Ledger

A threat actor has leaked the stolen email and mailing addresses for Ledger cryptocurrency wallet users on a hacker forum for free.

Ledger is a hardware cryptocurrency wallet that is used to store, manage, and sell cryptocurrency. The funds held in these wallets are secured using a 24-word recovery phrase and an optional secret passphrase that only the owner knows.

In June 2020, Ledger suffered a data breach after a website vulnerability allowed threat actors to access customers' contact details.

Today, a threat actor has shared an archive containing two files named 'All Emails (Subscription).txt' and 'Ledger Orders (Buyers) only.txt' that contain data stolen during the data breach.

The 'All Emails (Subscription).txt' text file contains the email addresses of 1,075,382 people who subscribed to the Ledger newsletter. The 'Ledger Orders (Buyers) only.txt' is more sensitive as it contains the names, mailing addresses, and phone numbers for 272,853 people who purchased a Ledger device.

Hacker forum post containing the leaked Ledger data

Cybersecurity intelligence firm Cyble has shared the leaked file with BleepingComputer, and we have confirmed with Ledger owners that the data is accurate.

Ledger further confirmed in a tweet that this data dump is likely from the June 2020 data breach.

Cyble told BleepingComputer that this data was being sold privately in August 2020.

Data leak poses a significant security risk

The release of this data on a hacker forum poses a significant risk, as it gives numerous threat actors data that can be used in phishing attacks against Ledger owners.

Since October 2020, Ledger users have already been bombarded with phishing emails pretending to be Ledger data breach disclosures. These emails tell the user to download a new version of Ledger Live to secure their cryptocurrency assets with a new security PIN.

Ledger phishing emails

When users download and install the fake Ledger Live app, they will be presented with prompts asking for the Ledger owner's secret recovery phrase and passphrase. This information is then sent to the attackers, who can use the recovery phrase to steal the victim's cryptocurrency assets.

Fake Ledger Live phishing app

Threat actors can use this data to create highly targeted phishing campaigns that target not only an owner's email address but also their mailing address.

Using the leaked mailing addresses, convincing and elaborate scams can be crafted to trick users into revealing sensitive information, such as their recovery phrase.

What should Ledger owners do?

First and foremost, never tell anyone your Ledger recovery phrase or your secret passphrase and never enter it into any app or website. These phrases should only be entered on a Ledger device you are trying to recover.

If you receive postal mail about your Ledger device, do not act upon it or visit any site listed in the letter. Instead, contact Ledger support to confirm if the letter you received is a scam.

As phone numbers were also released, threat actors could attempt to perform a number transfer, or SIM swap attack, on your mobile account. You should contact your cellular provider and see if they can enable a protection that blocks number transfers.

Finally, disregard any emails claiming to be from Ledger stating that you were affected by a recent data breach, that your hardware device has been deactivated, or asking you to confirm a transaction. These are all phishing scams that are attempting to steal your cryptocurrency.

Ledger has released a web page where they list the various phishing scams targeting Ledger owners, and it is an excellent page to consult so that you do not fall victim to a scam.
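For mail administrators, the lure themes described above can be turned into a simple triage rule. The following is an added example, not code from Ledger or BleepingComputer; it assumes ledger.com is the vendor's mail domain and that the receiving server writes a trustworthy Authentication-Results header, and all sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

OFFICIAL = {"ledger.com"}  # assumption: the vendor's real mail domain
LURES = {  # themes the article tells owners to disregard
    "breach_notice": re.compile(r"data breach", re.I),
    "device_deactivated": re.compile(r"\bdeactivated\b", re.I),
    "confirm_transaction": re.compile(r"confirm (a|your|this|the) transaction", re.I),
    "download_ledger_live": re.compile(r"download\b.{0,40}\bledger live", re.I | re.S),
    "asks_recovery_phrase": re.compile(r"recovery phrase|passphrase", re.I),
}

def body_text(msg):
    """Concatenate every text/* part, decoding transfer encodings."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join(p.get_payload(decode=True).decode(errors="replace")
                     for p in parts if p.get_content_maintype() == "text")

def triage(raw):
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    official = any(domain == d or domain.endswith("." + d) for d in OFFICIAL)
    # The From header is trivially spoofed; trust it only when the receiving
    # server recorded a DMARC pass (assumes it strips forged copies of the header).
    dmarc = "dmarc=pass" in msg.get("Authentication-Results", "").lower()
    claims_brand = "ledger" in (display + " " + addr).lower()
    text = msg.get("Subject", "") + "\n" + body_text(msg)
    hits = sorted(name for name, rx in LURES.items() if rx.search(text))
    if hits and claims_brand and not (official and dmarc):
        verdict = "phish"    # brand claimed, sender unauthenticated, lure present
    elif hits:
        verdict = "review"   # lure wording from an authenticated or unrelated sender
    else:
        verdict = "ok"
    return {"verdict": verdict, "lures": hits, "sender_domain": domain}

# Constructed sample messages (not taken from the leak or from real campaigns).
SAMPLE_LOOKALIKE = ('From: "Ledger Support" <support@ledger-notice.example>\n'
    'Subject: Your Ledger device has been deactivated\n\n'
    'Due to a recent data breach, download the latest version of Ledger Live.\n')
SAMPLE_SPOOFED = ('From: Ledger <no-reply@ledger.com>\n'
    'Subject: Please confirm your transaction\n\n'
    'Open the link below to confirm your transaction.\n')
SAMPLE_NEWSLETTER = ('From: Ledger <news@ledger.com>\n'
    'Authentication-Results: mx.example; dmarc=pass header.from=ledger.com\n'
    'Subject: Product newsletter\n\n'
    'New firmware release notes are available.\n')
```

Keyword rules like these only catch the wording seen so far, so they complement sender authentication rather than replace it.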
