are safe and have never been in peril.You are the only one in control and able to access this information.