Major cryptocurrency hardware wallet provider Ledger experienced a data breach.
The company said it was made aware of the breach on July 14 when a researcher participating in its bounty program reached out with details of a potential vulnerability on its website.
While the company was able to fix the breach immediately, a further investigation found that an authorized third party carried out a similar action on June 25.
The individual used an API key to access the marketing and e-commerce database the company used to send promotional emails.
This compromised the email addresses of almost one million people.
For a subset of 9,500 customers, details such as first and last name, postal address, and phone number were also exposed.
Source: https://cointelegraph.com/news/data-breach-at-crypto-wallet-firm-ledger-exposes-users-personal-info
TPRM report: https://scoringcyber.rankiteo.com/company/ledgerhq
"id": "led213813123",
"linkid": "ledgerhq",
"type": "Data Leak",
"date": "06/2020",
"severity": "85",
"impact": "3",
"explanation": "Attack with significant impact with internal employee data leaks"
{'affected_entities': [{'customers_affected': ['Almost one million',
                                               '9,500 with additional details'],
                        'industry': 'Cryptocurrency Hardware Wallet',
                        'name': 'Ledger',
                        'type': 'Company'}],
 'attack_vector': 'API Key Misuse',
 'data_breach': {'number_of_records_exposed': ['Almost one million',
                                               '9,500 with additional details'],
                 'personally_identifiable_information': ['First and last names',
                                                         'Postal addresses',
                                                         'Phone numbers'],
                 'type_of_data_compromised': ['Email addresses',
                                              'First and last names',
                                              'Postal addresses',
                                              'Phone numbers']},
 'date_detected': '2020-07-14',
 'description': 'Major cryptocurrency hardware wallet provider Ledger '
                'experienced a data breach. The company said it was made aware '
                'of the breach on July 14 when a researcher participating in '
                'its bounty program reached out with details of a potential '
                'vulnerability on their website. While they were able to fix '
                'the breach immediately, a further investigation found that an '
                'authorized third party carried out a similar action on June '
                '25. The individual used an API key to access the marketing '
                'and e-commerce database the company used to send promotional '
                'emails. This compromised the email addresses of almost one '
                'million people. For a subset of 9,500 customers, details such '
                'as first and last name, postal address, and phone number were '
                'also exposed.',
 'impact': {'data_compromised': ['Email addresses',
                                 'First and last names',
                                 'Postal addresses',
                                 'Phone numbers']},
 'response': {'remediation_measures': 'Fixed the breach immediately'},
 'threat_actor': 'Authorized Third Party',
 'title': 'Ledger Data Breach',
 'type': 'Data Breach',
 'vulnerability_exploited': 'Unauthorized Access to API Key'}