As soon as he learned he was among the thousands of Ledger customers whose personal information was posted online on Sunday, JimboChewdip, as he is known on Twitter, acted quickly. Not fast enough.
JCD, as we’ll call him, changed his passwords Monday morning, only to receive a notification that a new device had been added to one of his two-factor authentication (2FA) accounts. Then he tried to log into his email. It was locked.
“Within minutes, I received notifications of password changes on Coinbase, Binance and Dropbox,” he later told CoinDesk. “I tried calling T-Mobile over WiFi, but it doesn’t work if the SIM card is disabled. So I reached out to them on Twitter and asked someone from support to block my account.”
At the same time, JCD posted a Twitter thread about the situation.
“When I got into my Coinbase Pro account and checked the balance, there was a sale of the coins I was holding on Bitcoin and a withdrawal of my entire account,” he said. “No answer from Coinbase support.” Around $2,000 worth of cryptocurrency was gone.
While he cannot prove that the SIM swap attack carried out against him was linked to the Ledger leak, “the timing is certainly suspect,” he said.
The data dump exposed 1 million email addresses and 272,000 names, postal addresses, and phone numbers of people who had ordered Ledger devices, which store the private keys for cryptocurrency wallets. The number of those affected was much higher than the 9,500 the company estimated when it announced a hack in July.
The incident shows the tangible damage such leaks can cause and the multiple ways in which people’s data can be compromised, and it raises questions about how, and whether, certain data should be retained in the first place. Once someone’s details land in a central repository of sensitive information, everything is there to be taken and then shared.
Hackers exploit the situation in a variety of ways, including using the data to carry out SIM swap attacks such as the one against JCD. In such an attack, employees of a telecommunications provider are tricked into porting the victim’s phone number to a device the attacker controls. In this way, the attacker can intercept or bypass SMS-based 2FA, for example to access crypto wallets or social media profiles.
More alarmingly, some users have received physical threats. In one case, a user reportedly received an email from someone trying to extort their cryptocurrency, saying they were “not afraid to break into their home”.
As the US government and some of the leading cybersecurity companies reel from a month-long cyber espionage campaign, government data retention mandates may need to be re-examined.
“Data breaches are extremely common. The only difference with the [Ledger] breach is that those affected are juicy, high-quality targets for spear phishers and scammers,” said Jameson Lopp, chief technology officer (CTO) at crypto custody startup Casa. “As such, criminals will use more extreme efforts than in any other data breach because the potential payout per target user is much higher.”
“Do not collect what you cannot protect. Personal information should be treated like toxic waste,” says Jameson Lopp of Casa. (Dan Meyers / Unsplash)
On Tuesday, Paris-based Ledger tweeted that “there has been a new wave of phishing attacks since yesterday, physically threatening our users,” and that victims should never pay the ransom.
In an interview, Ledger CEO Pascal Gauthier primarily emphasized how sorry he was that the company had been hacked and that the subsequent leak had occurred at all.
“I want to emphasize how sorry we are because I think it is important for our customers to know that we are affected by the impact on them,” he said.
He said the first hack was due in part to the company scaling so quickly and that he and new chief information security officer Matt Johnson would announce a new data policy and plan to continue fixing the leaks in January.
Gauthier said the physical threats were likely phishing attempts, noting that the emails were sent in multiple languages, which means there is little chance that anyone would actually attempt to physically attack a user.
“When it comes to crypto, it is much cheaper and easier to conduct a phishing attack from your home than it is to attack someone at home,” he said. “Attackers will make the cheapest attacks, and phishing is definitely the cheapest attack before they do anything else.”
When other companies, including rival hardware wallet maker CoinKite, apparently announced in response to the leak that they would delete user data after a certain period of time, Gauthier questioned the legality of such measures, since tax requirements mean that a subset of the user data must be retained for 10 years, he said. (“We adhere to Canadian regulations,” said a CoinKite representative from Toronto.)
Gauthier also noted that data breaches have steadily increased, and that this is an issue that extends beyond Ledger.
“The problem of hacking and leaking your data is less a matter of case and more of timing,” he said.
“Delete as soon as possible”
Crypto trader Scott Melker put JCD in touch with Haseeb Awan, the CEO of Efani, a cybersecurity company focused on preventing SIM swap attacks. Efani offers 11 levels of authentication for SIM cards, but each account has at least seven steps of authentication if a user wants to replace the SIM card.
Awan helped JCD secure his number and PIN in a short amount of time. If he hadn’t, JCD said, a lot more damage could have been done.
“With the Ledger hack, we found that the call volume from our victim helpline has increased at least tenfold, and we assume that it will continue to increase with the upcoming vacation because the victims are not supported by their existing carriers,” Awan said. “Criminals typically attack outside of business hours or on bank holidays because victims generally do not pay attention to their phones and cannot access support due to bank holidays.”
Awan said the Ledger list is a honeypot of potential targets for criminals that will be used in various types of attacks over the next several months. The most common will probably be cell phone SIM swaps or email compromises. Cases of identity theft or someone showing up at a victim’s physical address are less of a risk, he said.
Lopp said his biggest takeaway from the Ledger data dump was that “information wants to be free. In principle, it cannot be guaranteed that the data you have saved will not be lost.”
The only foolproof way to prevent leaks is to not collect any data at all, he said. The second best option is to keep data only for as long as it is needed and automatically delete it when you are finished using it. According to Gauthier, Ledger is examining this.
Lopp added that while keeping email addresses long-term for marketing purposes is perfectly understandable, customers’ names, physical addresses, and phone numbers are harder to justify after a delivery is complete and the return window has expired.
And it could have been worse: the leaked data was only from the last one or two orders, not the entire order history from 2014 when Ledger launched its first product.
“Do not collect what you cannot protect. Personal information should be treated like toxic waste,” said Lopp. “When you need to collect PII [personal identifiable information] for business purposes, delete it as soon as possible to minimize the amount of data you have available at any given time.”
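Lopp’s retention advice above, as an added example that is not code from Ledger, Casa or this article: a Python purge rule that keeps the email address, nulls out name, postal address and phone once delivery plus an assumed 30-day return window has passed, and discards the whole record after the 10-year tax period Gauthier cites. The record fields, the purge date and the sample orders are constructed assumptions.

```python
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import List, Optional

RETURN_WINDOW = timedelta(days=30)        # assumed retailer return window
TAX_RETENTION = timedelta(days=10 * 365)  # 10-year tax retention cited in the article
AS_OF = date(2020, 12, 23)                # assumed date the purge job runs


@dataclass(frozen=True)
class Order:
    order_id: str
    email: str                    # kept long term for marketing (the "understandable" case)
    name: Optional[str]
    postal_address: Optional[str]
    phone: Optional[str]
    order_date: date
    delivered_on: Optional[date]  # None until the carrier confirms delivery
    invoice_total: float          # tax-relevant, stays for TAX_RETENTION


def purge_shipping_pii(order: Order, today: date) -> Order:
    """Null out name/address/phone once delivery plus the return window has passed."""
    if order.delivered_on is None or today < order.delivered_on + RETURN_WINDOW:
        return order  # still needed to ship the device or to process a return
    return replace(order, name=None, postal_address=None, phone=None)


def apply_retention(orders: List[Order], today: date) -> List[Order]:
    """Purge shipping PII per order and drop whole records past the tax period."""
    kept = []
    for order in orders:
        if today >= order.order_date + TAX_RETENTION:
            continue  # nothing left that justifies keeping the record
        kept.append(purge_shipping_pii(order, today))
    return kept


def exposure_count(orders: List[Order]) -> int:
    """Records that would leak a postal address or phone number if dumped today."""
    return sum(1 for o in orders if o.postal_address or o.phone)


# Constructed sample orders, not data from the leak.
SAMPLE = [
    Order("A1", "a@example.com", "Ann", "1 Main St", "+1555000001", date(2020, 11, 1), date(2020, 11, 5), 119.0),
    Order("B2", "b@example.com", "Bob", "2 High St", "+1555000002", date(2020, 12, 10), date(2020, 12, 15), 59.0),
    Order("C3", "c@example.com", "Cy", "3 Elm St", "+1555000003", date(2020, 12, 18), None, 59.0),
    Order("D4", "d@example.com", "Di", "4 Oak St", "+1555000004", date(2009, 6, 1), date(2009, 6, 8), 79.0),
]

if __name__ == "__main__":
    print(exposure_count(SAMPLE), "->", exposure_count(apply_retention(SAMPLE, AS_OF)))
```

Running it shows the exposed-record count falling from 4 to 2: one order is past its return window and loses its shipping PII while keeping its email and invoice, and the 2009 order is dropped entirely.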
UPDATE (December 24th, 1:20 UTC): Added comment from competing hardware wallet manufacturer.