Ledger database leak and lessons to be learned
Ledger — the famous crypto currency hardware wallet vendor recently had the database of their e-commerce platform compromised and leaked in the public. This database contained personal identifiable information (PII) about their customers which has put a lot of people at risk of various crimes.
In this article, I would like to discuss with you the lessons to be learned from this database leak in order to reduce the attack surface and risk in the future, should there be a similar event.
Before we get into the list of precautions to take, let us first quickly assess the leaked database.
On December 20th 2020, it was discovered that the entire Ledger’s customer database was leaked and uploaded to various file sharing sites and discussion forums. This made it possible for anyone with access to Internet, to download the database and discover the personal details of people who have purchased the Ledger wallet in the past.
An archive file containing 2 text files was uploaded to file sharing sites.
The 2 files were:
All Emails (Subscription).txt
Ledger Orders (Buyers) only.txt
Geographical statistical information
The file, “Ledger Orders (Buyers) only.txt” contains the details of customers who purchased the hardware wallet from Ledger. The details were formatted as shown below:
email address | Full Name | physical address | country | phone number
We can gather some statistical information from this leaked database to get the count of number of people in each country in the world who were compromised
I crafted the following Linux command to generate these statistics:
$ cat ledger.txt | rev | cut -d “|” -f2 | rev | sed ‘s/^[ \t]*//;s/[ \t]*$//’ | sort | uniq -c | sort -r -n
91432 United States
23437 Germany
21127 United Kingdom
16481 France
12599 Canada
11277 Australia
8327 Spain
8257 Netherlands
7484 Poland
5507 Italy
4865 Russia
….
This gives us a quick idea about which countries’ have the maximum Ledger hardware wallet users. The complete list of statistics can be found here: https://pastebin.com/raw/hhuqKgsE
Lessons to be learned from this database leak
Now that we know the kind of data which was leaked, let us discuss the precautions which users can take in future while buying hardware wallets or any cryptocurrency related product.
Don’t disclose your home address
Since hardware wallets need to be shipped to the customer by the vendor, it is mandatory to provide a physical address at the time of purchase. Most users made the mistake of using their home address which has now put them at risk. If you are renting a property, you still have the option to relocate and change your address. However, if you are living in your own property, then you cannot quickly sell your house and move to a new location.
One way to avoid sharing your home address would be to share the address of your office or some kind of drop store where you can later come and collect your order.
Don’t use your regular personal email address
When making the purchase, you could either use a throwaway email address or create an email address which is dedicated for the purpose of purchasing hardware wallet only. By avoiding to use this email address on any other web platform, you can reduce the risk of being hacked and also attackers cannot correlate other personal information with your email address.
Don’t use your real name while making the purchase
In order to receive your order successfully, you don’t need to share your real name. There is no KYC (Know your Customer) in place which mandates you to share your real name.
Don’t use your regular phone number
Similar to the precaution taken with email address, you can follow the same practice for phone number too. Instead of using your regular phone number which you use for your day-to-day tasks, you could have a temporary SIM card (which is not linked to your personal identity) and provide that number while buying hardware wallet.
Don’t use your bank credit/debit card to buy the wallet
You are purchasing a wallet to store crypto currencies, wouldn’t it make more sense to purchase it using crypto currencies as well? That way, you can avoid revealing any personal details about yourself. To be even more cautious, you can consider using more privacy oriented crypto currencies such as Monero while purchasing, provided such payment methods are supported by the vendor.
Don’t disclose your crypto currency holdings to people
Last but not the least, avoid disclosing your crypto currency holdings to people in real life.
I hope these precautions will help you to reduce any risk while purchasing crypto currency related products in future.
