Leading cryptocurrency hardware wallet provider Ledger announced Wednesday that it suffered a data breach in late June that affected the personal information of thousands of users.
According to a detailed report published by Ledger today, the breach occurred on June 25. The attacker accessed a part of the company’s e-commerce and marketing database, containing mostly email addresses used for sending order confirmation and promotional emails.
9,500 Users Exposed
Ledger further noted that the database also included a subset of contact and order information, such as users’ “first and last name, postal address, email address, and phone number.”
Although the database holds approximately 1 million email addresses, Ledger said further investigation revealed that only a subset of 9,532 customers had their personal information exposed. The company will contact the affected users via email, the report said.
Funds Are SAFU
Ledger confirmed that its hardware wallets, users’ funds, and payment information were not compromised.
“No payment information, no credentials (passwords), were concerned by this data breach. It solely affected our customers’ contact details,” the company said, adding:
“This data breach has no link and no impact whatsoever with our hardware wallets nor Ledger Live security and your crypto assets, which are safe and have never been in peril. You are the only one in control and able to access this information.”
Explaining the breach, the company said the attacker was able to gain unauthorized access to the database through an API key, which has been deactivated. Ledger noted that it discovered the exploit after patching the vulnerability, which was reported during its bug bounty on July 14.
After identifying the vulnerability, Ledger filed a report with the CNIL, the French Data Protection Authority, on July 17. Four days later, the company partnered with Orange Cyberdefense to evaluate potential damages caused by the breach and to identify potential data breaches.
The hardware wallet provider said it is “extremely regretful for the incident,” adding that it takes users’ “privacy very seriously.”