
Is anyone else starting to become a bit excited?


Comments

  • Registered Users, Registered Users 2 Posts: 92 ✭✭dougal0691


    That leak is kind of scary, just found 2 people on the list that I know. What's the best alternative to the ledger, as I really have more money on exchanges than I'm comfortable with?


  • Registered Users, Registered Users 2 Posts: 4,676 ✭✭✭makeorbrake


    Here's a better link - that will show all the data that has been exposed.


  • Registered Users, Registered Users 2 Posts: 5,268 ✭✭✭Elessar


    Not true? Are you saying that you have been getting ledger phishing emails yet you're not on the breach list?



    Here's a better link - that will show all the data that has been exposed.

    No I'm just saying that if your email is on the list, it doesn't necessarily mean your name, address and phone number are on it.


  • Registered Users, Registered Users 2 Posts: 66,636 ✭✭✭✭unkel


    td2008 wrote: »
    Once you have the private key it doesn't matter if the drive itself fails.

    So what's the added value of the drive then?


  • Registered Users, Registered Users 2 Posts: 4,676 ✭✭✭makeorbrake


    Elessar wrote: »
    No I'm just saying that if your email is on the list, it doesn't necessarily mean your name, address and phone number are on it.

    Whatever data you provided at the time should be on it, I believe. I've been given quite the schooling on this - as I'm on there - living in a country where violent crime has been a national pastime for the last 60 years. Lesson learnt!


  • Registered Users, Registered Users 2 Posts: 247 ✭✭donnaille


    Input your email address here and that will confirm if you're part of the breach. If you've been getting those emails, you almost certainly are. That means the physical address, email address, your name and phone number provided are all exposed.

    Aside from phishing emails, anyone on that list could be subject to a $5 wrench attack or sim swapping.

    Some have suggested that their data was compromised despite having requested that ledger delete their data. I hope that the company get nailed to the cross under GDPR. The company claimed that only a fraction of their database had been hacked. It's possible that this action alone led the hackers to make this data available to anyone.

    In the longer run, it's probably for the best though - as it highlights to all of us that if you submit data to a third party, there's every chance that data will be compromised. Probably best to assume that from the outset.

    I'm in the email list, but I'm not in the customer details database, even though I bought a Ledger in the period that data was stolen.


  • Registered Users, Registered Users 2 Posts: 66,636 ✭✭✭✭unkel


    Here's a better link - that will show all the data that has been exposed.

    LOL, all revenue commissioners in all countries in the world have taken a copy of that :D

    Get yourselves ready for a sweet wee audit...


  • Registered Users, Registered Users 2 Posts: 4,676 ✭✭✭makeorbrake


    donnaille wrote: »
    I'm in the email list, but I'm not in the customer details database, even though I bought a Ledger in the period that data was stolen.

    Interesting - lucky you!


  • Registered Users, Registered Users 2 Posts: 500 ✭✭✭td2008


    unkel wrote: »
    So what's the added value of the drive then?

    You physically need to use the drive to access all of your crypto - for sending/receiving

    The private key just allows you to rebuild the drive again


  • Registered Users, Registered Users 2 Posts: 247 ✭✭donnaille


    Interesting - lucky you!

    Luckily I've moved from the address (and country from the time) in any case, but main point is that you may get the phishing emails from being on the mailing lists alone.


  • Registered Users, Registered Users 2 Posts: 4,676 ✭✭✭makeorbrake


    donnaille wrote: »
    Luckily I've moved from the address (and country from the time) in any case, but main point is that you may get the phishing emails from being on the mailing lists alone.

    I've also moved - but in theory I'd have exposure to a sim swapping attack.


  • Registered Users, Registered Users 2 Posts: 4,676 ✭✭✭makeorbrake


    unkel wrote: »
    LOL, all revenue commissioners in all countries in the world have taken a copy of that :D

    Get yourselves ready for a sweet wee audit...

    Hmm... unless you went peer to peer, revenue will have access to all data from the major exchanges once they request it and do a crypto-related audit. It could be more interesting from a policing point of view.
    What if you had your list from the major exchanges and you compared that with the ledger list? If you weren't getting your crypto via the exchange, it could leave a very interesting short list open to investigation! :D


  • Registered Users, Registered Users 2 Posts: 2,760 ✭✭✭stockshares


    Input your email address here and that will confirm if you're part of the breach. If you've been getting those emails, you almost certainly are. That means the physical address, email address, your name and phone number provided are all exposed.

    Aside from phishing emails, anyone on that list could be subject to a $5 wrench attack or sim swapping.

    Some have suggested that their data was compromised despite having requested that ledger delete their data. I hope that the company get nailed to the cross under GDPR. The company claimed that only a fraction of their database had been hacked. It's possible that this action alone led the hackers to make this data available to anyone.

    In the longer run, it's probably for the best though - as it highlights to all of us that if you submit data to a third party, there's every chance that data will be compromised. Probably best to assume that from the outset.
    Here's a better link - that will show all the data that has been exposed.

    Pwned says my email was included but it didn't show in the 2nd link.

    Would I have to contact ledger to see if home address was included?

    How do people handle their accounts and signups after these breaches? Do you have to change your email address with every company or site that has it?

    Edit:
    I also want to apologise to people here for recommending Ledgers during the Black Friday Sale. I had no idea that buying them could lead to Home Address and Account details being exposed.


  • Registered Users, Registered Users 2 Posts: 4,676 ✭✭✭makeorbrake


    Would I have to contact ledger to see if home address was included?
    Don't believe the info they provide you with if you do. I'm reading reports on crypto-twitter of guys having done so and Ledger confirming that only their email was exposed (when the subsequent dump revealed that other data was exposed).

    If it's not in the raw data then I guess it's not there... although it's weird that Pwned confirmed that it's included. Double check it.


  • Registered Users, Registered Users 2 Posts: 33 LedgerSuck


    unkel wrote: »
    So what's the added value of the drive then?

    A hardware wallet is simply a way to confirm transactions to/from your wallet without needing to input your seed phrases on an internet connected device, e.g. phone or PC


  • Registered Users, Registered Users 2 Posts: 4,676 ✭✭✭makeorbrake


    How do people handle their accounts and signups after these breaches? Do you have to change your email address with every company or site that has it?
    It would be best to have a unique email address for each exchange sign up and for stuff like this. It's a lot of work - but it's better opsec.
    Also a voip number rather than regular mobile number so you can't get sim swapped.


  • Registered Users, Registered Users 2 Posts: 33 LedgerSuck


    I've also moved - but in theory I'd have exposure to a sim swapping attack.

    Make sure to not use texts/SMS as your authentication method; use an authenticator app. They're much more secure and it's actually straightforward to set up. Do this on your email account and exchanges, and make sure you've a good unique password for each as well.


  • Registered Users, Registered Users 2 Posts: 10,905 ✭✭✭✭Bob24


    unkel wrote: »
    I always had grave concerns about those ledgers. Not only from a security point of view, but also from a reliability point of view. Solid state media is extremely vulnerable to failure. That's why I never bought one.

    The most important piece is your seed phrase. Once you keep it safely, if your device fails you can just buy a new one and restore access to your funds.


  • Registered Users, Registered Users 2 Posts: 247 ✭✭donnaille


    There are over 1mn. email addresses included in the email list file and 273k customer details on the orders extract - so there is a chance your address does not appear (at least not in the dataset that is currently circulating).


  • Registered Users, Registered Users 2 Posts: 33 LedgerSuck


    Pwned says my email was included but it didn't show in the 2nd link.

    Would I have to contact ledger to see if home address was included?

    How do people handle their accounts and signups after these breaches? Do you have to change your email address with every company or site that has it?

    Edit:
    I also want to apologise to people here for recommending Ledgers during the Black Friday Sale. I had no idea that buying them could lead to Home Address and Account details being exposed.

    Fair play. It's really weird but so many people on r/cryptocurrency are defending them and still recommending them


  • Registered Users, Registered Users 2 Posts: 2,559 ✭✭✭RoboRat


    Wow, Ledger really shot themselves in the foot. That's a massive data breach and it's not just email addresses. I can see them getting a substantial GDPR fine because this is a very serious case and risks someone getting physically robbed.

    I do wonder if the sites publishing the data, although doing it for the right reasons, also risk getting fined? Waaaaay too much info out there right now.


  • Registered Users, Registered Users 2 Posts: 4,676 ✭✭✭makeorbrake


    LedgerSuck wrote: »
    Fair play. It's really weird but so many people on r/cryptocurrency are defending them and still recommending them

    Hmm...can't really defend this. This is not like any other breach. This data is a far greater honeypot than your typical breach given what's involved. Ledger's screw up here is symptomatic of a sector that has to become far more professional.


  • Registered Users, Registered Users 2 Posts: 2,760 ✭✭✭stockshares


    Don't believe the info they provide you with if you do. I'm reading reports on crypto-twitter of guys having done so and Ledger confirming that only their email was exposed (when the subsequent dump revealed that other data was exposed).

    If it's not in the raw data then I guess it's not there... although it's weird that Pwned confirmed that it's included. Double check it.

    I just double checked. Pwned say my email is included but the 2nd link says it isn't.

    Btw I am getting phishing emails which have increased in volume in the last few days
    It would be best to have a unique email address for each exchange sign up and for stuff like this. It's a lot of work - but it's better opsec.
    Also a voip number rather than regular mobile number so you can't get sim swapped.

    I do use separate email addresses for exchanges but I used my main email for Ledger.

    Do I need to change this email address with every company I'm signed up to? I'm worried about Utility companies who would have my bank account details for example.
    donnaille wrote: »
    There are over 1mn. email addresses included in the email list file and 273k customer details on the orders extract - so there is a chance your address does not appear (at least not in the dataset that is currently circulating).

    Can the orders extract be checked?


  • Registered Users, Registered Users 2 Posts: 33 LedgerSuck


    Hmm...can't really defend this. This is not like any other breach. This data is a far greater honeypot than your typical breach given what's involved. Ledger's screw up here is symptomatic of a sector that has to become far more professional.

    Spot on, the fact that they downplayed it makes me wish the company would go under tomorrow and all involved get huge fines.

    Does anyone know what we can actually do as individuals with regards to lodging complaints about this? Who would we contact?


  • Registered Users, Registered Users 2 Posts: 2,760 ✭✭✭stockshares


    RoboRat wrote: »
    Wow, Ledger really shot themselves in the foot. That's a massive data breach and it's not just email addresses. I can see them getting a substantial GDPR fine because this is a very serious case and risks someone getting physically robbed.

    I do wonder if the sites publishing the data, although doing it for the right reasons, also risk getting fined? Waaaaay too much info out there right now.

    What are the right reasons?


  • Registered Users, Registered Users 2 Posts: 33 LedgerSuck


    RoboRat wrote: »
    Wow, Ledger really shot themselves in the foot. That's a massive data breach and it's not just email addresses. I can see them getting a substantial GDPR fine because this is a very serious case and risks someone getting physically robbed.

    I do wonder if the sites publishing the data, although doing it for the right reasons, also risk getting fined? Waaaaay too much info out there right now.

    All those lads would definitely be using Tor and other means to stay anonymous so they wouldn't be worrying about anything like that

    Think it was the lad I linked on Twitter, but apparently he got a DM talking **** about leaking it because supposedly people were paying six figures for the data


  • Registered Users, Registered Users 2 Posts: 10,905 ✭✭✭✭Bob24


    Edit:
    I also want to apologise to people here for recommending Ledgers during the Black Friday Sale. I had no idea that buying them could lead to Home Address and Account details being exposed.

    I believe the list comes from a data leak which occurred in the summer. If I am not mistaken you are off the hook :-)


  • Registered Users, Registered Users 2 Posts: 4,676 ✭✭✭makeorbrake


    Can the orders extract be checked?

    There are two separate dumps shown - one is a mailing list (email only). The other includes the details of those who actually bought a ledger.
    Do I need to change this email address with every company I'm signed up to?
    I think it's a case of being doubly vigilant re. phishing emails. Where mobile number and address have been exposed, they offer greater (and much different) risk, i.e. physical attack and sim swapping attack.


  • Registered Users, Registered Users 2 Posts: 33 LedgerSuck


    What are the right reasons?

    Making the actual data available for everyone who was affected by it, since Ledger wouldn't even have the decency to be honest with us as customers about whether we were part of the group with personal information leaked


  • Registered Users, Registered Users 2 Posts: 10,905 ✭✭✭✭Bob24


    Would I have to contact ledger to see if home address was included?

    If you email their data protection officer and query this as a GDPR request, they have a regulatory obligation to provide a clear answer to you.

    In theory they also had an obligation to proactively let you know if you were impacted, but they clearly failed to do so for most people.

    AFAIK every single person in the EU who wasn’t notified when they should have been is also entitled to file a complaint with their national data protection authority (the DPC in Ireland) and seek sanctions against Ledger for a breach of GDPR.


This discussion has been closed.