Why Ledger Kept All That Customer Data in the First Place

Sunday’s dump of customer emails and addresses serves as a sobering reminder that even a maker of hardware crypto wallets can become a data honeypot.

AccessTimeIconDec 21, 2020 at 4:32 a.m. UTC
Updated May 9, 2023 at 3:14 a.m. UTC
AccessTimeIconDec 21, 2020 at 4:32 a.m. UTCUpdated May 9, 2023 at 3:14 a.m. UTC
AccessTimeIconDec 21, 2020 at 4:32 a.m. UTCUpdated May 9, 2023 at 3:14 a.m. UTC

First, the good news, in a manner of speaking: Ledger customers can now see firsthand whether their personal information was exposed in the hack discovered in July.

Someone posted the complete lists of 1 million email addresses and 272,000 names, mailing addresses and phone numbers belonging to customers of the France-based maker of hardware cryptocurrency wallets. The latter list is a lot bigger than the number previously disclosed by Ledger (9,500). 

Asked about the discrepancy, a Ledger spokesperson said: "At the time of the incident, logs from a third-party application managing our database showed 9,500 individuals were impacted. Simultaneously, we were working with an external security organization to conduct a forensic review, which also confirmed 9,500 people." In an email sent to customers later Monday, Ledger said the details in the list of 272,000 "are not available in the logs that we were able to analyse." Customers whose information was in that list will be notified by email within 24 hours, the company said.

“It is a massive understatement to say we sincerely regret this situation. We take privacy extremely seriously,” Ledger said in a tweet storm Sunday. “Avoiding situations like this are a top priority for our entire company, and we have learned valuable lessons from this situation.” Among other steps, Ledger has hired a new chief information security officer and taken down 170 phishing sites since the breach, it said.

There are at least three file-sharing sites, reminiscent of the golden age of MP3 blogs, where you can download the two lists. I will not post the links but it took just a few minutes searching Twitter to find them. 

If you download the trove, please check for your own details, then delete it. If you keep the file, gawk at the names or gossip with friends about it, well, I’ll be very disappointed

Several of the email addresses in the data leak match those that received phishing emails from scammers seeking to defraud CoinDesk readers. 

As we reported in July, these scammers were copying legitimate CoinDesk newsletters, adding some fraudulent paragraphs and links about a crypto giveaway, and sending them to individuals who never signed up to receive CoinDesk emails to begin with. 

Casa CTO Jameson Lopp suggested in November that Ledger customers may have been targeted; Sunday's data dump supports that theory. 

Bigger picture

The bad news: O.K., it’s not news but Sunday’s data dump serves as a sobering reminder that even a maker of hardware crypto wallets can become a honeypot of sensitive data. (I'm using the term "honeypot" in the sense of "a valuable target for hackers," not "a decoy site to trap them.")

The reason is partly due to the marketing imperatives of a startup, and partly due to legal and regulatory requirements.

In an FAQ posted in July, the company said an attacker had accessed part of its marketing database through a third party’s API key that had been misconfigured on Ledger’s website. 

As soon as the breach was discovered, the key was deactivated, Ledger said. But not in time to prevent the rascals from accessing the lists and, apparently, selling them to phishing artists. 

Why would a third party have an API key? The FAQ goes on to explain:

Ledger e-commerce and marketing teams use a third-party solution (Iterable) to send and analyze transactional and marketing emails to customers who have bought products on ledger.com or have signed up to receive our newsletters. … In accordance with our Privacy Policy, as a data controller, we may transmit some of your data to third parties such as payment service providers (PSPs) infrastructure, logistics, and other services providers, within applicable contractual and legal frameworks.

That covers the emails. What about all those mailing addresses, names and phone numbers? Why not purge those after shipping the goods? Back to the FAQ:

For legal reasons, we are obliged to store some transactional information relating to our customers' contact details and their orders data. 

In accordance with the storage limitation principle set forth under applicable laws, we endeavor to retain data for no longer than the time required to comply with such legitimate and legal purposes, including satisfying any legal, accounting, tax, or other compliance reporting requirements. 

We may archive some of your personal data, with restricted access, for an additional period of time when it is strictly necessary for us to comply with our legal and/or regulatory archiving obligations and for the applicable statute of limitation periods. 

At the end of this additional period, your remaining personal data will be permanently erased or anonymized from our systems. If you purchased a product or a service from us, we may retain some transactional data attached to your Contact Details to comply with our legal, tax or accounting obligations for a maximum 10 years period set forth by French applicable laws, as well as to allow us to manage our rights (for example to assert our claims in Courts) during applicable French statutes of limitations. 

We also need to retain some of your personal data contained in this database, in order for us to answer your questions, to process potential claims, and to retain evidence for the criminal investigation.

In other words, sometimes companies’ hands are tied and they have to hold on to the toxic waste that is customer data even if they don’t want to. 

Take heart; there are ways to mitigate the risk of exposure even when ordering physical products, as CoinShares Chief Strategy Officer Meltem Demirors noted on Twitter

UPDATE (Dec. 21, 16:45 UTC): Added statement from Ledger spokesperson.

UPDATE (Dec. 21, 18:40 UTC): Added quote from Ledger email to customers.

Learn more about Consensus 2024, CoinDesk's longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to consensus.coindesk.com to register and buy your pass now.


Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by Block.one; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk offers all employees above a certain salary threshold, including journalists, stock options in the Bullish group as part of their compensation.