Ledger Users Vent as Attacks Begin, No Refunds From Company

The company itself is offering little assistance and no reimbursements to the escalating number of victims of its slipshod security.

The fallout from the second major data leak from the company that promised to be safer than keeping crypto on exchanges is intensifying. On December 21, a hacker leaked the details of as many as 270,000 Ledger customers to public forums.

That data, which includes email addresses, phone numbers, and even physical addresses, is now being hoovered up by scammers who are beginning their attack run.

SCAMMERS ARE GOING WILD

Sending fake emails pretending to be Ledger apologizing for the data leak and phishing you to install “latest version”

BEWARE!!

— Ivan on Tech (@IvanOnTech) December 21, 2020

Customers Vent

SIM swapping attacks have become a real and present danger due to the nature of the data leaked. Some users are already reporting that they have been targeted by this scam following the Ledger breach.

@ledger is hacked, and the next day I have my sim hacked! WTF. Its currently happening. No service on my phone, they got into authenticator app and are requesting password changes to several sites including @coinbase. #crypto Not even sure what to do.

— JimboChewdip (@jimbochewdip) December 22, 2020

In a nutshell, SIM swapping is when a malicious actor contacts the victim’s mobile service provider in order to convince the call center employee that they are indeed the victim themselves using their personal data.

The attacker then asks the provider to activate a new SIM card linked to the victim’s phone number on a new phone, which they are holding. With this, they can access 2FA security measures used by Ledger devices, reset passwords, and empty the wallets.

Aside from the obvious phishing scams, which have plagued Ledger users since their first data breach in June 2020, there is another threat of ransom attacks being employed since physical addresses were also leaked.

Casa HODL co-founder Jameson Lopp has had firsthand experience of such an attack when his home address was SWATted in 2017.

@ledger is hacked, and the next day I have my sim hacked! WTF. Its currently happening. No service on my phone, they got into authenticator app and are requesting password changes to several sites including @coinbase. #crypto Not even sure what to do.

— JimboChewdip (@jimbochewdip) December 22, 2020

Contacting Ledger is fruitless as the company refuses to assist its customers who have lost funds due to its negligence or otherwise. Ledger appears to be losing credibility fast as the backlash continues.

Ledger: No Reimbursements

Speaking to Decrypt, Ledger CEO Pascal Gauthier said that the company will not reimburse customers who have had their personal data leaked online.

“When you have a data breach of this magnitude for such a small company, we won’t reimburse for a million users, all the devices, that’s just not possible. It would just kill the company,”

Gauthier tweeted that funds on Ledger devices are still safe; however, this is clearly not the case as they can and have been removed with spurious transactions unauthorized by the owners.

The responses were vociferous, to say the least as there was not even an apology and the company appears to have washed its hands of the consequences and unimaginable fallout of the incident.