On Monday a hacker dumped sensitive data stolen earlier this year from the Ledger cryptocurrency wallet’s website. The data was put up for grabs on sites frequented by criminals. And in a twist that surprised no one, the data is now actively being exploited in phishing campaigns.
An archive includes two files named “All Emails (Subscription).txt” and “Ledger Orders (Buyers) only.txt” that contain sensitive data from the breach. The first includes email addresses of 1,075,382 people who subscribed to the Ledger newsletter, according to the report.
The “Ledger Orders (Buyers) only.txt” reveals more sensitive data, as it contains the names and mailing addresses for 272,853 people who purchased a Ledger device, researchers told BleepingComputer.
What is on the Line
Ledger offers a hardware-based cryptocurrency wallets–secured by a 24-word recovery phrase and an optional secret passphrase that only the owner knows–where clients can store, manage, and sell cryptocurrency. Cryptocurrency wallets are designed to store the public and private keys used to receive or spend a specific cryptocurrency, and considered a safer alternative than storing this information on a computer.
A Ledger spokesperson told Threatpost in an email Monday that “the dumped content may be Ledger’s e-commerce database that was exposed during the data breach in June 2020,” although the company is still investigating.
“This database may be used by scammers for phishing attacks through emailing and text message campaigns,” the spokesperson said.
Ledger has been working to notify affected users via Twitter and responding to customer questions, while also reporting all tweets and Reddit posts that contain a link to the database, the spokesperson told Threatpost. In the meantime, the company is urging users to never share their 24-word phrase, and keep in mind that no one from the Ledger team would request that private information.
June Breach Blamed
Ledger officials became aware of a breach that occurred in June on July 14 when a researcher participating in its bug bounty program informed them of a potential issue with the company’s website, according to a blog post the company made on July 29.
While the initial attack was quickly mitigated, the cryptocurrency wallet was attacked again on June 25 “by an unauthorized third party who accessed our e-commerce and marketing database,” the company said.
The files access consisted mainly of email addresses but also contact and order details for clients to whom Ledger sends order confirmations and promotional emails. At the time, Ledger assured clients that their “payment information and crypto funds are safe.”
The company worked an external security organization to conduct a forensic review of the attack and confirmed that it impacted only 9,500 individuals, all of whom were personally contacted by Ledger Support, the spokesperson told Threatpost.
Origins of the Attack
The original hack traces back to an API key that gave an unauthorized third party access to part of Ledger’s e-commerce and marketing database. The company disabled the key soon after learning of the situation, officials said.
Still, there is evidence that threat actors have used the emails stolen from Ledger to target clients with phishing attacks, according to research from ProofPoint. Attackers use messages claiming to be from the company informing them that their Ledger assets may have been compromised or are at risk in some way.
If a victim takes the bait, the attackers backdoor the Ledger Live application, which allows them to steal users’ recovery phrases which in turn can be used by an actor “to generate a copy of the user’s private keys, allowing them to steal any digital currencies associated with those private keys,” according to ProofPoint.
Indeed, cryptocurrency wallets have been a target for threat actors due to the potential for financial gain. And while they are indeed considered a secure place for users to store their cryptocurrency assets, researchers in 2018 proved that wallets such as Ledger and Trezor are vulnerable to a number of different types of cyber attacks.
Threat actors seem to have since taken that info and run with it. Before the July attack on Ledger, researchers discovered widespread campaigns spreading malicious browser extensions abusing Google Ads and well-known cryptocurrency brands including Ledger to lure victims and eventually steal their cryptocurrency wallet credentials. Other wallets targeted in the campaign included Electrum, Exodus, Jaxx, KeepKey, MetaMask, MyEtherWallet and Trezor.
Download our exclusive FREE Threatpost Insider eBook Healthcare Security Woes Balloon in a Covid-Era World , sponsored by ZeroNorth, to learn more about what these security risks mean for hospitals at the day-to-day level and how healthcare security teams can implement best practices to protect providers and patients. Get the whole story and DOWNLOAD the eBook now – on us!