
Hardware Crypto Wallet Ledger Hit by a Third-Party Data Breach, Exposing Customer PII

Crypto wallet Ledger was hit by a third-party data breach stemming from an external payment processor, Global-e, exposing the personal information of some customers.

Ledger is a reputable hardware crypto wallet security platform, where users’ private keys are stored offline. Global-e, for its part, provides merchant services, including checkout, order processing, localization, tax, duty, and compliance, to various retail and corporate customers.

Other Global-e customers include Bang & Olufsen, Adidas, Disney, Givenchy, Hugo Boss, Ralph Lauren, Michael Kors, Netflix, and M&S, suggesting that they might be affected.

Crypto wallet platform Ledger confirms third-party data breach

Global-e said it responded by launching an investigation and implementing additional security controls after detecting unusual activity on its platform. It also retained the services of independent external cybersecurity experts, who confirmed the third-party data breach.

However, the third-party data breach did not affect Ledger.com’s IT infrastructure, hardware, or software products. It also only affected customers who had transacted using Global-e as a Merchant of Record.

Nevertheless, the third-party data breach leaked customers’ names and contact information, which is invaluable for hackers interested in phishing.

Additionally, neither Ledger nor Global-e accessed customers’ digital wallet secrets, suggesting that the clients’ crypto assets were not at immediate risk. Similarly, Ledger is a self-custodial crypto wallet, meaning that the users’ security and account information are not shared with the platform or other vendors during transactions.

“For the avoidance of doubt, as the Ledger product is self-custodial, Global-e does not have access to your 24 words, blockchain balance, or any secrets related to digital assets,” Ledger’s spokesperson stated.

Nevertheless, attackers could target crypto wallet owners via phishing to lure them into disclosing their secrets. Consequently, impacted customers should be on the lookout for unsolicited crypto-themed phishing messages requesting crypto wallet security details.

So far, it remains unclear how many crypto wallet owners were affected or when the third-party data breach occurred. The lack of transparency undermines user trust, on which Ledger is built.

Crypto wallet Ledger has a history of data breaches

The crypto wallet operator has experienced data breaches in the past. In 2020, Ledger was hit by a third-party data breach via its e-commerce partner Shopify, exposing the personal information of over 270,000 customers.

That information was posted on the infamous, now-defunct hacking forum RaidForums. The third-party data breach triggered class action lawsuits stemming from alleged phishing attempts and harassment. In 2023, the crypto wallet platform also lost $500,000 after threat actors breached its systems.