
Is anyone else starting to become a bit excited?


Comments

  • Registered Users, Registered Users 2 Posts: 66,637 ✭✭✭✭unkel


    LedgerSuck wrote: »
    A hardware wallet is simply a way to confirm transactions to/from your wallet without needing to input your seed phrases on an internet connected device, e.g. phone or PC

    Unless of course you shout out to the world that you have a hardware wallet. This sounds of course like I'm talking with hindsight about this data breach, but I'd rather a software wallet under the radar, that nobody knows about and very unlikely anyone is coming to look for it or come across it by accident


  • Registered Users, Registered Users 2 Posts: 33 LedgerSuck


    unkel wrote: »
    Unless of course you shout out to the world that you have a hardware wallet. This sounds of course like I'm talking with hindsight about this data breach, but I'd rather a software wallet under the radar, that nobody knows about and very unlikely anyone is coming to look for it or come across it by accident

    Yes, but obviously none of us knew ordering from them that they'd be this **** at something so basic. Since their product was actually good, you'd expect them to be secure overall. But lesson learned

    When you say software wallet though, I hope you're talking about a cold wallet if it's for a substantial amount, i.e. you sign transactions offline using a PC that's never connected to the internet. This would of course be an even better/safer option than a hardware wallet as it'd be possible to go completely under the radar with it, but it's just a bit more complicated for some. As has been said in here before anyway, the most important thing out of everything in this space is securely storing your seeds - you cannot lose your money if your seeds are secure


  • Registered Users, Registered Users 2 Posts: 10,905 ✭✭✭✭Bob24


    LedgerSuck wrote: »
    Yes, but obviously none of us knew ordering from them that they'd be this **** at something so basic. Since their product was actually good, you'd expect them to be secure overall. But lesson learned

    And the irony is that people who ordered directly from Ledger are actually the most cautious type of users.

    I.e. many of them purposely didn’t order from an online retailer or buy from a physical shop, in order to get the device straight from the manufacturer and ensure it hadn’t been tampered with.


  • Registered Users, Registered Users 2 Posts: 33 LedgerSuck


    Bob24 wrote: »
    If you email their data protection officer and query this as a GDPR request, they have a regulatory obligation to provide a clear answer to you.

    In theory they also had an obligation to proactively let you know if you were impacted, but they clearly failed to do so for most people.

    AFAIK every single person in the EU who wasn’t notified when they should have been is also entitled to file a complaint with their national data protection authority (the DPC in Ireland) and seek sanctions against Ledger for a breach of GDPR.

    We should find out the process for certain and have a separate thread on here with that information so anyone else impacted by it knows what to do, the more people doing it the better.

    Better again if a huge amount of people from the crypto subreddits do the same
    Bob24 wrote: »
    And the irony is that people who ordered directly from Ledger are actually the most cautious type of users.

    I.e. many of them purposely didn’t order from an online retailer or buy from a physical shop, in order to get the device straight from the manufacturer and ensure it hadn’t been tampered with.

    100%, we would've been safer ordering from Amazon, but you'd have weighed up the risk of potential device tampering and getting it direct from the supplier was the obvious choice over that


  • Registered Users, Registered Users 2 Posts: 2,760 ✭✭✭stockshares


    Bob24 wrote: »
    I believe the list comes from a data leak which occurred this summer. If I am not mistaken you are off the hook :-)

    It could happen again. Some here did buy at that time so I hope they haven't used them yet. I'll contact them by DM later in case they missed the news of the breach.
    There are two separate dumps shown - one is a mailing list (email only). The other includes the details of those who actually bought a ledger.
    I think it's a case of being doubly vigilant re. phishing emails. Where mobile number and address have been exposed, they offer greater (and much different) risk i.e. physical attack and SIM swapping attack.
    I just searched through the tree and I'm included.
    Bob24 wrote: »
    If you email their data protection officer and query this as a GDPR request, they have a regulatory obligation to provide a clear answer to you.
    In theory they also had an obligation to proactively let you know if you were impacted, but they clearly failed to do so for most people.
    AFAIK every single person in the EU who wasn’t notified when they should have been is also entitled to file a complaint with their national data protection authority (the DPC in Ireland) and seek sanctions against Ledger for a breach of GDPR.
    The fact that they hadn't got it in them to let people know they were affected reflects very badly on them. Instead they just put up a general warning on their site about phishing and swept it under the carpet. I won't be recommending these anymore.

    unkel wrote: »
    Unless of course you shout out to the world that you have a hardware wallet. This sounds of course like I'm talking with hindsight about this data breach, but I'd rather a software wallet under the radar, that nobody knows about and very unlikely anyone is coming to look for it or come across it by accident
    Good point, even talking about crypto and Ledger on these forums tells everyone you're invested in crypto.

    I'm starting to think a software wallet on a 2nd phone that has OTG so a USB can be connected and used only for crypto is a better option.


  • Registered Users, Registered Users 2 Posts: 10,905 ✭✭✭✭Bob24



    The fact that they hadn't got it in them to let people know they were affected reflects very badly on them. Instead they just put up a general warning on their site about phishing and swept it under the carpet. I won't be recommending these anymore.

    It is even worse. They originally said that only a few thousand people were impacted by the full leak (beyond just email addresses) and that anyone who is impacted by that full leak would be contacted individually with the details of what about them had been leaked.

    So they gave a false impression of safety to anyone who wasn’t contacted in such manner ...


  • Registered Users, Registered Users 2 Posts: 21,002 ✭✭✭✭cnocbui


    Balls. That explains the phishing email earlier in the week

    I don't own a Ledger, or had anything to do with them, but I have been getting near daily 'Invest in Bitcoin, earn 40,000' emails for about two weeks now, so the people behind that one are just using the shotgun approach and not a leak of Ledger data.

    I'm going to make another plug for Samsung's Secure Folder/Knox tech that comes free on a lot of their higher end phones for the last 6 or 7 years now. It's an adequate and free substitute for a hardware wallet, IMO. Good way of securing important data like banking and financial apps in general, lists of passwords, etc. At one point, I think Trezor even made a hardware wallet App to be run from inside the Secure Folder, which mimic'd their hardware offering.


  • Registered Users, Registered Users 2 Posts: 2,760 ✭✭✭stockshares


    cnocbui wrote: »
    I don't own a Ledger, or had anything to do with them, but I have been getting near daily 'Invest in Bitcoin, earn 40,000' emails for about two weeks now, so the people behind that one are just using the shotgun approach and not a leak of Ledger data.

    I'm going to make another plug for Samsung's Secure Folder/Knox tech that comes free on a lot of their higher end phones for the last 6 or 7 years now. It's an adequate and free substitute for a hardware wallet, IMO. Good way of securing important data like banking and financial apps in general, lists of passwords, etc. At one point, I think Trezor even made a hardware wallet App to be run from inside the Secure Folder, which mimic'd their hardware offering.

    I presume it's only on their high end phones which makes it an expensive option. Would a 2nd phone with OTG USB capability be suitable?

    I was thinking of using one instead of a laptop.


  • Registered Users, Registered Users 2 Posts: 21,002 ✭✭✭✭cnocbui


    unkel wrote: »
    I always had grave concerns about those ledgers. Not only from a security point of view, but also from a reliability point of view. Solid state media is extremely vulnerable to failure. That's why I never bought one.

    And no, I don't leave substantial balances on exchanges either :D

    I have this high tech backup thing, called a piece of paper.


  • Registered Users, Registered Users 2 Posts: 2,760 ✭✭✭stockshares


    I contacted ledger in Nov about breaches and this is what they replied at that time. They said to contact them on this email address if you have concerns on privacy.
    privacy@ledger.fr

    Email reply
    Hello,
    Thank you for contacting Ledger's technical support.
    My name is Amandine and I will gladly assist you.

    This is an email from our help desk, sent to you because your request didn’t receive a reply from our support team since Nov 24.

    If you wish to access, correct, modify or delete the personal information we have gathered about you, object to their processing, exercise your right to portability, exercise any of the above-mentioned rights or simply obtain more information about the use of your personal data, please contact Ledger and its privacy Team at: privacy@ledger.fr.

    We have been made aware that, in recent days, particularly aggressive phishing campaigns have circulated through social media, emailing and text messaging. We recently published an article detailing the process here.
    You should definitely consider any communication asking for your 24-word recovery phrase IS a phishing attempt. Please consider this even if you have the impression that it comes from Ledger. For example a text message where the sender is « Ledger », an email like ledgersupport.com.

    You would not give away your credit card pin code. The same goes for the 24 words.

    These emails/sms are not coming from Ledger.
    The content of the message will not necessarily ask for your private information, though once you'll download the fake application it will invite you to enter your recovery phrase to restore your device/cancel a fake transaction.

    As a reminder and to avoid any confusion:

    Never share your 24 words or confidential credentials with anyone and Ledger will never ask for it. Information on how to secure your 24-word recovery phrase is available here.

    Always ensure that you are on ledger.com: No dot on top or below any letter, no typo (ledcger).

    Always make sure to download the Ledger Live application from Ledger.com and;

    Keep in mind that your 24-word recovery is the only backup to your private keys and that your PIN code protects the physical access to your Ledger device.

    Please rest assured that Ledger continues taking all necessary steps to report such illicit content to competent authorities and we encourage users who have been victims of fraudulent activities while using their Ledger products to contact and/or file a complaint with their local law enforcement. You can read our announcement regarding phishing campaigns here and learn more on how to spot a phishing attempt here. As long as you haven't entered your 24 words, there is nothing you have to worry about. You can safely disregard the phishing attempt and block the sender.

    If you did enter your 24-word recovery phrase on anything besides your Ledger device, you should consider your crypto assets as compromised and follow the process of lost recovery phrase recommended on this page.

    Kind regards,
    Amandine
    Ledger Support

    Note: we do NOT offer phone support.

    Never share your 24-word recovery phrase with anyone, not even Ledger.

    Follow our Customer Support Twitter page: https://twitter.com/Ledger_Support
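    The domain checks in that support reply (only ledger.com, no dot above or below a letter, no typo such as ledcger) can be turned into a defensive mail filter. This is an added example written for this thread, not Ledger's code; the sender hosts it is run on are constructed, and treating the last two labels as the registrable domain is a simplification.

```python
import unicodedata

# The genuine domain named in Ledger's support reply; everything else is suspect.
LEGIT_DOMAIN = "ledger.com"
BRAND = "ledger"


def _decode_label(label: str) -> str:
    """Turn punycode labels (xn--...) back into Unicode so accented lookalikes are visible."""
    if label.startswith("xn--"):
        try:
            return label.encode("ascii").decode("idna")
        except UnicodeError:
            return label
    return label


def normalize_domain(domain: str) -> str:
    """Lower-case the host, decode punycode and strip combining marks
    (the 'dot above or below a letter' trick), so 'lėdger.com' folds to 'ledger.com'."""
    host = domain.strip().lower().rstrip(".")
    labels = [_decode_label(label) for label in host.split(".")]
    folded = unicodedata.normalize("NFKD", ".".join(labels))
    return "".join(ch for ch in folded if not unicodedata.combining(ch))


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches one-letter typos such as 'ledcger' or 'ledger.co'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender_domain(domain: str) -> str:
    """Return 'legitimate', 'lookalike' or 'unrelated' for a sender or link host."""
    raw = domain.strip().lower().rstrip(".")
    norm = normalize_domain(domain)
    labels = norm.split(".")
    registrable = ".".join(labels[-2:])  # simplification: last two labels
    if registrable == LEGIT_DOMAIN and raw.isascii() and raw == norm:
        return "legitimate"  # ledger.com or a real subdomain such as support.ledger.com
    if not raw.isascii() or raw != norm:
        return "lookalike"  # accented letters, combining marks or punycode were present
    if levenshtein(registrable, LEGIT_DOMAIN) <= 2:
        return "lookalike"  # ledcger.com, ledger.co and similar typos
    if any(BRAND in label for label in labels):
        return "lookalike"  # ledgersupport.com, ledger.com.evil.example
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample hosts, not real phishing indicators.
    for host in ["ledger.com", "support.ledger.com", "ledcger.com",
                 "lėdger.com", "ledgersupport.com", "ledger.com.evil.example",
                 "example.org"]:
        print(f"{host:28} -> {classify_sender_domain(host)}")
```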


  • Registered Users, Registered Users 2 Posts: 17,807 ✭✭✭✭banie01


    cnocbui wrote: »
    I don't own a Ledger, or had anything to do with them, but I have been getting near daily 'Invest in Bitcoin, earn 40,000' emails for about two weeks now, so the people behind that one are just using the shotgun approach and not a leak of Ledger data.

    There is a very high volume of emails specifically targeting Ledger users.

    e.g. your Ledger has been disabled, a login attempt has been detected, or please update your device.

    Yes there is a world of BTC scam emails.
    The ledger leak/hack however has led to a large volume of very specifically targeted emails.

    r/ledger has been awash with reports over the last month or so.
    This isn't just simple spamming, it's targeted with potential for both social engineering as well as physical addresses and access to mobile number to allow SIM attacks.


  • Registered Users, Registered Users 2 Posts: 21,002 ✭✭✭✭cnocbui


    I presume it's only on their high end phones which makes it an expensive option. Would a 2nd phone with OTG USB capability be suitable?

    I was thinking of using one instead of a laptop.

    It's available on any of their phones that has a processor that includes ARM's Trust Zone security features, which is a lot (most?) of them these days and any models that use their Exynos series processors.

    If the phone has Knox, then it can run the Secure Folder app. Back in 2014, yeah, only the higher end phones would have had it, but after that it filtered down to more mid level offerings.

    For iPhone and Apple admirers, their 'secure enclave' is basically just Apple re-branding ARM's 'Trust Zone' in the same way they do with a lot of other people's tech to make it seem they invented it.

    In the last couple of years, Samsung have used the same tech to provide their own specifically crypto focused features on their flagships.


  • Registered Users, Registered Users 2 Posts: 66,637 ✭✭✭✭unkel


    LedgerSuck wrote: »
    Yes, but obviously none of us knew ordering from them that they'd be this **** at something so basic.

    I like your username!

    Did you actually just sign up to boards.ie just to bitch about this fook up? :D


  • Registered Users, Registered Users 2 Posts: 2,760 ✭✭✭stockshares


    cnocbui wrote: »
    It's available on any of their phones that has a processor that includes ARM's Trust Zone security features, which is a lot (most?) of them these days and any models that use their Exynos series processors.

    If the phone has Knox, then it can run the Secure Folder app. Back in 2014, yeah, only the higher end phones would have had it, but after that it filtered down to more mid level offerings.

    For iPhone and Apple admirers, their 'secure enclave' is basically just Apple re-branding ARM's 'Trust Zone' in the same way they do with a lot of other people's tech to make it seem they invented it.

    In the last couple of years, Samsung have used the same tech to provide their own specifically crypto focused features on their flagships.

    I asked Samsung about which models had Secure Folder pre-installed.

    Secure folder is available on Galaxy S20, S20+, S20 Ultra, Z Flip, Note10, Note10+, S10e, S10, S10+, Fold, Note9, S9, S9+, Note8, S8, S8+, S7 edge, S6 edge+, S6 edge and S6.

    Other Samsung phones can download the Secure Folder from Google Play Store providing they are eligible to receive the One 2.5 update.

    Some Samsung phones cannot use the Secure Folder even if they have Knox security built in because they run an older OS than One 2.5.

    The phones below are eligible for the One 2.5 update
    M21 €190
    A31 €199
    A51 €238
    M31 €269
    M31s €280


  • Closed Accounts Posts: 3,502 ✭✭✭q85dw7osi4lebg


    I feel for anyone residing at the address that is on the leaked list. Would be upping my home security immediately (stating the obvious). Can't see Ledger surviving this.


  • Registered Users, Registered Users 2 Posts: 3,461 ✭✭✭Bob Harris


    I've been waiting for 3 weeks to get verified on coinbase...does anyone have a referral code for Binance or Kraken?


  • Registered Users, Registered Users 2 Posts: 10,905 ✭✭✭✭Bob24


    If anyone still thinks the Ledger leak won’t lead to threats of physical violence against the people who are on the list :-/

    https://twitter.com/rikuraisanen/status/1340970430920843265?s=21

    (I know this particular example is unlikely to lead to actual physical attacks, but still it isn’t exactly pleasant to receive this type of stuff with your name and address on it - and I think people living in countries with high crime and endemic poverty such as some Latin American countries have valid reasons to be worried about local gangs targeting them)


  • Registered Users, Registered Users 2 Posts: 17,807 ✭✭✭✭banie01


    Bob24 wrote: »
    If anyone still thinks the Ledger leak won’t lead to threats of physical violence against the people who are on the list :-/

    https://twitter.com/rikuraisanen/status/1340970430920843265?s=21

    From a Reddit thread over 2 weeks ago
    Bolded emphasis mine.
    You are conflating the Ledger device security and its still robust features, with the actual security owed a customer by a company purporting to offer a security solution.

    Yes, the device level security is robust.

    Unfortunately Ledger have allowed a large amount of data to become compromised that identifies thousands of device owners and makes the "weak link" in hardware wallet security instantly identifiable.

    Blaming a ledger service provider or 3rd party?

    Frankly it's a lazy cop out, so what if the data leaked from a Ledger contractor?

    Did customers provide that 3rd Party their data? No, Ledger did and as such Ledger are responsible for the entirety of the chain of custody for that data.

    It's not good enough to blame social engineering for the leak, the leak rather makes every customer whose info was leaked a target for social engineering attacks! Indeed in instances where the address has leaked? The attack vector is far easier, just break in, bring a hammer and break fingers until the password is shared.


  • Registered Users, Registered Users 2 Posts: 4,004 ✭✭✭One More Toy


    Great now anyone can see I own crypto,

    Will Google index the leak page so if you search for first name last name it will appear in a Google search result?


  • Registered Users, Registered Users 2 Posts: 10,905 ✭✭✭✭Bob24


    It looks like Ledger has started to notify by email the 272000 people affected by the leak. Note that their email is still not completely honest (nor GDPR compliant) as it doesn’t mention the fact that phone numbers have been leaked.

    https://www.reddit.com/r/ledgerwallet/comments/khmr2s/yes_like_272_000_people_i_won_to_the_ledger/


  • Registered Users, Registered Users 2 Posts: 5,782 ✭✭✭el diablo


    Where in my Ledger Live account can I see what email I used to register with Ledger? I don't remember ever receiving any email communication from them. :o

    Orange pilled.



  • Registered Users, Registered Users 2 Posts: 10,905 ✭✭✭✭Bob24


    el diablo wrote: »
    Where in my Ledger Live account can I see what email I used to register with Ledger? I don't remember ever receiving any email communication from them. :o

    There is no Ledger account associated to the device/app.

    What was leaked is their e-commerce database (I.e. list of people who placed orders directly with them).


  • Registered Users, Registered Users 2 Posts: 4,676 ✭✭✭makeorbrake


    This could be a good juncture to look at multi-sig solutions like that offered by Unchained Capital - and de-risk from these vulnerabilities.


  • Registered Users, Registered Users 2 Posts: 33 LedgerSuck


    unkel wrote: »
    I like your username!

    Did you actually just sign up to boards.ie just to bitch about this fook up? :D

    I signed up to share the link to the database since it's actually important for people to know if they've been affected by it, seeing as there are thousands in Ireland

    It takes all of about 30 seconds to sign up, it's really not that hard


  • Registered Users, Registered Users 2 Posts: 2,559 ✭✭✭RoboRat


    Bob24 wrote: »
    If anyone still thinks the Ledger leak won’t lead to threats of physical violence against the people who are on the list :-/

    https://twitter.com/rikuraisanen/status/1340970430920843265?s=21

    (I know this particular example is unlikely to lead to actual physical attacks, but still it isn’t exactly pleasant to receive this type of stuff with your name and address on it - and I think people living in countries with high crime and endemic poverty such as some Latin American countries have valid reasons to be worried about local gangs targeting them)

    I haven't been able to train in BJJ or MMA for nearly 4 months now... After reading that I'm tempted to add my name to the list so I can get a few live rounds in should someone come calling 😂 😂 😂


  • Registered Users, Registered Users 2 Posts: 17,807 ✭✭✭✭banie01


    Bob24 wrote: »
    There is no Ledger account associated to the device/app.

    What was leaked is their e-commerce database (I.e. list of people who placed orders directly with them).

    It's got to be more than their e-commerce database IMO.
    I bought my ledger from Amazon, I'm on the pwned list but a little more digging has shown no other immediately identifiable personal info nor have I been spammed to my mobile.

    I think ledger may have an email newsletter list and their e-commerce list.
    Both of which have been compromised.

    I also note with no little amusement that they have been looking for a new DPO!
    What a shítstorm to parachute into when you start your new job :pac:
    And I say that as someone who has a lot of compliance and GDPR experience.

    The French DPC is going to have a field day here and I'd be very surprised if ledger in their current form survive as a company after this.


  • Registered Users, Registered Users 2 Posts: 2,559 ✭✭✭RoboRat


    banie01 wrote: »
    The French DPC is going to have a field day here and I'd be very surprised if ledger in their current form survive as a company after this.
    They won't. They'll be fined massively and they have lost the trust of the crypto community, their only customers. Their only option is to pivot to something else.


  • Registered Users, Registered Users 2 Posts: 10,905 ✭✭✭✭Bob24


    banie01 wrote: »

    I think ledger may have an email newsletter list and their e-commerce list.
    Both of which have been compromised.

    Yes correct, there are two separate data breaches. Their online orders history (name, email, phone number, and delivery address for over 250k customers) and their newsletter subscribers (email addresses only for over 1 million subscribers).
    banie01 wrote: »

    The French DPC is going to have a field day here and I'd be very surprised if ledger in their current form survive as a company after this.

    Yes and the CNIL isn’t as utterly useless as our very own Helen Dixon-led DPC - they won’t drag their feet and refuse to carry out their duty as the DPC has done with the Facebook case here. So I’d expect a fine to be issued within a year and without having to escalate the issue to national and European courts. Having said that I don’t think they would issue a fine large enough to completely impede the company.

    I don’t know how severe the reputation damage will be though. Clearly many crypto enthusiasts are (rightly) very angry about this. But people who haven’t been impacted and newcomers to this space in the coming years might not see it as a show stopper to buy Ledger devices.

    I give them a rather high chance of surviving this and thriving in the coming years (to be clear this is not me saying they didn’t mess-up - they did big time and behaved irresponsibly - but I am not sure this will kill their current business).


  • Registered Users, Registered Users 2 Posts: 2,576 ✭✭✭Irish_rat


    Safest way ordering these is probably through parcel motel now


  • Registered Users, Registered Users 2 Posts: 11,220 ✭✭✭✭Lex Luthor


    anyone able to do a password change and email change on the ledger live?
    Is this even possible?


This discussion has been closed.