Crypto wallet company Ledger has suffered another data breach in which users’ personal data, including names and contact addresses, was “improperly accessed.”
The breach is linked to Ledger’s payment processor Global-e, which handles payment processing and e-commerce services for the wallet maker’s online store.
Users were alerted to the breach on Monday by an email from Global-e, later shared by crypto sleuth ZachXBT, in which the company says it “identified unusual activity on a portion of our network.”
According to the company, it immediately took action to contain and secure its systems and has “retained independent forensic experts to conduct an investigation.”
Global-e hasn’t revealed how many users may have been affected or exactly when the breach occurred, but Ledger says that the incident “remains separate to the operations of any Ledger hardware device, software or platforms.”
It also moved to reassure its users, saying that Global-e “does not have access to your 24 words, blockchain balance, or any secrets related to digital assets.”
It does, however, suggest that users may want to “consider Clear Signing transactions where possible, and using Transaction Check when submitting transactions on the blockchain.”
Ledger’s ‘free’ support actually cost $10
Last year, Ledger faced criticism around its supposedly “free” support for “clear signing” for multisig users.
Specifically, the criticism revolved around the fact that the “free” service, which was initially praised as an important step to protect against attacks like February’s $1.5 billion ByBit hack, would actually cost $10 per transaction or 0.05% of the amount transferred, on top of gas costs.
Protos contacted Ledger CTO Charles Guillemet for clarification, at which point he said that Multisig is a paid service and that his initial announcement post contained “a typo.”
In an email to Protos, Ledger said, “Ledger was made aware of an incident at Global-e, an e-commerce partner for global brands and retailers, including Ledger.”
It continued, “This was not a breach of Ledger’s platform, hardware or software systems, which remain secure.
“For the avoidance of doubt, as the Ledger product is self-custodial, Global-e does not have access to your 24 words, blockchain balance, or any secrets related to digital assets.
“Importantly, no payment information was involved. Ledger takes data security seriously, and when informed by Global-e of the incident, Ledger worked with Global-e to help it notify impacted Ledger users with information relevant to them.”
The company also warned, “Neither Ledger nor Global-e will ever ask for users’ 24 words. We encourage everyone to be alert to any potential phishing campaigns, never disclose their 24 words, and always Clear Sign transactions where possible.
“We remain united with the industry at war against hackers and bad actors who are tirelessly trying to steal users’ information in the ecosystem and e-commerce space at large.”
Source: https://protos.com/ledger-confirms-customer-data-leaked-in-third-party-global-e-breach/